How to configure VRRP for Virtual Systems without a regular interface

book

Article ID: 168052

calendar_today

Updated On:

Products

XOS

Issue/Introduction

This article provides a method to instruct XOS to create VRRP context for Warp links even if the Virtual System doesn't connect directly to the external network via a regular interface.For some Virtual Systems, IP addresses on Warp links are created in the circuit context instead of VRRP context. These Virtual Systems have no regular interface in a Check Point Topology; only Warp links to other Virtual Devices.

Cause

In a VSX DBHA environment, when configuring a Virtual System connected only to other Virtual Devices, XOS doesn't configure VRRP for the Warp links. The attached network diagram shows an example topology.

The Virtual System VS2 in the example has interfaces leading only to Virtual Switches (Warp links). There are no regular interfaces configured in the Topology tab of this Virtual System.

When you push configuration of such a Virtual System to the gateways, XOS doesn't find any existing (regular) circuits with VRRP attached to this Virtual System. Therefore, it puts IP addresses of the Warp links under the circuit context. This is an undesired result for a VRRP/DBHA setup.

Resolution

In order to create VRRP for the Warp links, a regular interface must exist. To maintain the topology, you can create a "dummy" circuit that will act as a regular interface:

Define an internal "loopback" circuit together with a VRRP virtual router at the XOS level.
Add this circuit as a regular interface in the Virtual System topology (with a unique IP address/netmask).

Here is an example XOS 8.x configuration of a loopback circuit with a VRRP template:

circuit Loc1

internal

device-name Loc1

vap-group vsx

vrrp failover-group vsx_fg failover-group-id 1

...

virtual-router vrrp-id 11 circuit Loc1

priority-delta 10

mac-usage vrrp-mac

vap-group vsx

At this point, when XOS configures circuits for the Warp links and checks whether VRRP is configured on any circuit attached to this Virtual System, it finds the loopback circuit and configures VRRP for the Warp circuits too.

Since XOS 9.5, the link-state-resistant command replaces the internal command to

keep a circuit in an Up state regardless of the state of the physical interface to which it is assigned.

Workaround

N/A

Attachments

Feedback

thumb_up Yes

thumb_down No