Check Point firewall entries in Cisco ARP table

BHconsultants88 · ‎12-05-2020

Hi everyone

This is probably a simple one so apologies in advance. I have a Check Point 5800 HA cluster in a Data Centre and following some work on a Cisco Nexus, looked at the ARP table and saw the following for my firewalls:

Internet 19.23.13.140 0 001c.7f81.0908 ARPA GigabitEthernet0/0/0 (CP VRRP)
Internet 19.23.13.141 0 001c.7f81.13a8 ARPA GigabitEthernet0/0/0 (CP 1 interface)
Internet 19.23.13.142 0 001c.7f81.0908 ARPA GigabitEthernet0/0/0 (CP 2 interface)

Can someone tell me why CP2 MAC address is the same as CP VRRP? I was thinking that CP2 is acting as the master but would appreciate if this could be confirmed.

Many thanks

balaji.bandi · ‎12-06-2020

yes, that is normal, what deployment is this Custer XL or Secure or what mode?

Do you see any issue, what is the nexus side config vPC?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

kka · ‎12-06-2020

Using the interface MAC for the cluster IP has the disadvantage that the ARP entry on all devices using this cluster IP as gateway has to be updated in case of a failover. Although the Check Point floods gratuitous ARP from the active node to update the tables on all connected devices, we have seen this not working on some older devices. These loose connectivity for routed traffic until they update their ARP table several minutes later.

(Newer) Check Point supports VMAC as a "shared" cluster MAC. This VMAC is moved to the active node IF similar as in HSRP or VRRP.