12-05-2020 07:16 PM
Hi everyone
This is probably a simple one, so apologies in advance. I have a Check Point 5800 HA cluster in a Data Centre and, following some work on a Cisco Nexus, I looked at the ARP table and saw the following for my firewalls:
Internet 19.23.13.140 0 001c.7f81.0908 ARPA GigabitEthernet0/0/0 (CP VRRP)
Internet 19.23.13.141 0 001c.7f81.13a8 ARPA GigabitEthernet0/0/0 (CP 1 interface)
Internet 19.23.13.142 0 001c.7f81.0908 ARPA GigabitEthernet0/0/0 (CP 2 interface)
Can someone tell me why CP2's MAC address is the same as the CP VRRP one? I was thinking that CP2 is acting as the master, but I would appreciate it if this could be confirmed.
Many thanks
12-06-2020 12:36 AM
Yes, that is normal. What deployment is this: ClusterXL or Secure, or what mode?
Do you see any issue? What is the Nexus-side config, vPC?
12-06-2020 01:59 AM
Using the interface MAC for the cluster IP has the disadvantage that the ARP entry on all devices using this cluster IP as gateway has to be updated in case of a failover. Although the Check Point floods gratuitous ARP from the active node to update the tables on all connected devices, we have seen this not working on some older devices. Those lose connectivity for routed traffic until they update their ARP table several minutes later.
(Newer) Check Point supports VMAC as a "shared" cluster MAC. This VMAC is moved to the active node if needed, similar to HSRP or VRRP.
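The two replies above describe how to read the ARP table: with the interface-MAC scheme the cluster IP resolves to the active member's own MAC, and after a failover every neighbour must pick up the gratuitous ARP or it keeps forwarding to the old member. The following script is an added example (not from this thread or from Check Point) that parses Cisco-style `show ip arp` output, works out which member currently owns the cluster IP, and flags a cache that still points at the old member after a failover. The ARP snapshots, the member names CP1/CP2 and the VMAC value are constructed from the addresses in the question.

```python
"""Inspect Cisco-style `show ip arp` output to see which cluster member
holds a cluster IP and to spot ARP caches that did not follow a failover.
Added example; sample data below is constructed from the thread's addresses."""
import re

# Constructed: the snapshot from the question (header line included).
ARP_BEFORE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  19.23.13.140            0   001c.7f81.0908  ARPA   GigabitEthernet0/0/0
Internet  19.23.13.141            0   001c.7f81.13a8  ARPA   GigabitEthernet0/0/0
Internet  19.23.13.142            0   001c.7f81.0908  ARPA   GigabitEthernet0/0/0
"""

# Constructed: the same device after a failover to CP1, where the
# gratuitous ARP was honoured and the cluster IP moved to CP1's MAC.
ARP_AFTER_OK = """\
Internet  19.23.13.140            0   001c.7f81.13a8  ARPA   GigabitEthernet0/0/0
Internet  19.23.13.141            0   001c.7f81.13a8  ARPA   GigabitEthernet0/0/0
Internet  19.23.13.142            0   001c.7f81.0908  ARPA   GigabitEthernet0/0/0
"""

# Constructed: a VMAC deployment. The cluster IP uses a MAC that belongs
# to neither member (the MAC value itself is an arbitrary placeholder).
ARP_VMAC = """\
Internet  19.23.13.140            0   00aa.bbcc.dd01  ARPA   GigabitEthernet0/0/0
Internet  19.23.13.141            0   001c.7f81.13a8  ARPA   GigabitEthernet0/0/0
Internet  19.23.13.142            0   001c.7f81.0908  ARPA   GigabitEthernet0/0/0
"""

CLUSTER_IP = "19.23.13.140"
MEMBERS = {"CP1": "19.23.13.141", "CP2": "19.23.13.142"}  # assumed names

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return {ip: mac} for every ARPA entry; header and junk lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def active_member(arp, vip, members):
    """Name of the member whose interface MAC the cluster IP resolves to,
    'VMAC' if the cluster IP uses a MAC owned by no member (shared virtual
    MAC), or None if the cluster IP is not in the table at all."""
    vip_mac = arp.get(vip)
    if vip_mac is None:
        return None
    for name, ip in members.items():
        if arp.get(ip) == vip_mac:
            return name
    return "VMAC"


def stale_after_failover(arp_after, vip, members, new_active):
    """True if this cache still maps the cluster IP to a member other than
    new_active, i.e. the gratuitous ARP from the failover was not applied.
    A VMAC entry never goes stale because the MAC does not change."""
    owner = active_member(arp_after, vip, members)
    return owner is not None and owner not in (new_active, "VMAC")


if __name__ == "__main__":
    for label, snap in (("before", ARP_BEFORE), ("after", ARP_AFTER_OK), ("vmac", ARP_VMAC)):
        print(label, "->", active_member(parse_arp(snap), CLUSTER_IP, MEMBERS))
    print("stale after failover to CP1:",
          stale_after_failover(parse_arp(ARP_BEFORE), CLUSTER_IP, MEMBERS, "CP1"))
```

Run against the question's snapshot it reports CP2 as the owner of the cluster IP, which is exactly what the first reply confirms. Comparing snapshots from the same neighbour before and after a planned failover gives a quick way to find the "older devices" from the second reply that keep a stale entry.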