View Full Version : Hi all new to VSX help!!!



sebastan_bach
2009-04-22, 06:13
Hi all, I am new to VSX, but I am familiar with virtual firewalls on Cisco and Juniper.

I am not able to figure out the concept of virtual routers and virtual switches.

Say I have a VSX deployment with 3 virtual systems using a single physical interface as the external interface, and VLANs on the internal interface for separate customers.

In this case the IP addresses of the virtual systems on the external interfaces will all be in the same subnet, since they share the physical interface which connects to the Internet router.

In this case do I need to use a virtual router or a virtual switch?

Can someone please tell me when to use these virtual devices and how to use them?

As per my understanding I would need to use a virtual switch to let the virtual systems share the physical interface,

because in Cisco and Juniper one does not need virtual routers or switches for the same setup.

Can someone please throw some light on this? I read the documentation but found it a little confusing.

Regards

Sebastan

Petroman
2009-04-22, 16:23
Say I have a VSX deployment with 3 virtual systems using a single physical interface as the external interface, and VLANs on the internal interface for separate customers.

In this case the IP addresses of the virtual systems on the external interfaces will all be in the same subnet, since they share the physical interface which connects to the Internet router.



If more than one virtual system (firewall) needs a connection/interface to the same subnet, a virtual switch is the correct one.
Sounds like this is the case with your external connection.

(However, it is possible to move some of the routing from the (external) Internet router into VSX using a virtual router. It depends on where you have, do not have, or wish to have control of your routing; a network design issue.)

Create the virtual switch. You can only set a name for it and select the physical interface (+ VLAN ID if the physical interface is a trunk) it should have. Nothing more to do there.

Then from the Virtual System, select "Add interface -> Leading to virtual switch". In that dialog, select the virtual switch you need, and set the IP etc. as usual.

Then do the same on the other virtual systems.

It is required that the network and netmask of all the connections into the same virtual switch are the same, otherwise ARP/layer 2 problems may happen. This is however not verified by the system, it seems.

The general rule in VSX is:
- VSes cannot be connected to each other directly. They must go via a virtual switch or virtual router.
- Only ONE instance of the same interface.vlan combination can exist in the VSX (this is verified by the GUI when you make the interface).
- Use a virtual switch if you need to have more than one VS connecting to the same interface.vlan (same layer 2 network).
- Use a virtual router where you would normally use a router in a normal physical design. VSes can connect directly to it.

There is also a limit of 64 interfaces (internal or not) for each virtual unit.


Some find it easy to grasp if they draw a layer 3 (IP/routing) based drawing of things they wish to have in the VSX.
Often people draw such a diagram with rectangles (boxes) for the firewalls, circles for the routers and just lines between them describing the interface/connections.
In VSX it translates to:
Firewall = VS
Router = VR
Lines = Interfaces, replace with virtual switch if more than one VS connects to the same line.



     net 1                       net 2
       |                           |
       |                           |
       | 192.168.5.1               | 192.168.1.1
   -----------               ------------
   |  FW 1   |               |   FW 2   |
   |         |               |          |
   -----------               ------------
       | 10.1.1.1                  | 10.1.1.2
       |                           |
       -----------------------------
                     |
                     |
                   net 3




Here FW 1 and FW 2 can be defined as VSes in the VSX.

"Net 1" can be defined directly as an interface in FW 1, since it is the single connection to/from Net 1 in the whole VSX.

"Net 2" can be defined directly as an interface in FW 2 also.

"Net 3" needs to be defined as a virtual switch since two (or more) VSes need access to it.


Hope this clears up a bit.

- Petter

fireverse
2009-04-23, 02:50
Petroman did a great job explaining this. In your case if the external interface of the VSs are all in the same subnet, then you would use a virtual switch (as he said). This is a very common configuration.

sebastan_bach
2009-04-23, 03:54
Hi petroman,

Thanks for the detailed explanation, man.

Thanks for clearing my doubt.

I was basically confused about why we would need a virtual switch and virtual router, which you helped me understand pretty well,

because in Cisco and Juniper there is no virtual switch concept for sharing the interface among virtual systems.

A few more doubts about routing traffic between virtual systems when sharing the external interface using a virtual switch.

1) If I am sharing the external interface between the virtual systems using a virtual switch, then for forwarding traffic between virtual systems, which of these are valid options?

a) Set the next hop for traffic to the other virtual system pointing to the external router, which will route it to the virtual system.

b) Set the next hop for traffic to the other virtual system pointing directly to the external interface of the other virtual system, since they are on the same subnet connected by the virtual switch.

c) Will I have to use a virtual router for routing the traffic between the virtual systems sharing the same external interface?

In Cisco and Juniper, routing traffic between the virtual systems can be done directly over the shared external interface without routing the traffic to an external router.

Please help me out in understanding these silly doubts.

Thanks

Regards

Sebastan

bwatts
2010-10-19, 14:49
Are there 3 IP addresses involved with the virtual switch, 2 real interfaces with IP addresses and one virtual like HSRP in the Cisco world?

Petroman
2010-11-01, 08:36
Are there 3 IP addresses involved with the virtual switch, 2 real interfaces with IP addresses and one virtual like HSRP in the Cisco world?

No.

VSX only operates with real (cluster/traffic) IPs in the configuration, there are no "physical" IPs per cluster member as in HSRP/VRRP.

(Well, on SPLAT actually there is, but it is automagic from the "internal cluster network", in some documents called "funny IPs", which you specify on the physical cluster object, and this is not visible in any regular configuration commands; also those internal IPs are reused on each virtual firewall, as they are always on separate layer 2. But you may see them in tcpdump, as they are used on the ClusterXL 8116 probe packets. On other platforms, for example Crossbeam, which handles clustering completely differently, there are no other IPs except the ones used for the traffic itself.)

In the case of the virtual switch, it has no IPs, since it is a layer 2 bridge from the external interface to the warp interfaces (up to 63, I think).
The IPs are defined on the internal warp interface from the virtual firewalls into the switch (the IP is defined on the firewall side of the interface).

So my drawing in the earlier post shows all IP addresses necessary; there are no hidden ones.

You make a switch and tell it which physical interface (and possibly VLAN) it has; it can only have one interface going out of the box.

Then you make a wrp interface (with IP) from the virtual firewall to the switch.
All of this is done via the Dashboard. (VS object -> Topology -> new interface -> leading to...) after the switch has been made.

I guess Check Point could have made this virtual-switch thing (same layer 2 into several VSes) transparent to the user, but they did not, probably caused by some earlier design that was not easy to change.

I would suggest that people new to VSX do a lab on it, since it is much easier to grasp than just reading the docs. Then try to design stuff into it and see what it accepts, what works, and how it looks on the modules.
The usual 15-day after-install eval also applies to VSX, so it is easy to test.
The VSX SPLAT images also work fine (for lab use) in VMware (Workstation or ESX[i]) for those familiar with managing lots of interfaces in VMware.


- Petter
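Added example (not code from the thread or from Check Point): a small design checker that encodes the rules Petter gives in his 2009-04-22 post (one instance of each interface.vlan in the whole VSX, a virtual switch wherever more than one VS shares a layer 2 network, identical network/netmask on every warp interface into the same virtual switch, at most 64 interfaces per virtual unit) and the 2010-11-01 description of a virtual switch as a name plus one physical interface with no IP of its own. It runs the rules over the two-firewall diagram from the first post and over a deliberately broken variant. The netmask rule is the one the thread says the GUI does not verify, so it is the main thing worth checking before building the config. Interface names (eth0/eth1/eth2), the switch name vsw_net3 and the third VS FW3 are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Dict, List, Optional, Tuple

MAX_IFACES_PER_UNIT = 64  # limit quoted in the thread for each virtual unit


@dataclass(frozen=True)
class VSwitch:
    """A virtual switch: a name and one physical interface (+ VLAN), no IP."""
    name: str
    phys: str
    vlan: Optional[int] = None


@dataclass(frozen=True)
class Iface:
    """A VS interface: either directly on a physical interface (+ VLAN), or a
    warp interface leading to a virtual switch. The IP sits on the VS side."""
    vs: str
    ip: str                      # e.g. "10.1.1.1/24"
    phys: Optional[str] = None
    vlan: Optional[int] = None
    vswitch: Optional[str] = None


def _fmt(key: Tuple[str, Optional[int]]) -> str:
    phys, vlan = key
    return f"{phys}.{vlan}" if vlan is not None else phys


def check_design(vswitches: List[VSwitch], ifaces: List[Iface]) -> List[str]:
    """Return the rule violations found (an empty list means the design is clean)."""
    errors: List[str] = []
    switches = {sw.name: sw for sw in vswitches}

    # Rule: only ONE instance of an interface.vlan pair may exist in the VSX.
    owner: Dict[Tuple[str, Optional[int]], str] = {}
    for sw in vswitches:
        owner[(sw.phys, sw.vlan)] = f"vswitch {sw.name}"
    for i in ifaces:
        if (i.phys is None) == (i.vswitch is None):
            errors.append(f"{i.vs}: interface must lead to a physical interface "
                          "or to a virtual switch, not both or neither")
            continue
        if i.vswitch is not None:
            if i.vswitch not in switches:
                errors.append(f"{i.vs}: unknown virtual switch {i.vswitch}")
            continue
        key = (i.phys, i.vlan)
        if key in owner:
            errors.append(f"{i.vs}: {_fmt(key)} already used by {owner[key]}; "
                          "put both on a virtual switch instead")
        else:
            owner[key] = f"VS {i.vs}"

    # Rule: every warp interface into one virtual switch must share the same
    # network and netmask. The thread says the system does not verify this.
    nets = defaultdict(set)
    for i in ifaces:
        if i.vswitch is not None:
            nets[i.vswitch].add(ip_interface(i.ip).network)
    for name, found in nets.items():
        if len(found) > 1:
            errors.append(f"vswitch {name}: mixed networks {sorted(map(str, found))}")

    # Rule: at most 64 interfaces per virtual unit. A warp interface counts on
    # both ends; the switch's own physical interface counts as well.
    counts = defaultdict(int)
    for i in ifaces:
        counts[i.vs] += 1
        if i.vswitch is not None:
            counts[i.vswitch] += 1
    for sw in vswitches:
        counts[sw.name] += 1
    for unit, n in counts.items():
        if n > MAX_IFACES_PER_UNIT:
            errors.append(f"{unit}: {n} interfaces exceeds {MAX_IFACES_PER_UNIT}")
    return errors


def thread_example() -> List[str]:
    """The diagram from the thread: net 1 and net 2 are direct interfaces,
    net 3 is shared by FW 1 and FW 2 through a virtual switch."""
    sw = [VSwitch("vsw_net3", "eth0")]
    ifs = [
        Iface("FW1", "192.168.5.1/24", phys="eth1"),
        Iface("FW2", "192.168.1.1/24", phys="eth2"),
        Iface("FW1", "10.1.1.1/24", vswitch="vsw_net3"),
        Iface("FW2", "10.1.1.2/24", vswitch="vsw_net3"),
    ]
    return check_design(sw, ifs)


def broken_example() -> List[str]:
    """Two mistakes: FW1 put directly on eth0 (already owned by the switch),
    and a third VS joining the switch with a different netmask."""
    sw = [VSwitch("vsw_net3", "eth0")]
    ifs = [
        Iface("FW1", "10.1.1.1/24", phys="eth0"),
        Iface("FW2", "10.1.1.2/24", vswitch="vsw_net3"),
        Iface("FW3", "10.1.1.3/25", vswitch="vsw_net3"),
    ]
    return check_design(sw, ifs)


if __name__ == "__main__":
    print("thread design:", thread_example() or "OK")
    for err in broken_example():
        print("broken design:", err)
```

The checker only models what the thread states; it does not attempt the routing question raised later in the thread (whether two VSes on the same virtual switch forward to each other directly or via the external router), which depends on the routes configured in each VS.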