Multicast Firewall Load Sharing on Checkpoint ClusterXL Firewalls with Cisco Devices


  1. Configure the following command on the internal router:
    • arp 192.168.20.2 0100.5e16.0de2 arpa
  2. Configure the following commands on the internal switch, where the port numbers shown below are the ports to which your firewall interfaces are connected:
    • mac address-table static 0100.5e16.0de2 vlan 10 interface gi1/0/2 gi1/0/3 gi1/0/4
    • no ip igmp snooping vlan 10
  3. The multicast MAC address of the firewall cluster's internal VIP (shown above in the commands) is obtained by looking at the topology information of the cluster in the SmartDashboard, clicking the edit option for the cluster IP, and then clicking the Advanced button. That should show you the multicast MAC address. Checkpoint has an sk technote which shows a different way of getting the MAC address using the cphaconf debug_data command on the command line. This DOES NOT work as it gives you the wrong MAC address.
  4. The same configuration commands (with the correct IP and MAC for the external cluster) are performed on the external router, pointing to the external VIP:
    • arp 192.168.15.2 0100.5e16.0de3 arpa
  5. And the same configuration commands on the external switch:
    • mac address-table static 0100.5e16.0de3 vlan 20 interface gi1/0/5 gi1/0/6 gi1/0/7
    • no ip igmp snooping vlan 20
