Mark Senior wrote:
Hello list

I've got a HA firewall, a pair of SPlat R55 boxen, on which I'm going to be splitting one interface (of each member, obviously) into two VLANs. We'll be swapping out some other network equipment at the same time, such that a bit of downtime will be inevitable - so for now at least there's no need to
worry about keeping perfect uptime.

If there are any gotchas with this, I'd appreciate anyone who can point them
out to me.

For one thing, I recall reading (possibly in the archives of this list) that you can't configure VLANs on SPlat R55, without also giving an IP address to the interface itself. So for example, if you want an eth1.100 and eth1.200,
you have to give an IP and mask directly to eth1, even though the switch
won't accept those packets.  Can anyone confirm this or correct it?

Hi,

On IPSO, I used some trunks, and the restriction comes from the network equipment, I think.

You cannot bind one port to a VLAN if you set a trunk (i.e. multiple VLANs on one link) to this port.
In this case, the IP address that's now on my eth1, will become the IP on
one of eth1's VLANs, and the other VLAN will get a new IP.  From
Checkpoint's documentation of the ifconfig command, I don't see any obvious
way at the SPlat CLI to actually remove an IP address.  But then
Checkpoint's docs for R55 are pretty lame...  Some platforms' ifconfig's
have options like 'delete' or '-alias' to remove IP addresses and leave no
assigned address.  Anyone know if SPlat's does?  Or do I have to give the
interface a bogus address anyway?

Check the files in /etc after your sysconfig to see how the settings are done after the reboot.
Finally, with ifconfig and route, SPlat has the non-standard --save flag to
make your changes permanent (since you can't just edit rc files). With
vconfig do you need something similar, or do the changes automatically
survive a reboot?

So, I'm thinking of proceeding like this:

1) edit the topology in the SmartConsole
2) cphastop cluster member A

3) on cluster member A:
   a) set up VLANs on cluster member A with various vconfig calls
   b) take the IP address off eth1 (possibly by replacing it with a bogus
one), assign IPs to the two VLANs
   c) add routes as appropriate for the VLAN interfaces
   d) configure the corresponding switch port with the appropriate VLANs

4) push policy

5) cphastart member A, cphastop member B

6a-6d) repeat 3a-3d for member B

7) push policy again for good measure

8) cphastart member B


Anyone see any obvious flaws here?

You could perhaps use VMware or something similar to validate your scenario on a
demo architecture.

This could show some hints.
Regards
Mark
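An added example, not code from the thread: a small sh script that emits the per-VLAN commands for step 3 of the plan above and then checks a member's `ifconfig -a` output before that member is put back with cphastart. It assumes the SPlat ifconfig takes a trailing --save as the thread describes, that vconfig names the sub-interfaces eth1.100-style, and uses constructed sample addresses; whether vconfig changes persist is the thread's open question, so the vconfig lines are only emitted.

```shell
#!/bin/sh
# Added example (not from the list thread). Plans the per-VLAN commands for a
# SPlat member and verifies the result from `ifconfig -a` output before cphastart.
# Assumes: the SPlat ifconfig accepts a trailing --save (as the thread states);
# whether vconfig changes persist is the open question, so they are only emitted.

# vlan_cmds PARENT VID IP MASK : print the commands for one VLAN sub-interface.
vlan_cmds() {
    printf 'vconfig add %s %s\n' "$1" "$2"
    printf 'ifconfig %s.%s %s netmask %s up --save\n' "$1" "$2" "$3" "$4"
}

# iface_addr IFACE OUTPUT : print the inet addr of IFACE from ifconfig output
# (empty if the interface has no IPv4 address).
iface_addr() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == want            { found = 1; next }
        found && /inet addr:/ { sub("addr:", "", $2); print $2; exit }
        /^[^ ]/               { found = 0 }'
}

# check_migration PARENT "VID:IP ..." OUTPUT : returns 0 when every VLAN
# sub-interface carries its planned address and the parent holds none of them.
check_migration() {
    parent=$1 plan=$2 out=$3 rc=0
    paddr=$(iface_addr "$parent" "$out")
    for entry in $plan; do
        vid=${entry%%:*} ip=${entry#*:}
        got=$(iface_addr "$parent.$vid" "$out")
        [ "$got" = "$ip" ] || { echo "BAD $parent.$vid: want $ip got ${got:-none}"; rc=1; }
        [ "$paddr" = "$ip" ] && { echo "BAD $parent still holds $ip"; rc=1; }
    done
    return $rc
}

# Constructed sample of post-migration `ifconfig -a` output (abbreviated).
SAMPLE='eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.0.2.254  Bcast:192.0.2.255  Mask:255.255.255.0

eth1.100  Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:10.0.100.1  Bcast:10.0.100.255  Mask:255.255.255.0

eth1.200  Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:10.0.200.1  Bcast:10.0.200.255  Mask:255.255.255.0
'

vlan_cmds eth1 100 10.0.100.1 255.255.255.0
vlan_cmds eth1 200 10.0.200.1 255.255.255.0
check_migration eth1 "100:10.0.100.1 200:10.0.200.1" "$SAMPLE" && echo "member ready for cphastart"
```

Run the check against the real `ifconfig -a` output of each member (step 3 done, before step 5) and only bring it back into the cluster when it reports nothing.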

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================