CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Is it possible to run VRRP with only 1 public IP? There seems to be little or no documentation covering this implementation. I believe that the reason for that is because in order to publish a how-to on VRRP with 1 IP, you need to include switch configuration, and that exceeds the scope of the simplified VRRP setup docs. My colleagues are convinced that it cannot be done due to the lack of documentation, but I still think it can. You should just be able to address your Virtual Router with your Public IP, and then address the 2 physical external interfaces with anything like 1.1.1.1 or something. The Checkpoint Gateway Cluster Object should then be able to push the policy to all members on those private external interfaces??? Switch configuration would be another story, but should be possible, right? Can someone clarify this for me (any available diagrams would be greatly appreciated too.)

Thanks in advance for any advice,
Chad

Nokia 560's x 2 w/ NGX R65

Last edited by cmarcusson; 2007-12-28 at 11:36.
| |||
Not possible... Each external interface must have its own unique public address in addition to the main IP shared by the cluster. Speak to your ISP to obtain a larger pool.

A /30 Net has 6 usable addresses and should work for you
A /29 Net will give you 14 usable addresses

When considering IP pool sizes, consider the following:
1 IP - Router (yours or ISP provided - MANDATORY)
1 IP - FW1 (Physical interface)
1 IP - FW2 (Physical interface)
1 IP - VRRP/HA/Cluster (Virtual interface)
1 IP - RADIUS (2 IPs if HA RADIUS)
1 IP - For each server (web, FTP, Email, etc.) that needs Static NAT IP

__________________
There's no place like 127.0.0.1
| |||
I believe that SPLAT/ClusterXL can do HA using a HA address outside the interface range, however that is NOT VRRP. However I have not really looked at it too much as I need to be able to connect to the individual boxes across the Internet anyway.
| |||
| Quote:
|
| |||
oops! sorry, should be /29 and /28 respectively...

__________________
There's no place like 127.0.0.1
| |||
If you own the router... You could have the router NAT. A setup would be something like this:

FW VIP 10.1.1.1
FW1 real IP 10.1.1.2
FW2 real IP 10.1.1.3
Router NAT Public IP to 10.1.1.1

It gets more complicated to do this if you have branch offices with the Checkpoint management server behind this firewall group, but could be possible.
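The two designs discussed in this thread (every external interface plus the VIP on the public subnet, as in the pool-sizing reply and its /29 and /28 correction, versus the router-NAT layout in the last reply) differ only in how many public addresses they consume. The following is an added example, not code from the thread or from Check Point or Nokia: it turns the pool-sizing list into a check that a given prefix actually holds every address a design needs, using the Python standard-library ipaddress module. The role names and the 203.0.113.0/xx documentation prefixes are assumptions chosen for the example.

```python
"""Public-address planning for a two-member VRRP firewall pair.

Added example, not code from the CPUG thread or from Check Point/Nokia.
Role names and the 203.0.113.0/xx (RFC 5737 documentation) prefixes are
assumptions chosen for the example.
"""
import ipaddress


def cluster_roles(direct_vrrp=True, radius=0, static_nat_servers=0):
    """List every public address the pool-sizing reply counts.

    direct_vrrp        -- True: FW1, FW2 and the VIP each sit on the public
                          subnet. False: router-NAT layout; only the router's
                          own public address is on the link (assumed here to
                          be the one translated to the private VIP).
    radius             -- 0, 1, or 2 (two when RADIUS is run HA)
    static_nat_servers -- servers that each need a Static NAT address
    """
    roles = ["router"]  # yours or ISP-provided, always needed
    if direct_vrrp:
        roles += ["fw1-physical", "fw2-physical", "vrrp-vip"]
    roles += [f"radius-{i + 1}" for i in range(radius)]
    roles += [f"static-nat-{i + 1}" for i in range(static_nat_servers)]
    return roles


def usable_count(prefix):
    """Usable host addresses in prefix (network and broadcast excluded)."""
    return len(list(ipaddress.ip_network(prefix, strict=True).hosts()))


def plan_pool(prefix, roles):
    """Assign one distinct usable address per role, in list order.

    Returns {role: IPv4Address}; raises ValueError when the prefix is too
    small, stating the shortfall.
    """
    hosts = list(ipaddress.ip_network(prefix, strict=True).hosts())
    if len(hosts) < len(roles):
        raise ValueError(
            f"{prefix}: {len(hosts)} usable addresses, {len(roles)} needed"
        )
    return dict(zip(roles, hosts))


def fits(prefix, roles):
    """True when plan_pool() would succeed for prefix and roles."""
    return usable_count(prefix) >= len(roles)


if __name__ == "__main__":
    direct = cluster_roles()  # router + FW1 + FW2 + VIP, nothing else
    for pfx in ("203.0.113.0/30", "203.0.113.0/29", "203.0.113.0/28"):
        verdict = "fits" if fits(pfx, direct) else "too small"
        print(f"{pfx}: {usable_count(pfx)} usable, {verdict} for direct VRRP")
    for role, addr in plan_pool("203.0.113.0/29", direct).items():
        print(f"  {role:13} {addr}")
    # Router-NAT layout from the last reply: one public address on the link,
    # the VIP and both physical interfaces stay on private space (10.1.1.x).
    nat_only = cluster_roles(direct_vrrp=False)
    print("router-NAT layout on a /30:", plan_pool("203.0.113.0/30", nat_only))
```

Running it shows why the first reply's numbers needed correcting: a /30 yields only two usable addresses, so the bare direct layout (router, two physical interfaces, VIP) already needs a /29, and adding HA RADIUS plus a couple of static-NAT servers pushes it to a /28. With the router doing the NAT, the same /30 is enough on the public side.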