VSX – Adding default route for DMI Interface

The VSX admin manual is pretty good, but one thing I hate is when manuals describe concept A in terms of concept B before they define what concept B is. R75.40 manual, page 14:

“You can choose to use a non-dedicated management interface by connecting a Virtual Router or Virtual Switch to the management interface.”

Oh, that's obvious. VRs and VSs have not even been discussed yet, and, get this, they never go back to explain what this means.

Anyway, in my labs I was stuck trying to figure out how to route the management interface out the external interface. VSX purposely dead-ends the interface so that it is strictly a management interface and should not be routed outside the VSX gateway. I need to do this for NTP/DNS to my MDS and SmartCenters (and to surf porn and fantasy football…right).

So a couple of things:

– Virtual Switches are used to let multiple VSs share one physical interface.
– So if VS1/2/3/4 all want to talk out the external physical interface eth0, you are required to share eth0 through a Virtual Switch.
– "Warp" interfaces link each VS to the Virtual Switch, and the Virtual Switch is in turn bound to the physical interface (and through it to the physical switch).

Anyway, what I had to do was create a link from the VSX gateway itself to the Virtual Switch.

I went into the topology for the VSX gateway and created a NEW interface to the Virtual Switch "HQClusterSwitch". I gave that interface the address that external systems see for the VSX gateway on the external physical network (172.17.1.222).

I then added a default route to 172.17.1.2, the external router.

Here are the interface definitions for the VSX gateway, i.e. 'vsenv 0'. For those not familiar with VSX, what happens in the internal routing table is a little different from standard Linux. A new wrp1 interface is created. Notice it has an IP address of 192.168.196.2, and notice there is NO interface for 172.17.0.0.

BUT a route statement is inserted that points 172.17.0.0 TO the wrp1 interface.

If you run 'vsenv 1', which changes to the context of the Virtual Switch, you can see the other end of the warp interface, wrpj1, and you can see the switch tied into eth1, which is the external interface.

So my next question is "Where is the 172.17.0.0 interface????" More specifically, where is 172.17.1.222 defined?

Well, I have some of the answer but not all. It seems there is some weird NAT going on. Check this out, an fw monitor in vsenv 0, the VSX gateway:

Notice how packets entering the VSX gateway go up the input stack addressed to 172.17.1.222 but are then address-translated to 192.168.1.2, which is the warp interface of the VSX gateway!!! Cute, huh?
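The screenshot of that fw monitor run is not preserved, so here is an added example (my own code, not from the original post or from Check Point) that shows how to spot this kind of hidden translation in fw monitor output programmatically. fw monitor prints each packet at up to four inspection points, i (pre-inbound), I (post-inbound), o (pre-outbound) and O (post-outbound); if the destination differs between i and I, or the source between o and O, the gateway rewrote the address in between, which is exactly what the post describes. The sample lines are constructed to match the scenario above (an external host at 172.17.1.1 talking to the gateway's 172.17.1.222, which is rewritten to the warp address from the 'vsenv 0' interface list, 192.168.196.2); the line layout is an approximation of fw monitor's "iface:pos[len]: src -> dst (proto)" format, and the interface name wrp1 and the IP id values are assumptions.

```python
"""
Added example, not part of the original post: detect address rewrites between
fw monitor inspection points.

Assumptions (not taken from the post): line format approximates
"[vs_N][fw_N] <iface>:<pos>[<len>]: <src> -> <dst> (<proto>) ... id=<ipid>",
packets are paired across positions by (interface, IP id), the warp interface
is wrp1 and the warp address is 192.168.196.2.
"""
import re
from collections import defaultdict

# Constructed sample, not captured output: an ICMP echo from an external host
# to the VSX gateway's external address and the gateway's reply, as seen from
# 'vsenv 0'. The first two lines mimic fw monitor's start-up banner.
SAMPLE_FW_MONITOR = """\
monitor: getting filter (from command line)
monitor: monitoring (control-C to stop)
[vs_0][fw_0] wrp1:i[84]: 172.17.1.1 -> 172.17.1.222 (ICMP) len=84 id=101
[vs_0][fw_0] wrp1:I[84]: 172.17.1.1 -> 192.168.196.2 (ICMP) len=84 id=101
[vs_0][fw_0] wrp1:o[84]: 192.168.196.2 -> 172.17.1.1 (ICMP) len=84 id=102
[vs_0][fw_0] wrp1:O[84]: 172.17.1.222 -> 172.17.1.1 (ICMP) len=84 id=102
"""

LINE_RE = re.compile(
    r"^(?:\[vs_(?P<vs>\d+)\])?(?:\[fw_\d+\])?\s*"
    r"(?P<iface>[\w.-]+):(?P<pos>[iIoO])\[\d+\]:\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+\((?P<proto>\w+)\)(?P<rest>.*)$"
)

# (pre position, post position, label): only compare within the same direction,
# otherwise a request/reply pair would look like a swap of src and dst.
PAIRS = (("i", "I", "inbound"), ("o", "O", "outbound"))


def parse_fw_monitor(text):
    """Return one dict per packet line; banners and unknown lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        idm = re.search(r"\bid=(\d+)", rec.pop("rest"))
        rec["id"] = int(idm.group(1)) if idm else None
        packets.append(rec)
    return packets


def find_translations(packets):
    """Pair each packet's pre/post positions and report any address change.

    Returns tuples (ip_id, iface, direction, field, before, after). A change
    in 'dst' between i and I is a destination rewrite on the way in; a change
    in 'src' between o and O is a source rewrite on the way out.
    """
    stages = defaultdict(dict)
    for p in packets:
        stages[(p["iface"], p["id"])][p["pos"]] = p
    found = []
    for (iface, ip_id), seen in stages.items():
        for pre, post, direction in PAIRS:
            if pre not in seen or post not in seen:
                continue
            for field in ("src", "dst"):
                before, after = seen[pre][field], seen[post][field]
                if before != after:
                    found.append((ip_id, iface, direction, field, before, after))
    return found


def describe(translations):
    """Human-readable one-liners for the findings."""
    return [
        f"id={ip_id} {iface} {direction}: {field} {before} -> {after}"
        for ip_id, iface, direction, field, before, after in translations
    ]


if __name__ == "__main__":
    for line in describe(find_translations(parse_fw_monitor(SAMPLE_FW_MONITOR))):
        print(line)
```

Run it as-is to see the two rewrites the post talks about (inbound destination 172.17.1.222 to the warp address, and the reverse on the reply). To use it against a real box, pipe the output of an fw monitor run in the VS 0 context into it; if the real line layout differs from the assumed one, only LINE_RE needs adjusting.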

So I went digging into the NAT table and nada, zilch, bust. Not there. But I know it's somewhere!!!

The search goes on.

Adios amigos noche tarde,

dreez

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.