VRRP - Advanced Questions

[bornamonday]

Hello,

Is it possible to have the VIP of the firewall and the physical IP addresses of the firewall in different networks with Nokia VRRP?

sample:
VIP: 192.168.1.1 / 30
RT1: 192.168.1.5 / 30
RT2: 192.168.1.6 / 30

why I am asking this is because I don't want to change the current network IP addresses connecting the firewall to router with netmask /30 which means I don't have an additional free IP for the 2nd firewall when migration to Nokia VRRP cluster. and the whole picture of the scenario is to avoid IP change on router.

Thanks for your help!!!

BAM.

[olasoji]

Yes. It is possible to have the physical IP addresses in a different subnet from the VIP. Checkpoint is able to map the virtual cluster Ip address to the member interface addresses.

In the Cluster object, just specify the network that the members reside on and that is it. This would be the member network.

If this solves your problem please do let me know

[bornamonday]

ok and thanks, I will give a shot anyway and let you know. But I have noticed that on the Nokia side, if the VIP is not on the same network as both physical IP addresses, both physical network interfaces wont advertised their physical mac addresses to the switch when issuing "show mac address-table" as well as the Virtual MAC of the VIP wont appear on the switch as well. So nothing shows up on the switch no mac addresses of both physical IP and VMAC as well. it should not work.

if you could NOT see the mac addresses of both physical addresses as well as the VMAC of the VIP. I dont see how CP could ease the problem.

Please put your comments.

Thanks.
BAM.