No need to add static ARPs for VIPs or fake MAC addresses. What does the router's ARP table say the VIP's MAC is?
How it works is like this (Shane P. gave a good explanation in recent days here):

[It uses a Virtual IP for the cluster, it's just that the MAC associated with that VIP will float between the primary and standby during failovers. So looking at our internal-facing interface, if firewall1 is 10.1.1.1 and firewall2 is 10.1.1.2, and the ClusterXL VIP is 10.1.1.3. During normal operation the MAC for 10.1.1.3 will be the physical interface of 10.1.1.1. And during a failover, firewall2 issues a GARP and the MAC for 10.1.1.3 becomes the MAC of the physical interface for firewall2, correct?]

Assuming that there is not another firewall sitting between your mgmt server and your cluster, then there is no need for explicit rules for the cluster-to-mgmt communication to take place. No need for a rule for the synch communication between the cluster members, either. It is all implied.

HTH.
Neil Delacruz

On 1/23/06, Sam Ghannadi <[EMAIL PROTECTED]> wrote:
>
> right now in my test lab (I have a Cisco Catalyst 500
> on inside and Cisco 2970 on the outside, a router, two
> SPLAT cluster Member NGX, and Windows 2003 as MGMT),
> the host behind the firewall is HIDE NATed, but no
> internet access.
> Cluster XL has an External VIP and internal VIP, do I
> need to add static ARP on the router for External VIP
> and a Fake Mac address to be able to have internet
> access?
> How does it really work?
> Thanks,
> sam
>
> --- Sam Ghannadi <[EMAIL PROTECTED]> wrote:
>
> > I am setting up a Splat Cluster XL NGX, except the
> > rules I need to make the communication between MGMT
> > and Cluster object, do I need to make any rules for
> > sync and how?
> > Thanks
> > Sam

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
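The floating VIP binding described in the reply above can be watched from a packet capture. The following is an added example, not part of the original thread and not Check Point code: it parses raw ARP frames, follows which MAC owns the VIP, and separates a GARP-driven failover between known members from a claim by a MAC outside the cluster. The IPs come from the post; the MAC addresses, the router IP 10.1.1.254 and all function names are assumptions made for the illustration.

```python
import socket
import struct

ARP_FMT = "!6s6sHHHBBH6s4s6s4s"  # Ethernet header + IPv4 ARP body, 42 bytes

def build_arp(sha, spa, tpa, oper=1):
    """Build a broadcast ARP frame; used only to construct the sample input."""
    mac = bytes.fromhex(sha.replace(":", ""))
    return struct.pack(ARP_FMT, b"\xff" * 6, mac, 0x0806, 1, 0x0800, 6, 4, oper,
                       mac, socket.inet_aton(spa), bytes(6), socket.inet_aton(tpa))

def parse_arp(frame):
    """Return (sender_mac, sender_ip, is_gratuitous), or None if not IPv4 ARP."""
    if len(frame) < struct.calcsize(ARP_FMT):
        return None
    (_dst, _src, etype, htype, ptype, hlen, plen, _oper,
     sha, spa, _tha, tpa) = struct.unpack_from(ARP_FMT, frame)
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    # A gratuitous ARP announces the sender's own IP: sender IP == target IP
    return sha.hex(":"), socket.inet_ntoa(spa), spa == tpa

def track_vip(frames, vip, member_macs):
    """Follow the MAC bound to the VIP and classify every change of binding."""
    current, events = None, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[1] != vip or parsed[0] == current:
            continue
        mac, _ip, gratuitous = parsed
        if mac not in member_macs:
            kind = "unexpected-mac"        # VIP claimed by a non-member
        elif current is None:
            kind = "initial"
        else:
            kind = "failover" if gratuitous else "moved-without-garp"
        events.append((kind, mac))
        current = mac                      # what a neighbour's ARP table now holds
    return events

# Constructed sample: IPs from the post; MACs and the router IP are made up
VIP, FW1_MAC, FW2_MAC = "10.1.1.3", "00:11:22:33:44:01", "00:11:22:33:44:02"
OTHER_MAC = "02:00:00:00:00:99"
SAMPLE = [
    build_arp(FW1_MAC, VIP, "10.1.1.254", oper=2),  # firewall1 answers for the VIP
    build_arp(FW1_MAC, "10.1.1.1", "10.1.1.254"),   # firewall1's own IP, ignored
    build_arp(FW2_MAC, VIP, VIP),                   # firewall2's GARP at failover
    build_arp(OTHER_MAC, VIP, VIP),                 # a MAC outside the cluster
]
```

Calling `track_vip(SAMPLE, VIP, {FW1_MAC, FW2_MAC})` yields an `initial` binding to firewall1, a `failover` to firewall2, and an `unexpected-mac` event for the last frame.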
