Best practice to use Check Point VSX template circuits with group-interface in a DBHA environment

Article ID: 167780

Products

XOS

Issue/Introduction

Configuration steps to create a Check Point VSX template circuit, attach it to a group-interface, and add it to the VRRP configuration.

Cause

This article gives a configuration example for a VSX template circuit that multiple Virtual Systems can use from the Check Point GUI to create VLAN-tagged circuits, where those circuits are attached to a group interface.

Resolution

As explained in article 3577, the base circuit used in a group-interface assumes a non-visible logical-all statement. In the case of VSX, it is therefore the template circuit that must be configured in the mode multi-link circuit <circuit-name> statement in the group-interface context.
In a DBHA setup, the template circuits should also be configured in the VRRP section before the configuration is pushed to the chassis via the Check Point GUI. Otherwise the IP address will be assigned at the circuit level instead of the VRRP level.

Here are the best practice steps for using a group-interface with the VSX application:

1. Configure a VSX template circuit.
Here is an example that creates the template circuit inside for vap-group vsx:
configure circuit inside
  device-name ins
  vap-group vsx
     ip-forwarding


2. Configure the group interface:
Here is an example that creates group interface mlt1 for interfaces 1/1 and 1/2:
configure group-interface mlt1
   interface-type Ethernet
   mode multi-link circuit inside
   interface 1/1
   interface 1/2


3. Create a virtual-router vrrp-id for the template circuit (inside, the base circuit of group-interface mlt1).
Here is an example that creates vrrp-id 51 for the template circuit inside (attached to group-interface mlt1 defined above) and assigns a priority delta of 10. It assumes that VRRP failover-group fgvsx with failover-group-id 1 has already been created:
configure vrrp failover-group fgvsx failover-group-id 1
   virtual-router vrrp-id 51 circuit inside
   priority-delta 10
   mac-usage vrrp-mac
   backup-stay-up
   vap-group vsx


4. Perform steps 1-3 on the second chassis as well, making sure to use the same vrrp-id.

5. Once the above configuration is complete, use the template circuit (interface ins in the example above) in the Check Point management GUI to create VLAN interfaces as needed, and push the configuration to the chassis.
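
A pre-push consistency check for steps 1-4, added here as an example (it is not part of the original article or of any vendor tooling). It assumes each chassis configuration is available as text in the same form as the examples above; the function names and the sample configurations are constructed for illustration.

```python
import re

# Constructed sample: the article's example configuration as entered on one chassis.
CHASSIS_A = """\
configure circuit inside
  device-name ins
  vap-group vsx
     ip-forwarding
configure group-interface mlt1
   interface-type Ethernet
   mode multi-link circuit inside
   interface 1/1
   interface 1/2
configure vrrp failover-group fgvsx failover-group-id 1
   virtual-router vrrp-id 51 circuit inside
   priority-delta 10
   mac-usage vrrp-mac
   backup-stay-up
   vap-group vsx
"""
# Constructed faulty peer: same configuration, but with a different vrrp-id.
CHASSIS_B = CHASSIS_A.replace("vrrp-id 51", "vrrp-id 52")

def parse(config):
    """Return (circuit names, {group-interface: base circuit}, {circuit: vrrp-id})."""
    circuits = set(re.findall(r"^configure circuit (\S+)", config, re.M))
    group_if = dict(re.findall(
        r"^configure group-interface (\S+)\n(?:[ \t]+.*\n)*?[ \t]+mode multi-link circuit (\S+)",
        config, re.M))
    found = re.findall(r"^[ \t]+virtual-router vrrp-id (\d+) circuit (\S+)", config, re.M)
    vrrp = {circ: int(vid) for vid, circ in found}
    return circuits, group_if, vrrp

def check_chassis(config):
    """Each group-interface base circuit must be defined and carry a VRRP virtual-router."""
    circuits, group_if, vrrp = parse(config)
    problems = []
    for gi, circ in group_if.items():
        if circ not in circuits:
            problems.append(f"{gi}: template circuit {circ} is not defined")
        if circ not in vrrp:  # otherwise the IP lands at circuit level, not VRRP level
            problems.append(f"{gi}: template circuit {circ} has no VRRP virtual-router")
    return problems

def check_pair(a, b):
    """Both chassis must pass the single-chassis check and agree on each vrrp-id."""
    problems = [f"chassis {n}: {p}" for n, c in (("A", a), ("B", b)) for p in check_chassis(c)]
    va, vb = parse(a)[2], parse(b)[2]
    problems += [f"{c}: vrrp-id {va[c]} on A but {vb[c]} on B"
                 for c in sorted(va.keys() & vb.keys()) if va[c] != vb[c]]
    return problems
```

An empty list from check_pair means the template circuit, group-interface and VRRP sections agree on both chassis; any returned string names the step that needs correcting before the push.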