February 28th, 2002, 06:44 PM
#1
Nokia VRRP setup (good info for all FW people)
For anyone who has never used VRRP for Nokia appliances running Checkpoint, I just wanted to point out a "gotcha" that you will probably come across during the configuration that seems to get me every time (for some reason, I always forget).
After the VRRP configurations are done in Voyager, there is a rule that needs to be added to the Checkpoint rulebase before the FO configuration will work properly. You basically need to add a rule to allow VRRP multicast to be accepted on the VRRP interfaces. Now this is where I always screw it up. You would think that you would need a rule like this:
SOURCE      DESTINATION   SERVICE   ACTION
----------  ------------  --------  --------
FW1, FW2    FW1, FW2      VRRP      Accept
This you might think would allow VRRP multicast traffic to be sent between the 2 firewalls right? Wrong...this will not work!!!!
The solution is actually found in the statement above. VRRP is actually multicast traffic, therefore the destination is not actually the VRRP interface on the firewall. Instead the destination should be the VRRP multicast address (224.0.0.18). So when it is all said and done, your CP rule should look something like this:
SOURCE      DESTINATION                           SERVICE   ACTION
----------  ------------------------------------  --------  --------
FW1, FW2    VRRP-Multicast address (224.0.0.18)   VRRP      Accept
Well, I do not know how many of you guys might find this information useful, but if you ever do need it, hopefully it will save you lots of troubleshooting, and you will not be as dumb as me and forget every time...lol
The answer is not really difficult, but can be misleading because logic will lead you in the wrong direction!!
Good Luck
iNViCTuS
March 1st, 2002, 06:39 PM
#2
Maybe this thread should be moved to tutorials???
March 1st, 2002, 06:47 PM
#3
VRRP, yuck. And yeah, it should be in the tut's section. Nice to know.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
March 14th, 2002, 08:30 PM
#4
Same is true for OSPF and all other multi-cast protocols...
etsh911
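The point made in post #1 (and generalised to OSPF in post #4) comes down to what the IP header of a multicast packet actually carries: the destination is the group address, not the peer's interface, so a rule whose destination column lists the peer firewalls can never match. The following is an added example, not code from the original thread and not Check Point or Nokia code: a toy first-match rulebase evaluated against a constructed VRRP advertisement and a constructed OSPF hello. The firewall addresses 192.0.2.1 and 192.0.2.2 are made up for the example; the protocol numbers (112 for VRRP, 89 for OSPF) and group addresses (224.0.0.18, 224.0.0.5, 224.0.0.6) are the standard ones.

```python
import ipaddress
import struct
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address

# Well-known values (IP protocol numbers and multicast groups from the RFCs)
VRRP_PROTO = 112                      # IP protocol number for VRRP
VRRP_GROUP = IPv4("224.0.0.18")       # all-VRRP-routers multicast group
OSPF_PROTO = 89                       # IP protocol number for OSPF
OSPF_GROUPS = frozenset({IPv4("224.0.0.5"), IPv4("224.0.0.6")})  # AllSPFRouters, AllDRouters

# Constructed sample interface addresses for the two cluster members (assumption, not from the thread)
FW1 = IPv4("192.0.2.1")
FW2 = IPv4("192.0.2.2")


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    proto: int
    ttl: int


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset
    destinations: frozenset
    protos: frozenset
    action: str


def build_ipv4_header(src: IPv4, dst: IPv4, proto: int, ttl: int = 255) -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left zero) for a test packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, src.packed, dst.packed)


def parse_ipv4_header(raw: bytes) -> Packet:
    """Pull out the header fields a rulebase actually matches on: src, dst, protocol (plus TTL)."""
    (_ver_ihl, _tos, _length, _ident, _frag, ttl, proto, _csum, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20]
    )
    return Packet(IPv4(src), IPv4(dst), proto, ttl)


def first_match(rulebase, pkt: Packet):
    """First-match evaluation like a firewall rulebase; falls through to the implicit drop."""
    for rule in rulebase:
        if pkt.src in rule.sources and pkt.dst in rule.destinations and pkt.proto in rule.protos:
            return rule.action, rule.name
    return "drop", "implicit drop"


# The rule the post says looks right but never matches: destination = the peers' own addresses.
WRONG_VRRP_RULE = Rule("vrrp-peer-dst", frozenset({FW1, FW2}), frozenset({FW1, FW2}),
                       frozenset({VRRP_PROTO}), "accept")
# The rule the post says works: destination = the VRRP multicast group.
RIGHT_VRRP_RULE = Rule("vrrp-mcast-dst", frozenset({FW1, FW2}), frozenset({VRRP_GROUP}),
                       frozenset({VRRP_PROTO}), "accept")
# Same pattern for OSPF: hellos are sent to 224.0.0.5 / 224.0.0.6, not to the neighbour's address.
OSPF_RULE = Rule("ospf-mcast-dst", frozenset({FW1, FW2}), OSPF_GROUPS,
                 frozenset({OSPF_PROTO}), "accept")


def vrrp_advertisement(sender: IPv4) -> Packet:
    """What a VRRP advertisement looks like on the wire: dst is the group address, TTL is 255."""
    return parse_ipv4_header(build_ipv4_header(sender, VRRP_GROUP, VRRP_PROTO, ttl=255))


def ospf_hello(sender: IPv4) -> Packet:
    """An OSPF hello to AllSPFRouters; link-local multicast, so TTL 1."""
    return parse_ipv4_header(build_ipv4_header(sender, IPv4("224.0.0.5"), OSPF_PROTO, ttl=1))


if __name__ == "__main__":
    adv = vrrp_advertisement(FW1)
    print("VRRP advertisement dst:", adv.dst, "proto:", adv.proto, "ttl:", adv.ttl)
    print("rule with peer addresses as destination ->", first_match([WRONG_VRRP_RULE], adv))
    print("rule with 224.0.0.18 as destination     ->", first_match([RIGHT_VRRP_RULE], adv))
    print("OSPF hello against OSPF multicast rule  ->", first_match([OSPF_RULE], ospf_hello(FW2)))
```

Running it shows the advertisement's destination field is 224.0.0.18, so the peer-address rule falls through to the implicit drop while the multicast-destination rule accepts; the OSPF hello behaves the same way against its group addresses. The same reasoning applies to a log review: a dropped VRRP packet will show 224.0.0.18 as its destination, which is the quickest way to spot this misconfiguration.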