VSX R75.40VS Networking

[Restricted] ONLY for designated groups and individuals 2012 Check Point Software Technologies Ltd.
Course Timetables

Three days, 9:00 to 17:00, with a lunch break at 13:00. The timetable grid did not survive extraction; the sessions are listed below by time slot in the order the slide shows them (Day 1, Day 2, Day 3 where all three are present):

9:00   Course Introduction | VSX Clustering | VSX Conversion
10:00  R75.40VS VSX Introduction | RC & QoS | vsx_util
11:00  VSX Gaia | VS CTX & New Features (Conversion, SNMP, JF)
12:00  Mgmt. Implementation | L2 VS
13:00  Lunch Break
14:00  VSX Networking | GW Implementation
15:00  Meeting with Check Point R&D
16:00  VSX CoreXL Affinity & Memory | Debug & Troubleshooting | RC
VSX features

- Overlapping IP space support
- Inter-VS Routing
- Unnumbered Interfaces
- Routes Propagation
- NAT in VSX
- Source-Based Routing
Overlapping IP space support

- Each Virtual Device provides end-to-end separation of network and security infrastructure.
- VSX supports protected networks with overlapping IP spaces.
- VSX facilitates connectivity of overlapping IP spaces.

Diagram: Internet, MPLS Core, and Customers A, B, C and D, each using the same address space 10.10.10.0/24.
Inter-VS Routing

- Both Web and Application Servers require services from the Database Servers.
- Each service requires different security handling.
- Each VS handles the specific security requirements of its segment.
- Virtual Switches and Routers facilitate inter-VS connectivity.

Diagram: Web Servers, Application Servers and Database Servers, each segment behind its own Virtual System, interconnected through a Virtual Switch and a Virtual Router over 802.1q trunks.
Unnumbered interfaces

- In order to reduce the number of IPs used in a VSX configuration, a Virtual System, when connected to a Virtual Router, can use the same IP for multiple interfaces.
- The external VS interface's IP acts as the next hop for the VR.
- Warp links are point-to-point connections; leaving them unnumbered reduces the system's overall IP address count.
- Unnumbered interfaces borrow an IP address from one of the VS's interfaces.

Diagram: four Virtual Systems with external addresses 192.168.1.1, 172.169.1.1, 192.150.2.1 and 200.128.4.1; the warp link from each VS to the Virtual Router reuses the same address, and each VS also has an internal interface.
Unnumbered interfaces limitations

Limitations when configuring an interface as unnumbered:

- The interface must be connected to a Virtual Router.
- In order to use VPN or NAT hide behind the interface address, the borrowed address must be routable.
- Only warp interfaces which lead to a VR (not a VSW) can borrow an IP address.
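As an added example (not code from the course or from Check Point), the following Python check enforces the three limitations above on a simple configuration model. The class and field names are constructed, and "routable" is interpreted as "covered by a route on the adjacent Virtual Router", which is this example's assumption rather than the slide's definition.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Added example (not Check Point code): a configuration check for the three
# unnumbered-interface limitations listed on the slide. Class and field names
# are constructed for this illustration. "Routable" is modelled as "some route
# on the adjacent Virtual Router covers the borrowed address"; that
# interpretation is an assumption, not a statement from the slide.


@dataclass
class VSInterface:
    name: str          # e.g. "eth1" (external) or "eth2" (internal)
    address: str       # IPv4 address assigned to the interface


@dataclass
class WarpInterface:
    name: str                          # VS side of the warp link, e.g. "wrp1"
    leads_to: str                      # "VR" or "VSW"
    unnumbered: bool = False
    borrows_from: Optional[str] = None  # name of the VS interface lending its IP


@dataclass
class VirtualSystem:
    name: str
    interfaces: List[VSInterface]
    warps: List[WarpInterface] = field(default_factory=list)
    vpn: bool = False                        # VPN configured on this VS
    nat_hide_behind_interface: bool = False  # NAT hide behind interface address


def validate_unnumbered(vs: VirtualSystem, vr_routes: List[str]) -> List[str]:
    """Return the list of limitation violations (empty means the VS passes).

    vr_routes are the destination prefixes known to the Virtual Router the
    warp link leads to; they decide whether a borrowed address is routable.
    """
    problems: List[str] = []
    own = {i.name: ipaddress.ip_address(i.address) for i in vs.interfaces}
    covered = [ipaddress.ip_network(p, strict=False) for p in vr_routes]

    for w in vs.warps:
        if not w.unnumbered:
            continue
        tag = f"{vs.name}/{w.name}"
        # Limitations 1 and 3: only a warp link to a Virtual Router may be unnumbered.
        if w.leads_to != "VR":
            problems.append(f"{tag}: unnumbered warp interface must lead to a VR, not a {w.leads_to}")
        # The borrowed address has to come from one of this VS's own interfaces.
        if w.borrows_from not in own:
            problems.append(f"{tag}: borrows from unknown interface {w.borrows_from!r}")
            continue
        # Limitation 2: VPN or NAT hide behind the interface needs a routable address.
        if vs.vpn or vs.nat_hide_behind_interface:
            addr = own[w.borrows_from]
            if not any(addr in net for net in covered):
                problems.append(f"{tag}: borrowed address {addr} is not routable from the VR")
    return problems


# Constructed sample: a VS whose warp link to the VR borrows its external IP
# (192.168.1.1 appears on the previous slide) and uses NAT hide behind it.
SAMPLE_VS = VirtualSystem(
    name="VS1",
    interfaces=[VSInterface("eth1", "192.168.1.1"), VSInterface("eth2", "10.1.1.1")],
    warps=[WarpInterface("wrp1", "VR", unnumbered=True, borrows_from="eth1")],
    nat_hide_behind_interface=True,
)
SAMPLE_VR_ROUTES = ["192.168.1.0/24", "10.1.1.0/24"]   # constructed VR routing table

if __name__ == "__main__":
    for line in validate_unnumbered(SAMPLE_VS, SAMPLE_VR_ROUTES) or ["OK"]:
        print(line)
```

Run against a VS whose warp link leads to a Virtual Switch, or whose borrowed address no VR route covers, the function returns one message per violated limitation, which is the shape a pre-deployment configuration check wants.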
Routes Propagation

- NOT dynamic routing.
- Routes can be propagated to adjacent Virtual Devices.
- Updates the routing tables of Virtual Devices with minimal effort.
- Requires the VS to be connected to a VR or VSW.

Diagram: a Virtual System adjacent to a Virtual Router and a Virtual Switch.
Propagating routes to Virtual Router

If a Virtual System is connected to a Virtual Router, the routes are propagated from the VS to the VR in the following way:

Route on the VS            Propagated route on the VR
Destination: SUBNET        Destination: SUBNET
Next Hop: GW               Next Hop: wrpj interface connecting the VR to the VS
Propagating routes through Virtual Switch

If several Virtual Systems are connected to a Virtual Switch, the routes are propagated from one VS to the other VSs in the following way:

Original route on the VS   Propagated route on the other VSs
Destination: SUBNET        Destination: SUBNET
Next Hop: GW               Next Hop: IP of the wrp interface connecting the propagator VS to the VSW
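The two propagation rules (VS to VR on the previous slide, VS to other VSs through a VSW on this one), as an added Python model that is not part of the course material: Route, VirtualSystem and the helper functions are constructed names, and the addresses and warp interface names are sample values.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example (not Check Point code): a small model of the two propagation
# rules on the slides above. Route and VirtualSystem are constructed names;
# addresses and interface names below are sample values.


@dataclass(frozen=True)
class Route:
    destination: str   # SUBNET, e.g. "10.1.1.0/24"
    next_hop: str      # GW address, or a warp interface name / address after propagation


@dataclass
class VirtualSystem:
    name: str
    routes: List[Route]   # routes configured on the VS and marked for propagation
    wrp_ip: str           # IP of the VS-side warp interface (wrp) toward the VSW
    vr_wrpj: str          # name of the VR-side warp interface (wrpj) facing this VS


def propagate_to_vr(vs: VirtualSystem) -> List[Route]:
    """VS -> VR: keep the destination, replace the next hop with the wrpj
    interface that connects the VR to this VS."""
    return [Route(r.destination, vs.vr_wrpj) for r in vs.routes]


def propagate_via_vsw(propagator: VirtualSystem,
                      peers: List[VirtualSystem]) -> Dict[str, List[Route]]:
    """VS -> VSW -> other VSs: keep the destination, replace the next hop with
    the IP of the propagator's wrp interface on the shared Virtual Switch.
    Returns the routes each peer VS receives, keyed by peer name."""
    learned = [Route(r.destination, propagator.wrp_ip) for r in propagator.routes]
    return {p.name: list(learned) for p in peers if p.name != propagator.name}


def vr_table_after_propagation(vss: List[VirtualSystem]) -> List[Route]:
    """Routes a Virtual Router ends up with after every connected VS propagates."""
    table: List[Route] = []
    for vs in vss:
        table.extend(propagate_to_vr(vs))
    return table


# Constructed sample: three Virtual Systems sharing a Virtual Switch on
# 192.168.50.0/24, each also attached to a Virtual Router via wrpj1..3.
VS1 = VirtualSystem("VS1", [Route("10.50.50.0/24", "10.50.50.2")], "192.168.50.1", "wrpj1")
VS2 = VirtualSystem("VS2", [Route("10.1.1.0/24", "10.1.1.2")], "192.168.50.2", "wrpj2")
VS3 = VirtualSystem("VS3", [Route("10.100.100.0/24", "10.100.100.2")], "192.168.50.3", "wrpj3")

if __name__ == "__main__":
    print("VR table:", vr_table_after_propagation([VS1, VS2, VS3]))
    print("Learned via VSW from VS1:", propagate_via_vsw(VS1, [VS1, VS2, VS3]))
```

The point the model makes visible is that the destination never changes; only the next hop is rewritten to whatever interface leads back toward the propagating VS, an interface name on a VR and an IP address on a VSW.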
Routes Propagation

Simple and easy configuration through the Interface properties of the VS.

Screenshots: propagating a manual route; propagating an automatic route.
Network Address Translation in VSX

- Virtual Systems support NAT: Hide and Static.
- Some configuration is required when the VS is connected to a Virtual Router.
Network Address Translation in VSX

- NATed address ranges should be defined on a Virtual System in the Topology page > NAT Addresses... dialog.
- The ranges are converted to routes and automatically propagated.
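An added example (not Check Point code) of what "converted to routes" involves: an inclusive address range is summarised into CIDR prefixes, each prefix becomes a route whose next hop is the VS's warp interface (assumed here to follow the VS-to-VR propagation rule from the earlier slide), and a check flags NAT ranges from different Virtual Systems that overlap, since the peer device would otherwise receive conflicting routes. Function names are constructed; the range 4.0.0.2 to 4.0.0.9 is taken from the next slide and the second range is a constructed sample.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example (not Check Point code): turns NAT address ranges into the
# prefix routes that get propagated, and flags ranges that overlap between
# Virtual Systems attached to the same Virtual Device. Function names are
# constructed; the next-hop naming follows the VS -> VR rule (assumption).


def nat_range_to_routes(first: str, last: str, next_hop: str) -> List[Tuple[str, str]]:
    """Summarise an inclusive address range into the minimal set of CIDR
    prefixes, each becoming a (destination, next_hop) route."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range start {first} is after end {last}")
    return [(str(net), next_hop) for net in ipaddress.summarize_address_range(lo, hi)]


def propagated_nat_routes(nat_ranges: Dict[str, List[Tuple[str, str]]],
                          warp_of: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Collect (vs, destination, next_hop) for every VS's ranges; the next hop
    is the warp interface facing that VS on the Virtual Router."""
    out: List[Tuple[str, str, str]] = []
    for vs, ranges in nat_ranges.items():
        for first, last in ranges:
            for dest, hop in nat_range_to_routes(first, last, warp_of[vs]):
                out.append((vs, dest, hop))
    return out


def overlapping_nat_routes(routes: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Pairs of routes from different VSs whose NAT prefixes overlap: the peer
    device would receive two conflicting routes for the same addresses."""
    conflicts: List[Tuple[str, str]] = []
    for i, (vs_a, dest_a, _) in enumerate(routes):
        for vs_b, dest_b, _ in routes[i + 1:]:
            if vs_a != vs_b and ipaddress.ip_network(dest_a).overlaps(ipaddress.ip_network(dest_b)):
                conflicts.append((f"{vs_a}:{dest_a}", f"{vs_b}:{dest_b}"))
    return conflicts


# Constructed sample input: VS1's range is the one drawn on the next slide,
# VS2's range deliberately overlaps it at 4.0.0.8-4.0.0.9.
NAT_RANGES = {
    "VS1": [("4.0.0.2", "4.0.0.9")],
    "VS2": [("4.0.0.8", "4.0.0.15")],
}
WARP_OF = {"VS1": "wrpj1", "VS2": "wrpj2"}   # VR-side warp interface per VS

if __name__ == "__main__":
    routes = propagated_nat_routes(NAT_RANGES, WARP_OF)
    for r in routes:
        print(r)
    print("conflicts:", overlapping_nat_routes(routes))
```

A range that is not prefix-aligned expands to several routes (4.0.0.2 to 4.0.0.9 becomes /31, /30 and /31), which is worth knowing when reading the propagated routing table on the VR.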
Network Address Translation in VSX

- Virtual System connected to a Virtual Switch: same behavior as regular interfaces.

Diagram: a Virtual System with interface address 4.0.0.1 connected to a Virtual Switch, with NAT address pairs 4.0.0.2 / 192.168.8.1 and 4.0.0.9 / 192.168.8.9.
Source-Based Routing

- VSX includes advanced routing capabilities (policy-based routing), which enable the definition of source-based routing rules on Virtual Routers.
- Advanced routing enables routing according to the source IP address or a combination of source and destination IP addresses.
- Advanced routing rules take precedence over ordinary routing decisions (both static and dynamic).
Source-Based Routing

- Useful in cases where no VLAN tagging is used.
- Each VS is connected to an Internal Virtual Router.
- The VR forwards traffic based on the source IP address.

Diagram: Internet; External Virtual Router (EVR) with 192.168.35.1 and 192.168.35.4; VS1, VS2 and VS3 on the VSX Gateway with 192.168.1.1, 192.168.1.2 and 192.168.1.3 toward the EVR; Internal Virtual Router (IVR) with 192.168.50.4 and 192.168.50.1 performing source-based routing for the internal networks 10.50.50.2/24, 10.1.1.2/24 and 10.100.100.2/24.
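An added Python model (not Check Point code) of the precedence rule described on the two slides above: a Virtual Router first consults its source-based rules, choosing the most specific matching source (and destination, when the rule names one), and only then falls back to longest-prefix matching on its ordinary routes. The sample IVR uses the diagram's addresses, but which internal network is steered to which Virtual System, the next-hop addresses and the extra source-plus-destination rule are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Check Point code): a Virtual Router that applies
# source-based (policy) rules before its ordinary routing table. Names are
# constructed. The subnet-to-VS mapping and next hops are assumed from the
# diagram labels, not stated by the slide.


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    next_hop: str


@dataclass(frozen=True)
class SourceRule:
    source: ipaddress.IPv4Network
    next_hop: str
    destination: Optional[ipaddress.IPv4Network] = None   # optional src+dst combination


class VirtualRouter:
    def __init__(self, routes: List[Route], rules: List[SourceRule]):
        self.routes = routes   # ordinary static/dynamic routes
        self.rules = rules     # advanced (policy-based) routing rules

    def ordinary_lookup(self, dst: ipaddress.IPv4Address) -> Optional[str]:
        """Longest-prefix match over the ordinary routing table."""
        best: Optional[Route] = None
        for r in self.routes:
            if dst in r.destination and (best is None or r.destination.prefixlen > best.destination.prefixlen):
                best = r
        return best.next_hop if best else None

    def forward(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Advanced rules take precedence; among matching rules the most specific
        source (then destination) wins. Otherwise fall back to the ordinary table."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        matching = [r for r in self.rules
                    if src in r.source and (r.destination is None or dst in r.destination)]
        if matching:
            best = max(matching, key=lambda r: (r.source.prefixlen,
                                                r.destination.prefixlen if r.destination else -1))
            return best.next_hop
        return self.ordinary_lookup(dst)


# Constructed sample modelled on the diagram: the Internal Virtual Router hands
# each internal network to "its" Virtual System (next hops 192.168.50.1-3).
IVR = VirtualRouter(
    routes=[Route(net("0.0.0.0/0"), "192.168.50.1"),            # ordinary default via VS1
            Route(net("192.168.50.0/24"), "direct")],            # connected segment
    rules=[SourceRule(net("10.50.50.0/24"), "192.168.50.1"),    # -> VS1
           SourceRule(net("10.1.1.0/24"), "192.168.50.2"),      # -> VS2
           SourceRule(net("10.100.100.0/24"), "192.168.50.3"),  # -> VS3
           # src+dst combination: one host of VS2's network is steered via VS3
           # when it talks to the EVR-side network (constructed rule)
           SourceRule(net("10.1.1.2/32"), "192.168.50.3", net("192.168.35.0/24"))],
)

if __name__ == "__main__":
    for s, d in [("10.1.1.50", "203.0.113.10"), ("10.1.1.2", "192.168.35.1"),
                 ("172.16.0.5", "203.0.113.10")]:
        print(f"{s} -> {d}: via {IVR.forward(s, d)}")
```

Because the rules are evaluated before the routing table, a host outside every source rule (172.16.0.5 in the sample) silently takes the ordinary default route through VS1; when the intent is that only known internal networks reach a Virtual System, that fall-through is the case to check.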
Deployment scenarios

- Inter-VS connectivity, without an external connection.
- Source-based routing with Virtual Switches.
- Allowing a customer to manage its security.
- Non-DMI replacement.
Inter-VS connectivity, without an external connection

- Interconnect Virtual Systems.
- No shared interface.
- Only allowed with a VSW.

Diagram: Virtual Systems interconnected through a Virtual Switch.
Source-based routing with Virtual Switches

- Another way of using a single physical interface without VLAN tagging to connect to several protected networks is by connecting the Virtual Systems using a Virtual Switch.
- Source-based routing should be performed by an external Router.
- The Router uses source-based routing to forward traffic to the relevant Virtual System based on the source IP address.

Diagram: Internet side with 192.168.35.1, 192.168.35.2 and 192.168.35.3 behind 192.168.35.4; VS1, VS2 and VS3 on the VSX Gateway with 192.168.50.1, 192.168.50.2 and 192.168.50.3 on a Virtual Switch; external Router 192.168.50.4 performing source-based routing for 10.50.50.2/24, 10.1.1.2/24 and 10.100.100.2/24.
Allowing Customer to manage its security #1

- MSP model: customers want to manage their own security policy.
- Configure routing on the VS, on the VSX gateway and on the management.
- Set policy to allow CPMI and FW connections.

Diagram: Internet; VSX gateway with a Management interface and a management VS; Virtual Switch; P-1 management; the customer's SmartDashboard.
Allowing Customer to manage its security #2

- Another solution to the same problem.
- The VSW is directly connected to the mgmt network.
- Configure routing on the VS and on the management server.
- Policy changes are required only on the VS.

Diagram: Internet; VSX gateway with a Management interface and a management VS; Virtual Switch attached to the management network; P-1 management; SmartDashboard.
Non DMI Replacement

Non-Dedicated Management Interface: the VSX gateway uses a single Management + External interface toward the Internet.
Dedicated Management Interface: the VSX gateway has a separate External interface and Management interface.

- Check Point recommends not to use Non-DMI deployments.
- The dedicated-interface layout above is a more elegant solution for this need.
Thank you!
Please proceed to labs 2 and 3.