Thanks a lot.

I have found a few things since I posted this and in fact I would have to
disable antispoofing in order to allow that RIP through the cluster, which
of course will not sound very good to my customer, but now you have given
me a great idea with the possibility of using a GRE tunnel between routers.

I really appreciate your help.

Regards

On 7/4/07, pkc_mls <[EMAIL PROTECTED]> wrote:

Sergio Alvarez wrote:
> Hello,
>
> I have a customer that currently has a couple of Nokias working with IPSO
> Clustering and of course Check Point (NGX R60 HFA04).
> Early this week he wanted to enable RIP on those Nokias so they would "talk"
> with some peripheral routers, but when trying to enable the option via
> Voyager, a message came up saying it was not possible because they were
> clustered.
> Then they decided to pass the RIP traffic through the firewall cluster, so
> they enabled that in the implied rules (making rule "log implied rules was
> checked"), then ended up also creating a specific rule for the traffic in
> the rulebase, but that RIP traffic not only never goes through but is also
> never shown in the SmartView Tracker. They installed a sniffer on the same
> network of the cluster interface that should receive the traffic and they in
> fact see those packets coming and directed to the correct IP.
> So far no tests have been done with fw monitor as I was not with them during
> those tests and even when I sent the syntax they did not seem to try it.
> Tomorrow I will give them a visit to work on this and try that, but in the
> meantime, I was wondering if this has something to do with the fact that
> this is, again, an IPSO Cluster. Could it be that something needs to be done
> at a platform level to let this RIP multicast/broadcast go through?
> I have worked with multiple Check Point clustering environments but almost
> all of them over SPLAT, so Nokia is one of my weaknesses.
>
> Any help will be very appreciated.
>
Hello,

I worked some years ago with RIP in a VRRP environment, and it worked
quite fine.
The Nokias only listened to RIP updates.

You should check the antispoofing settings because of the multicast that
is used.

And I think this would also be an issue if you plan to do some RIP
through the firewall,
as the multicast or broadcast used for RIP has to go through your cluster.

Could it be possible to set up a GRE tunnel between your routers?
> Regards
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================




--
Sergio Alvarez
(506)8301342
