Hi,

I have done some tests with VLANs (on a Cisco Catalyst 2970) and SPLAT R55
HFA_16 or 18. All was fine. I set up everything with 'sysconfig'.
If I remember correctly, in sysconfig's menu you put 0.0.0.0 on an interface to
delete the IP from that interface.

Here is my way of proceeding, a bit like an HFA upgrade on SPLAT R55 ClusterXL:
2) cphastop cluster member A

3) on cluster member A:
    d) configure the corresponding switch port with the appropriate VLANs
    a) set up VLANs on cluster member A with SYSCONFIG (easier than vconfig
calls, isn't it?)
    b) take the IP address off eth1 (possibly by replacing it with a bogus
one), assign IPs to the two VLANs
    c) add routes as appropriate for the VLAN interfaces
ADD: e) Get topology from SmartConsole on member A (-> fewer possible errors)
and edit Topology on member B.

5) cphastart member A, cphastop member B

4) push policy with option "For Gateways install on all members, if it fails
do not install at all" unchecked in "Install Policy" window => here there is
some break in the sessions kept between cluster members (because the interfaces
on each member are quite different, synchronizing between each interface is not
possible at this time). Then it will work again on member A.

6a-6d) repeat 3a-3d for member B

8) cphastart member B

7) push policy with option "For Gateways install on all members, if it fails
do not install at all" CHECKED in "Install Policy" window



Notes: I changed your procedure because I think that, starting at number 4), your
policy and its associated topology are not suitable for the interfaces/topology
of the active member B, so downtime will start from 4) to 5).


Hope my way of thinking will help you.

Regards,
--
Fabrice Barutel

------------------------------

Date:    Mon, 15 Jan 2007 15:47:11 -0700
From:    Mark Senior <[EMAIL PROTECTED]>
Subject: VLANs and SPlat R55

Hello list

I've got a HA firewall, a pair of SPlat R55 boxen, on which I'm going to be
splitting one interface (of each member, obviously) into two VLANs.  We'll
be swapping out some other network equipment at the same time, such that a
bit of downtime will be inevitable - so for now at least there's no need to
worry about keeping perfect uptime.

If there are any gotchas with this, I'd appreciate anyone who can point them
out to me.

For one thing, I recall reading (possibly in the archives of this list) that
you can't configure VLANs on SPlat R55, without also giving an IP address to
the interface itself.  So for example, if you want an eth1.100 and eth1.200,
you have to give an IP and mask directly to eth1, even though the switch
won't accept those packets.  Can anyone confirm this or correct it?

In this case, the IP address that's now on my eth1, will become the IP on
one of eth1's VLANs, and the other VLAN will get a new IP.  From
Checkpoint's documentation of the ifconfig command, I don't see any obvious
way at the SPlat CLI to actually remove an IP address.  But then
Checkpoint's docs for R55 are pretty lame...  Some platforms' ifconfig's
have options like 'delete' or '-alias' to remove IP addresses and leave no
assigned address.  Anyone know if SPlat's does?  Or do I have to give the
interface a bogus address anyway?

Finally, with ifconfig and route, SPlat has the non-standard --save flag to
make your changes permanent (since you can't just edit rc files). With
vconfig do you need something similar, or do the changes automatically
survive a reboot?

So, I'm thinking of proceeding like this:

1) edit the topology in the SmartConsole
2) cphastop cluster member A

3) on cluster member A:
    a) set up VLANs on cluster member A with various vconfig calls
    b) take the IP address off eth1 (possibly by replacing it with a bogus
one), assign IPs to the two VLANs
    c) add routes as appropriate for the VLAN interfaces
    d) configure the corresponding switch port with the appropriate VLANs

4) push policy

5) cphastart member A, cphastop member B

6a-6d) repeat 3a-3d for member B

7) push policy again for good measure

8) cphastart member B


Anyone see any obvious flaws here?

Regards
Mark
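As an added example (not from Mark's or Fabrice's posts, and not Check Point's own tooling), the shell script below models the two things the thread turns on: step 3 of Mark's procedure for one member (create the two 802.1Q sub-interfaces, park the base interface on a placeholder address, address the VLANs, persist) and Fabrice's point that a policy push with "if it fails do not install at all" checked only makes sense once both members present the same interface set again. It assumes the command names (vconfig, ifconfig) and SPLAT's non-standard --save flag exactly as the thread describes them, a /32 placeholder for the "bogus address" both posts mention, and a constructed "iface ip mask" inventory format for the topology check; it only emits the command list, it never runs it.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run planner for splitting a SPLAT
# interface into two VLANs plus a ClusterXL topology-consistency check.
# Assumptions: vconfig/ifconfig and the --save flag are as the thread states;
# the "iface ip mask" inventory format below is constructed for this example.

# valid_vlan ID -> 0 if ID is an integer in the 802.1Q range 1..4094
valid_vlan() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# vlan_plan BASE BOGUS_IP MASK VID1 IP1 VID2 IP2
# Emits, one per line, the commands for one cluster member (step 3 of the
# thread). The base interface keeps a placeholder /32 so it sits in no real
# subnet; both VLAN sub-interfaces get the production MASK. Site-specific
# routes (step 3c) are deliberately left to the operator.
vlan_plan() {
    base=$1; bogus=$2; mask=$3; vid1=$4; ip1=$5; vid2=$6; ip2=$7
    valid_vlan "$vid1" || { echo "bad VLAN id: $vid1" >&2; return 1; }
    valid_vlan "$vid2" || { echo "bad VLAN id: $vid2" >&2; return 1; }
    [ "$vid1" != "$vid2" ] || { echo "VLAN ids must differ" >&2; return 1; }
    [ "$ip1" != "$ip2" ] || { echo "VLAN addresses must differ" >&2; return 1; }
    echo "vconfig add $base $vid1"
    echo "vconfig add $base $vid2"
    echo "ifconfig $base $bogus netmask 255.255.255.255 --save"
    echo "ifconfig $base.$vid1 $ip1 netmask $mask --save"
    echo "ifconfig $base.$vid2 $ip2 netmask $mask --save"
}

# topology_diff FILE_A FILE_B
# Each file holds one "<iface> <ip> <netmask>" line per interface. Member IPs
# legitimately differ, so only interface name and netmask are compared.
# Returns 0 when both members agree, 1 (and lists the differences) when the
# cluster is in the mismatched window Fabrice describes between 4) and 5).
topology_diff() {
    ta=$(mktemp); tb=$(mktemp)
    awk '{print $1, $3}' "$1" | sort > "$ta"
    awk '{print $1, $3}' "$2" | sort > "$tb"
    if cmp -s "$ta" "$tb"; then rm -f "$ta" "$tb"; return 0; fi
    echo "only on $1:"; comm -23 "$ta" "$tb"
    echo "only on $2:"; comm -13 "$ta" "$tb"
    rm -f "$ta" "$tb"
    return 1
}

# Constructed sample inventories: member A already migrated, member B still on
# the flat eth1 (documentation ranges, not real addresses).
member_a=$(mktemp); member_b=$(mktemp)
trap 'rm -f "$member_a" "$member_b"' EXIT
cat > "$member_a" <<'EOF'
eth0 192.0.2.2 255.255.255.0
eth1 169.254.1.1 255.255.255.255
eth1.100 198.51.100.2 255.255.255.0
eth1.200 203.0.113.2 255.255.255.0
EOF
cat > "$member_b" <<'EOF'
eth0 192.0.2.3 255.255.255.0
eth1 198.51.100.3 255.255.255.0
EOF

# Plan for member A, then check whether B is ready for the strict policy push.
vlan_plan eth1 169.254.1.1 255.255.255.0 100 198.51.100.2 200 203.0.113.2
topology_diff "$member_a" "$member_b" ||
    echo "members out of step: keep the strict install option unchecked until B is migrated"
```

The dry-run output is meant to be reviewed and then typed in per member; the topology check is what you run before step 7, where the strict "install on all members or not at all" option is turned back on.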

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================