Sergio Alvarez wrote:
Hello,

I have a customer that currently has a couple of Nokias working with IPSO
Clustering and of course Check Point (NGX R60 HFA04).
Early this week he wanted to enable RIP on those Nokias so they would "talk"
with some peripheral routers, but when trying to enable the option via
Voyager, a message came up saying it was not possible because they were
clustered.
Then they decided to pass the RIP traffic through the firewall cluster, so
they enabled that in the implied rules (making rule "log implied rules was
checked"), then ended up also creating a specific rule for the traffic in the
rulebase, but that RIP traffic not only never goes through but is also
never shown in the SmartView Tracker. They installed a sniffer on the same
network as the cluster interface that should receive the traffic and they in
fact see those packets coming and directed to the correct IP.
So far no tests have been done with fw monitor, as I was not with them during
those tests and even when I sent the syntax they did not seem to try it.
Tomorrow I will give them a visit to work on this and try that, but in the
meantime, I was wondering if this has something to do with the fact that
this is, again, an IPSO Cluster. Could it be that something needs to be done
at a platform level to let this RIP multicast/broadcast go through?
I have worked with multiple Check Point clustering environments but almost
all of them over SPLAT, so Nokia is one of my weaknesses.

Any help will be very appreciated.

Hello,

I worked some years ago with RIP in a VRRP environment, and it worked quite fine.
The Nokias only listened to RIP updates.

You should check the antispoofing settings because of the multicast that is used.

And I think this would also be an issue if you plan to do some RIP through the firewall,
as the multicast or broadcast used for RIP has to go through your cluster.

Could it be possible to set a GRE tunnel between your routers?
Regards

