
Thread: Nokia VRRP setup

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    458

    Nokia VRRP setup (good info for all FW people)

    For anyone who has never used VRRP for Nokia appliances running Checkpoint, I just wanted to point out a "gotcha" that you will probably come across during the configuration that seems to get me every time (for some reason, I always forget).

    After the VRRP configurations are done in Voyager, there is a rule that needs to be added to the Checkpoint rulebase before the FO configuration will work properly. You basically need to add a rule to allow VRRP multicast to be accepted on the VRRP interfaces. Now this is where I always screw it up. You would think that you would need a rule like this:

    SOURCE
    -------------
    FW1
    FW2

    DESTINATION
    ------------------
    FW1
    FW2

    SERVICE
    --------------
    VRRP

    ACTION
    ---------------
    Accept

    This you might think would allow VRRP multicast traffic to be sent between the 2 firewalls right? Wrong...this will not work!!!!

    The solution is actually found in the statement above. VRRP is actually multicast traffic, therefore the destination is not actually the VRRP interface on the firewall. Instead the destination should be the VRRP multicast address (224.0.0.18). So when it is all said and done, your CP rule should look something like this:

    SOURCE
    ------------
    FW1
    FW2

    DESTINATION
    ------------------
    VRRP-Multicast address (224.0.0.18)

    SERVICE
    -------------
    VRRP

    ACTION
    ------------
    ACCEPT

    Well, I do not know how many of you guys might find this information useful, but if you ever do need it, hopefully it will save you lots of troubleshooting, and you will not be as dumb as me and forget every time...lol

    The answer is not really difficult, but can be misleading because logic will lead you in the wrong direction!!

    Good Luck

    iNViCTuS
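
The behaviour described in the post above, as an added example that is not part of the original post: a simplified first-match rule evaluator run over a constructed VRRP advertisement header. The firewall addresses (192.0.2.1, 192.0.2.2), the rule names and the implicit cleanup drop are assumptions made for illustration, not Check Point's own logic.

```python
import ipaddress
import struct

VRRP_PROTO = 112                                  # IANA IP protocol number for VRRP
VRRP_MCAST = ipaddress.ip_address("224.0.0.18")   # group address named in the post

# Constructed addresses for the two cluster members (assumption, not from the post).
FW1 = ipaddress.ip_address("192.0.2.1")
FW2 = ipaddress.ip_address("192.0.2.2")

def build_ipv4_header(src, dst, proto, ttl=255):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) as sample input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       src.packed, dst.packed)

def parse_ipv4_header(raw):
    """Return (src, dst, proto) from a raw IPv4 header."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src = ipaddress.ip_address(raw[12:16])
    dst = ipaddress.ip_address(raw[16:20])
    return src, dst, raw[9]

def evaluate(rulebase, raw):
    """First-match evaluation; unmatched packets hit an assumed cleanup drop."""
    src, dst, proto = parse_ipv4_header(raw)
    for name, sources, dests, service, action in rulebase:
        if src in sources and dst in dests and proto == service:
            return name, action
    return "cleanup", "drop"

# Rule as first guessed in the post: destination is the firewalls themselves.
WRONG = [("vrrp-unicast-dst", {FW1, FW2}, {FW1, FW2}, VRRP_PROTO, "accept")]
# Rule the post arrives at: destination is the VRRP multicast group.
RIGHT = [("vrrp-mcast-dst", {FW1, FW2}, {VRRP_MCAST}, VRRP_PROTO, "accept")]

# A VRRP advertisement from FW1 is addressed to the group, never to FW2 directly.
ADVERT = build_ipv4_header(FW1, VRRP_MCAST, VRRP_PROTO)

if __name__ == "__main__":
    print("wrong rule:", evaluate(WRONG, ADVERT))
    print("right rule:", evaluate(RIGHT, ADVERT))
```
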

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Maybe this thread should be moved to tutorials???

  3. #3
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Posts
    2,628
    VRRP, yuck. And yeah, it should be in tut's section. Nice to know.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  4. #4
    Same is true for OSPF and all other multi-cast protocols...

    etsh911
