Best practice to use Check Point VSX template circuits with group-interface in a DBHA environment

Article Id: 167780

Status: Published

Updated On: 13-05-2017 10:46

Legacy Id: TECH243714

Products:

XOS

Issue/Introduction:

Configuration steps to create a Check Point VSX template circuit, attach it to group-interface and add to VRRP configuration

Cause:

Configuration example of configuring a VSX template circuit that can be used by multiple Virtual Systems within Check Point GUI to create vlan tagged circuits, where those circuits are attached to a group interface.

Resolution:

As explained in article 3577. the base circuit used in group-interface assumes non-visible logical-all statement. So, in case of VSX it will be the template circuit that needs to be configured within mode multi-link circuit <circuit-name> statement in the group-interface context.
Also, in DBHA setup, the template circuits should be configured within VRRP section before pushing the configuration to the chassis via the Check Point GUI, otherwise the IP address will be assigned at the circuit level instead of the VRRP level.

Here are the best practice steps for using group-interface with VSX application:

1. Configure a VSX template circuit.
Here is an example to create the template circuit inside for vap-group vsx
configure circuit inside
device-name ins
vap-group vsx
     ip-forwarding

2. Configure the group interface:
Here is an example to create group interface mlt1 for interfaces 1/1 and 1/2
configure group-interface mlt1
   interface-type Ethernet
   mode multi-link circuit inside
   interface 1/1
   interface 1/2

3. Create a virtual-router vrrp-id for template circuit mlt1
Here is an example for creating vrrp-id 51 for circuit mlt1 defined above and assigning the priority delta of 10. We will assume VRRP failover-group fgvsx with failover-group-id 1 has already been created.
configure vrrp  failover-group fgvsx failover-group-id 1
   virtual-router vrrp-id 51 circuit inside
   priority-delta 10
   mac-usage vrrp-mac
   backup-stay-up
   vap-group vsx

4. Perform the steps 1-3 on the second chassis as well while ensuring to use the same vrrp-id.

5. Once the above configuration is completed, you may use the template circuit (interface ins in the example above) via Check Point management GUI to create vlan interfaces as needed and push the configuration to the chassis.