1302 Views | 1 Helpful | 22 Replies

Firewall unable to learn mac address of vip of Cisco Nexus 7706

DJay11
Level 1

Seek help on why the Firewall (Checkpoint) is unable to learn the VIP interface of our Cisco Nexus 7706. Both are connected under the same VLAN. We have no problem with the physical interface of the Cisco switch. As a workaround, the FW team configured the switch VIP MAC address statically. Is this a switch or Firewall issue? Another brand of FW in our organization encountered the same issue.

[attachment: DJay11_0-1706772926107.png]

22 Replies

balaji.bandi
Hall of Fame

How is your configuration towards the FW? vPC?

Can you post a sample config, or an example config like:

interface port-channel22
  description *** Firewall ***
  switchport mode trunk
  switchport trunk allowed vlan 102
  no shutdown
  vpc 22

interface Ethernet1/3-4
  switchport mode trunk
  switchport trunk allowed vlan 102
  channel-group 22 mode active
  no shutdown

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Here is the config from Cisco Nexus to FW interface. 

interface Ethernet1/3-4
  description Link-InternalFW-1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 102,103,257,323-326,444-445,448,502
  mtu 9216
  channel-group 534 mode active
  no shutdown

Is port-channel 534 in a vPC?

How is the FW side configured?

Since you are using HSRP (hope the other VLANs are working as expected?)
BB

Friend, I see you configured vPC.

And I assume VLAN 102 is a vPC VLAN (allowed on the vPC peer-link).

So you need to use HSRP.

And the FW will learn the vMAC of HSRP, not the MAC of the Nexus SW.

MHM

Yes, HSRP is configured on the Cisco Switch. 

Ping from the FW to the VIP of HSRP.

Did you get a reply?

If yes, then check the MAC address in the FW.

Also, how did you configure the two links between the FW and the NSKs?

MHM

Ping test from the FW to the switch via the VIP is intermittent. It will just stabilize if they configure the switch VIP MAC address on the FW manually or use the physical interface of the switch. The problem is only when using the switch VIP.

This is a sample of our int vlan configuration:

interface Vlan132
  description BAU
  no shutdown
  no ip redirects
  ip address 172.25.142.254/24
  no ipv6 redirects
  ip router ospf 1 area 0.0.0.0
  hsrp version 2
  hsrp 142
    preempt
    priority 110
    ip 172.25.142.1
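The check MHM describes (ping the HSRP VIP from the FW, then look at which MAC the FW holds for it) can be done mechanically against the SVI block just posted. The script below is an added example, not code from this thread, from Cisco or from Check Point: it derives the expected HSRP virtual MAC from the SVI config using the standard prefixes (0000.0c07.acXX for HSRP v1, 0000.0c9f.fXXX for v2) and classifies a firewall ARP entry for the VIP. The ARP table lines are constructed samples in Linux `arp -n` layout, and the "physical" MAC in them is a made-up placeholder.

```python
"""Added example (not from the thread, Cisco or Check Point): derive the HSRP
virtual MAC a firewall should have in its ARP cache for an NX-OS SVI VIP, and
classify what a firewall ARP table actually shows.  The SVI block is the one
quoted in the thread; the ARP table lines are constructed samples."""
import re

# Well-known HSRP virtual MAC prefixes.
HSRP_V1_PREFIX = "0000.0c07.ac"   # followed by the group as 2 hex digits (0-255)
HSRP_V2_PREFIX = "0000.0c9f.f"    # followed by the group as 3 hex digits (0-4095)


def hsrp_vmac(group: int, version: int = 1) -> str:
    """Return the HSRP virtual MAC for a group, in NX-OS dotted format."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRP v1 groups are 0-255")
        return f"{HSRP_V1_PREFIX}{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRP v2 groups are 0-4095")
        return f"{HSRP_V2_PREFIX}{group:03x}"
    raise ValueError("HSRP version must be 1 or 2")


def parse_svi_hsrp(config: str) -> dict:
    """Pull HSRP version, group number and VIP out of an SVI config block.
    Only the first HSRP group in the block is considered."""
    version, group, vip = 1, None, None   # NX-OS defaults to HSRP version 1
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"hsrp version (\d)", line)
        if m:
            version = int(m.group(1))
            continue
        m = re.fullmatch(r"hsrp (\d+)", line)
        if m and group is None:
            group = int(m.group(1))
            continue
        # 'ip A.B.C.D' under the hsrp group is the VIP; 'ip address ...' does not match
        m = re.fullmatch(r"ip (\d+\.\d+\.\d+\.\d+)", line)
        if m and group is not None and vip is None:
            vip = m.group(1)
    return {"version": version, "group": group, "vip": vip}


def normalize_mac(mac: str) -> str:
    """Accept 00:00:0c:9f:f0:8e, 00-00-0c-9f-f0-8e or 0000.0c9f.f08e; return dotted."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def check_fw_arp(arp_table: str, vip: str, expected_vmac: str) -> str:
    """Classify the firewall's ARP entry for the VIP (Linux 'arp -n' layout):
    'vmac'     - the HSRP virtual MAC, what a healthy setup shows
    'physical' - some other MAC, i.e. one switch's burned-in address
    'missing'  - no entry, or an incomplete one"""
    for line in arp_table.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != vip:
            continue
        if "(incomplete)" in parts[1] or len(parts) < 3:
            return "missing"
        return "vmac" if normalize_mac(parts[2]) == expected_vmac else "physical"
    return "missing"


# SVI block as quoted in the thread.
SVI_CONFIG = """\
interface Vlan132
  description BAU
  no shutdown
  no ip redirects
  ip address 172.25.142.254/24
  no ipv6 redirects
  ip router ospf 1 area 0.0.0.0
  hsrp version 2
  hsrp 142
    preempt
    priority 110
    ip 172.25.142.1
"""

# Constructed firewall ARP output; the "physical" MAC is a made-up placeholder.
ARP_GOOD = "172.25.142.1   ether   00:00:0c:9f:f0:8e   C   eth1"
ARP_PHYSICAL = "172.25.142.1   ether   00:11:22:33:44:55   C   eth1"
ARP_INCOMPLETE = "172.25.142.1   (incomplete)   eth1"

if __name__ == "__main__":
    hs = parse_svi_hsrp(SVI_CONFIG)
    expected = hsrp_vmac(hs["group"], hs["version"])
    print(f"VIP {hs['vip']} -> expected HSRP v{hs['version']} vMAC {expected}")
    for label, table in (("good", ARP_GOOD), ("physical", ARP_PHYSICAL), ("incomplete", ARP_INCOMPLETE)):
        print(f"{label:>10}: {check_fw_arp(table, hs['vip'], expected)}")
```

For the posted SVI (HSRP v2, group 142) the expected vMAC is 0000.0c9f.f08e. If the firewall holds a burned-in switch MAC for the VIP instead, it is sending VIP-bound traffic to one vPC peer's physical interface rather than to the virtual MAC that both peers forward for; a static vMAC entry on the firewall, the workaround from the opening post, removes the dependence on ARP resolution but hides rather than explains why the firewall's ARP for the VIP is unstable.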

channel-group 534 <- can I see how you configured port-channel 534?

MHM
Here. Just disregard the vlan allowed as vlan 102 is just a sample vlan. 

interface port-channel534
  description CP16200-INTERNAL_FW
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 103,257,323-326,444-445,448,502
  mtu 9216
  lacp max-bundle 16
  vpc 534

The 102 VLAN is missing in the config of the port-channel.
Add it and check the photo below.
Thanks,
MHM
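The mismatch MHM points out (a VLAN allowed on the LACP member ports but not on the port-channel) and the earlier point that vPC VLANs must also be allowed on the peer-link are both easy to miss by eye in a long allowed list. The script below is an added example, not code or configuration from this thread or from Cisco: it parses NX-OS interface blocks, expands VLAN ranges, and reports allowed-VLAN differences between each vPC port-channel, its member ports and the peer-link. The sample config is assembled from the two blocks posted above plus an assumed port-channel10 as peer-link (constructed; the thread never shows it), whose allowed list deliberately omits VLAN 502 so the peer-link check has something to report.

```python
"""Added example (not from the thread or Cisco): report 'switchport trunk
allowed vlan' mismatches between a vPC port-channel, its LACP member ports and
the vPC peer-link in an NX-OS config.  Only the plain 'allowed vlan LIST' form
is handled; the 'add'/'remove'/'except' variants are not."""
import re


def expand_vlans(spec):
    """Expand an NX-OS VLAN list such as '102,103,323-326' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Split a config into interface blocks keyed by interface name.
    An 'interface Ethernet1/3-4' range is kept as one block, as in the thread."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = {"allowed": None, "channel_group": None, "vpc": None, "peer_link": False}
            blocks[m.group(1)] = current
            continue
        if current is None:
            continue
        m = re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line)
        if m:
            current["allowed"] = expand_vlans(m.group(1))
            continue
        m = re.match(r"channel-group (\d+)", line)
        if m:
            current["channel_group"] = int(m.group(1))
            continue
        if line == "vpc peer-link":
            current["peer_link"] = True
            continue
        m = re.fullmatch(r"vpc (\d+)", line)
        if m:
            current["vpc"] = int(m.group(1))
    return blocks


def vpc_vlan_mismatches(config):
    """For each port-channel carrying 'vpc N', return sorted lists of VLANs that are
    on the members only, on the port-channel only, and not on the peer-link."""
    blocks = parse_interfaces(config)
    peer_link_vlans = set()
    for b in blocks.values():
        if b["peer_link"] and b["allowed"] is not None:
            peer_link_vlans = b["allowed"]
    report = {}
    for name, b in blocks.items():
        if b["vpc"] is None or b["allowed"] is None:
            continue
        po_num = int(re.sub(r"\D", "", name))       # 'port-channel534' -> 534
        member_vlans = set()
        for mb in blocks.values():
            if mb["channel_group"] == po_num and mb["allowed"] is not None:
                member_vlans |= mb["allowed"]
        report[name] = {
            "members_only": sorted(member_vlans - b["allowed"]),
            "po_only": sorted(b["allowed"] - member_vlans),
            "not_on_peer_link": sorted(b["allowed"] - peer_link_vlans),
        }
    return report


# Constructed sample: the two blocks from the thread plus an assumed peer-link.
SAMPLE_CONFIG = """\
interface port-channel10
  description vPC peer-link (assumed, not shown in the thread)
  switchport mode trunk
  switchport trunk allowed vlan 103,257,323-326,444-445,448
  vpc peer-link

interface port-channel534
  description CP16200-INTERNAL_FW
  switchport mode trunk
  switchport trunk allowed vlan 103,257,323-326,444-445,448,502
  vpc 534

interface Ethernet1/3-4
  description Link-InternalFW-1
  switchport mode trunk
  switchport trunk allowed vlan 102,103,257,323-326,444-445,448,502
  channel-group 534 mode active
"""

if __name__ == "__main__":
    for po, diff in vpc_vlan_mismatches(SAMPLE_CONFIG).items():
        print(po, diff)
```

Run against the sample, port-channel534 reports VLAN 102 on the members only (MHM's finding) and VLAN 502 missing from the assumed peer-link. In practice the member-port allowed list is irrelevant once the port is bundled, because the port-channel's configuration governs the bundle, which is exactly why a VLAN that is only on the members never reaches the firewall.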

VLAN 102 is just a "mock" VLAN. The correct VLAN ID has been configured in the port-channel to allow access. The main problem is the VIP of the switch SVI.

Are the two links between the FW and SW configured as an L2 PO "FROM THE FW SIDE"?
MHM

Correct. Layer 2 between FW and SW. 
