Cisco Switch Configuration to Make Multicast Load Sharing Working on Checkpoint ClusterXL Firewalls - NETSEC


Friday, April 25, 2014

Cisco Switch Configuration to Make Multicast Load Sharing Working on Checkpoint ClusterXL Firewalls

While working on a Checkpoint ClusterXL Load Sharing configuration, I found a blog post from Technopath LLC covering the Cisco switch side of the setup. It should be helpful for my next step.

The topology is like this:


  1. Configure the following command on the internal router (usually a layer 3 switch; 0100.5e16.0de2 is the multicast MAC address of the internal Checkpoint VIP). The static entry is needed because Cisco IOS will not accept an ARP reply that maps a unicast IP address to a multicast MAC address:
    • arp 192.168.20.2 0100.5e16.0de2 arpa
  2. Configure the following commands on the internal switch, where the port numbers shown are the ports to which your firewall interfaces are connected. The static entry forwards frames for the multicast MAC only to the listed firewall ports, and IGMP snooping is disabled on the VLAN because the cluster members never send IGMP joins for this group MAC:
    • mac address-table static 0100.5e16.0de2 vlan 10 interface gi1/0/2 gi1/0/3 gi1/0/4
    • no ip igmp snooping vlan 10
  3. The multicast MAC address of the firewall cluster's internal VIP (shown above in the commands) is obtained by looking at the topology information of the cluster in the SmartDashboard, clicking the edit option for the cluster IP and then clicking the advanced button. That should show you the multicast MAC address. Checkpoint has an sk technote which shows a different way of getting the MAC address using the cphaconf debug_data command on the command line. This DOES NOT work as it gives you the wrong MAC address.
  4. The same configuration command (with the correct IP and MAC for the external cluster) is applied on the external router, pointing to the external VIP (0100.5e16.0de3 is the multicast MAC address of the external Checkpoint VIP):
    • arp 192.168.15.2 0100.5e16.0de3 arpa
  5. And the same configuration commands on the external switch:
    • mac address-table static 0100.5e16.0de3 vlan 20 interface gi1/0/5 gi1/0/6 gi1/0/7
    • no ip igmp snooping vlan 20
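
As an added example (my own helper, not code from the original post or from Technopath LLC), a small Python script that takes the VIP, the multicast MAC copied from SmartDashboard (in colon, dash or Cisco dotted notation), the VLAN and the firewall-facing ports, and produces the router and switch commands from the steps above. It refuses a MAC whose I/G (group) bit is not set, because a unicast MAC pasted by mistake would make the static ARP and MAC-table entries silently wrong. The function and variable names are my own.

```python
"""Generate and sanity-check Cisco IOS commands for a ClusterXL multicast-mode VIP."""
import re
from ipaddress import IPv4Address


def to_cisco_mac(mac: str) -> str:
    """Normalise '01:00:5e:16:0d:e2', '01-00-5E-16-0D-E2' or '0100.5e16.0de2' to Cisco dotted form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def is_multicast_mac(cisco_mac: str) -> bool:
    """A group (multicast) MAC has the I/G bit, the least significant bit of the first octet, set.

    Both VIP MACs on this page (0100.5e16.0de2 / 0100.5e16.0de3) start with 0x01, so the bit is set."""
    first_octet = int(cisco_mac[:2], 16)
    return bool(first_octet & 0x01)


def clusterxl_commands(vip: str, mac: str, vlan: int, ports: list[str]) -> tuple[list[str], list[str]]:
    """Return (router_commands, switch_commands) for one ClusterXL VIP.

    vip   - the cluster virtual IP the router must resolve to the multicast MAC
    mac   - the multicast MAC taken from SmartDashboard (topology -> edit VIP -> advanced)
    vlan  - the VLAN the VIP lives in on the switch
    ports - the switch ports facing the cluster members' interfaces
    """
    IPv4Address(vip)  # raises ValueError on a malformed address
    cisco_mac = to_cisco_mac(mac)
    if not is_multicast_mac(cisco_mac):
        raise ValueError(f"{cisco_mac} is a unicast MAC; ClusterXL multicast mode needs a group MAC")
    if not ports:
        raise ValueError("at least one firewall-facing switch port is required")
    router = [f"arp {vip} {cisco_mac} arpa"]
    switch = [
        f"mac address-table static {cisco_mac} vlan {vlan} interface {' '.join(ports)}",
        f"no ip igmp snooping vlan {vlan}",
    ]
    return router, switch


if __name__ == "__main__":
    # Internal side from the post: VIP 192.168.20.2, VLAN 10, ports gi1/0/2-4 (values from the page).
    router_cmds, switch_cmds = clusterxl_commands(
        "192.168.20.2", "01:00:5e:16:0d:e2", 10, ["gi1/0/2", "gi1/0/3", "gi1/0/4"])
    print("! internal router");  print("\n".join(router_cmds))
    print("! internal switch");  print("\n".join(switch_cmds))
```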
