Check Point CCSE Notes

Following my post on Check Point CCSA exam notes, in this post I’m gonna write notes on the CCSE exam. This time, though, I won’t get into configuration and will try to point out only the more important, real-world-applicable things.

Management Server HA

  • When adding a new Check Point host as a Secondary Management Server, do not Initialize SIC before selecting the Network Policy Management feature!
  • After adding the host, save and install the policy; synchronization will then work.

As a reminder, whenever you reset SIC for a Gateway from the Management Server, it has to be re-initialized on the Gateway via cpconfig; don’t forget to exit cpconfig afterwards!

ClusterXL

Check Point calls its clustering solution ClusterXL. It supports up to 8 cluster members and can be implemented in two main flavors:

  1. Load-sharing
    • Multicast mode: 50/50, very efficient with excellent performance
    • Unicast mode: 70/30, to be used in environments where an intermediate device has issues with the multicast MAC address (IGMP snooping)
  2. High Availability (HA)
    • New Mode: Each member has its own physical IP address
    • Legacy Mode: Both members have the same physical IP address

To make kernel changes permanent, they should be written to $FWDIR/modules/fwkern.conf

BGP Multipath load-sharing in Cisco!

Some years ago I was consulting on a project, and the team there faced an issue with load-sharing the outbound traffic towards different eBGP neighbors from different ASs. They reached out to me and it took me some time to find the solution. Suddenly, while skimming through my documents, I saw it, so I’m gonna share it here too.

When implementing BGP in a Cisco environment, you may want to load-share the outgoing traffic between the multiple next-hops you have. The first command you are probably thinking of is maximum-paths 4, which allows up to 4 different paths to be used.

Yeah, that’s true to some extent, but it requires the following attributes to match:

  • weight
  • local preference
  • AS path
  • origin code
  • MED
  • IGP metric

And of course, the next-hop address of each path must also be different for that path to be considered (imagine multi-homing to the same router).

The catch here is that the router has to receive the routes from the same AS, since the AS path must match.

So, what if we wanna load-share between different eBGP neighbors from different ASs?

This is where an undocumented (unsupported) Cisco command comes to the rescue:

csr1000v(config-router)#bgp bestpath as-path multipath-relax
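To make the eligibility rules above concrete, here is an added example (my own, not from the original post or from Cisco) that models the multipath check with and without the relax knob. The attribute names, the relaxed rule (same AS-path length rather than an identical AS path) and the sample paths are assumptions constructed for illustration.

```python
# Added example, not from the original post: a simplified model of the multipath
# eligibility rules, with and without "bgp bestpath as-path multipath-relax".
# The attribute names, relax semantics (same AS-path length rather than identical
# AS path) and the sample paths below are assumptions constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    next_hop: str
    weight: int
    local_pref: int
    as_path: tuple   # AS numbers, nearest neighbour first
    origin: str      # "i", "e" or "?"
    med: int
    igp_metric: int


def multipath_candidates(best, paths, max_paths=4, as_path_relax=False):
    """Return `best` plus the paths that may be installed alongside it."""
    selected = [best]
    for p in paths:
        if p is best or len(selected) >= max_paths:
            continue
        # Weight, local preference, origin, MED and IGP metric must all match.
        same_attrs = (p.weight, p.local_pref, p.origin, p.med, p.igp_metric) == (
            best.weight, best.local_pref, best.origin, best.med, best.igp_metric)
        if as_path_relax:
            as_ok = len(p.as_path) == len(best.as_path)   # relaxed: length only
        else:
            as_ok = p.as_path == best.as_path             # strict: identical path
        # The next hop must differ from every path already selected.
        unique_nh = all(p.next_hop != s.next_hop for s in selected)
        if same_attrs and as_ok and unique_nh:
            selected.append(p)
    return selected


# Constructed sample: best path via AS 65002, a second eBGP neighbour in AS 65003,
# and a path learned over a second session to the same AS 65002 router (same next hop).
BEST = BgpPath("10.0.12.2", 0, 100, (65002, 65100), "i", 0, 10)
VIA_AS3 = BgpPath("10.0.13.2", 0, 100, (65003, 65100), "i", 0, 10)
SAME_NH = BgpPath("10.0.12.2", 0, 100, (65002, 65100), "i", 0, 10)
```

Without relax only BEST survives (different AS path, duplicate next hop); with relax the AS 65003 path is added while the duplicate next hop is still rejected.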

MPLS Fundamentals: 4 – CEF

Process Switching

Process switching is the slowest of all switching methods. When switching a packet through the router, a Cisco IOS process copies the packet to the CPU memory and looks up the destination IP address in the IP routing table. Based on the outcome of this lookup, the process switches the packet out on a particular interface after it does some housekeeping on the IP header.

Fast Switching

The first packet for a destination that arrives is process switched. The switching of the first packet by the central CPU gives the CPU the opportunity to build a cache. This cache is called the IP fast switching route cache and is used by the interrupt code to switch subsequent packets for the same destination.

If a prefix changes in the routing table, the entry in the fast switching cache is invalidated, and the first packet for a destination has to be process-switched again to build the new entry in the route cache.

Each IP prefix entry in the route cache has an outgoing interface, next hop, and Layer 2 rewrite field. This Layer 2 rewrite (or MAC rewrite) is the information that the router needs to change in the Layer 2 frame header when the frame is rebuilt so that it can be sent on the outgoing interface.
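As an added example (my own toy model, not from the original post or from IOS), the following code plays through the fast-switching route cache described above: the first packet for a destination is process switched and builds a cache entry, later packets hit the cache, and a prefix change invalidates the entries it covers. The routing table, cache layout, class and method names are constructed for illustration.

```python
# Added example, not from the original post: a toy model of the IOS fast-switching
# route cache. The routing table, cache layout, packets and the class/method
# names are constructed for illustration.
import ipaddress


class FastSwitchingRouter:
    def __init__(self, routes):
        # routes: {prefix: (outgoing interface, next hop, Layer 2 rewrite)}
        self.routes = {ipaddress.ip_network(p): e for p, e in routes.items()}
        self.cache = {}            # destination IP -> (iface, next hop, rewrite)
        self.process_switched = 0
        self.fast_switched = 0

    def _route_lookup(self, dst):
        # Longest-prefix match in the routing table: the slow, process-switched path.
        matches = [n for n in self.routes if dst in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def switch(self, dst_ip):
        dst = ipaddress.ip_address(dst_ip)
        if dst in self.cache:
            self.fast_switched += 1    # interrupt code hits the route cache
            return self.cache[dst]
        entry = self._route_lookup(dst)   # first packet: process switched
        self.process_switched += 1
        if entry is not None:
            self.cache[dst] = entry    # build the cache entry for later packets
        return entry

    def update_route(self, prefix, entry):
        # A prefix change invalidates every cache entry covered by that prefix,
        # so the next packet for those destinations is process switched again.
        net = ipaddress.ip_network(prefix)
        self.routes[net] = entry
        for dst in [d for d in self.cache if d in net]:
            del self.cache[dst]


# Constructed routing table: a /16 and a more specific /24.
ROUTES = {
    "10.1.0.0/16": ("Gi0/1", "192.0.2.1", "dst-mac=aa:bb:cc:00:00:01"),
    "10.1.2.0/24": ("Gi0/2", "192.0.2.9", "dst-mac=aa:bb:cc:00:00:09"),
}
```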

GLBP Overview

In this post you’ll read some key points of GLBP and then I’ll invite you to test a sample implementation of GLBP.

GLBP means Gateway Load Balancing Protocol. What an easy definition 😀

It is a VGP (Virtual Gateway Protocol) / FHRP, similar to HSRP and VRRP. It’s one of the strongest kinds of VGPs because it is capable of using multiple physical gateways at the same time.

This protocol attempts to overcome the limitations of existing redundant router protocols by adding basic load balancing functionality.

In addition to being able to set priorities on different gateway routers, GLBP allows a weighting parameter to be set. Based on this weighting (compared to others in the same virtual router group), ARP requests will be answered with MAC addresses pointing to different routers. Thus, load balancing is not based on traffic load, but rather on the number of hosts that will use each gateway router. By default GLBP load-balances in round-robin fashion.

GLBP elects one AVG (Active Virtual Gateway) for each group. The other group members act as backups in case of AVG failure. If there are more than two members, the second-best AVG candidate is placed in the Standby state and all other members are placed in the Listening state. This is monitored using hello and holdtime timers, which are 3 and 10 seconds by default. The elected AVG then assigns a virtual MAC address to each member of the GLBP group, including itself, thus enabling AVFs (Active Virtual Forwarders). Each AVF assumes responsibility for forwarding packets sent to its virtual MAC address. There can be up to four active AVFs at the same time.
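To illustrate the AVG/AVF mechanics above, here is an added example (my own toy model, not from the original post or from IOS): an Active Virtual Gateway that ranks members by priority, assigns each forwarder a virtual MAC, and answers ARP requests round-robin by default or in proportion to member weights. The member names, priorities, weights and the weighted selection rule are constructed assumptions.

```python
# Added example, not from the original post: a toy Active Virtual Gateway that
# assigns AVF virtual MACs and answers ARP requests round-robin (the default) or
# in proportion to member weights. Member names, priorities, weights and the
# weighted selection rule are constructed assumptions, not the IOS implementation.
import itertools
from fractions import Fraction

MAX_AVFS = 4   # at most four active virtual forwarders per GLBP group


class ActiveVirtualGateway:
    def __init__(self, group, members):
        # members: {router: (priority, weight)}; highest priority becomes the AVG
        if not 0 <= group <= 1023:
            raise ValueError("GLBP group must be 0-1023")
        ranked = sorted(members, key=lambda m: members[m][0], reverse=True)
        self.avg = ranked[0]
        self.standby = ranked[1] if len(ranked) > 1 else None
        self.listening = ranked[2:]
        # The AVG assigns each forwarder (itself included) a virtual MAC of the
        # form 0007.b4xx.xxyy: xxxx = group number, yy = forwarder number 1..4.
        self.avfs = {}
        for i, m in enumerate(ranked[:MAX_AVFS], start=1):
            raw = f"0007b4{group:04x}{i:02x}"
            self.avfs[m] = ".".join(raw[j:j + 4] for j in (0, 4, 8))
        self.weights = {m: members[m][1] for m in self.avfs}
        self.served = {m: 0 for m in self.avfs}   # ARP replies handed out per AVF
        self._round_robin = itertools.cycle(self.avfs)

    def answer_arp(self, weighted=False):
        """Pick the AVF whose virtual MAC goes into the reply for one ARP request."""
        if weighted:
            # Choose the forwarder with the smallest replies-to-weight ratio, so
            # hosts are spread in proportion to weight rather than traffic load.
            name = min(self.avfs, key=lambda m: Fraction(self.served[m] + 1, self.weights[m]))
        else:
            name = next(self._round_robin)
        self.served[name] += 1
        return name, self.avfs[name]
```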
