Check Point CCSE Notes

Following my post on Check Point CCSA Exam notes, in this post I'm gonna write notes on the CCSE exam, though this time I won't go into configuration and will only point out the more important and real-world-applicable things.

Management Server HA

  • When adding a new Check Point host as a Secondary Management Server, do not initialize SIC before selecting the Network Policy Management feature!
  • After adding the host, save and install the policy; synchronization will then work.

As a reminder, whenever you reset SIC for a Gateway from the Management Server, it must be re-initialized on the Gateway with cpconfig; don't forget to exit cpconfig afterwards!

ClusterXL

Check Point calls its clustering solution ClusterXL. It supports up to 8 cluster members and can be implemented in two main flavors:

  1. Load-sharing
    • Multicast mode: 50/50 split, very efficient with excellent performance
    • Unicast mode: 70/30 split, to be used in environments where an intermediate device has issues with multicast MAC addresses (IGMP Snooping)
  2. High Availability (HA)
    • New Mode: each member has its own physical IP address
    • Legacy Mode: both members share the same physical IP address

To make kernel parameter changes permanent, write them to $FWDIR/modules/fwkern.conf.


BGP Multipath load-sharing in Cisco!

Some years ago I was consulting on a project where the team faced an issue with load-sharing the outbound traffic towards different eBGP neighbors from different ASs. They reached out to me and it took me some time to find the solution. Recently I was skimming through my documents and saw it again, so I'm gonna share it here too.

When implementing BGP in a Cisco environment, you may want to load-share the outgoing traffic between the multiple next-hops you have. The first command you probably think of is maximum-paths 4, which allows up to 4 different paths to be used.

Yeah, that's somewhat true, but it requires the following attributes to match across the paths:

  • weight
  • local preference
  • AS path
  • origin code
  • MED
  • IGP metric

And of course, the next-hop address of each path must be different for that path to be considered (think of multi-homing to the same router).

The point here is that the router has to receive the routes from the same AS.

So, what if we wanna load-share between different eBGP neighbors from different ASs?

This is where an undocumented (unsupported) Cisco command comes to the rescue:

csr1000v(config-router)#bgp bestpath as-path multipath-relax
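To make the eligibility rules above concrete, here is a small Python model of BGP multipath selection, added as an illustration and not part of the original post or of any Cisco code. It assumes the best path has already been chosen (it is simply the first path in the list), that the compared attributes are exactly the six listed above plus a distinct next hop, and that with as-path multipath-relax the AS paths only need the same length rather than identical contents. All neighbor ASNs, next-hop addresses and attribute values are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    """One candidate path for a prefix, carrying the attributes that
    multipath eligibility compares (constructed sample data, not router output)."""
    next_hop: str
    as_path: tuple          # e.g. (65010, 65099): neighbor AS first, origin AS last
    weight: int = 0
    local_pref: int = 100
    origin: str = "i"       # i = IGP, e = EGP, ? = incomplete
    med: int = 0
    igp_metric: int = 0

    def multipath_attrs(self):
        # Everything except AS path and next hop must match the best path exactly.
        return (self.weight, self.local_pref, self.origin, self.med, self.igp_metric)


def multipath_candidates(paths, maximum_paths=4, as_path_multipath_relax=False):
    """Return the paths that would be installed for load-sharing.

    paths[0] is taken to be the best path. Without relax, a candidate needs an
    identical AS path (hence the same neighboring AS); with relax, only the
    AS-path length has to match. Each installed path needs a distinct next hop.
    """
    best = paths[0]
    chosen = [best]
    used_next_hops = {best.next_hop}
    for p in paths[1:]:
        if len(chosen) >= maximum_paths:
            break
        if p.multipath_attrs() != best.multipath_attrs():
            continue
        if as_path_multipath_relax:
            if len(p.as_path) != len(best.as_path):
                continue
        elif p.as_path != best.as_path:
            continue
        if p.next_hop in used_next_hops:
            continue
        chosen.append(p)
        used_next_hops.add(p.next_hop)
    return chosen


# Constructed scenario: one prefix originated by AS 65099, learned over
# several eBGP neighbors from different ASs.
EXAMPLE_PATHS = [
    # Best path, via neighbor AS 65010
    BgpPath(next_hop="192.0.2.1", as_path=(65010, 65099)),
    # Same AS-path length, different neighbor AS: eligible only with relax
    BgpPath(next_hop="198.51.100.1", as_path=(65020, 65099)),
    # Longer AS path: never eligible, relaxed or not
    BgpPath(next_hop="203.0.113.1", as_path=(65030, 65040, 65099)),
    # Same AS-path length, but the next hop is already in use by the best path
    BgpPath(next_hop="192.0.2.1", as_path=(65050, 65099)),
    # Identical AS path but a different local preference: excluded in both modes
    BgpPath(next_hop="192.0.2.9", as_path=(65010, 65099), local_pref=90),
]


def next_hops(paths, **kwargs):
    """Convenience wrapper returning just the next hops that would be installed."""
    return [p.next_hop for p in multipath_candidates(paths, **kwargs)]


if __name__ == "__main__":
    print("default:         ", next_hops(EXAMPLE_PATHS))
    print("multipath-relax: ", next_hops(EXAMPLE_PATHS, as_path_multipath_relax=True))
```

Running it shows why the original command alone did not help the team: without the relax knob only the best path is installed, because the second neighbor's AS path differs even though it is the same length; with it, both next hops are used, while the longer path and the duplicate next hop are still excluded.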

MPLS Fundamentals: 4 – CEF

Process Switching

Process switching is the slowest of all switching methods. When switching a packet through the router, a Cisco IOS process copies the packet to the CPU memory and looks up the destination IP address in the IP routing table. Based on the outcome of this lookup, the process switches out the packet on a particular interface after it does some housekeeping on the IP header.

Fast Switching

The first packet for a destination that arrives is process switched. The switching of the first packet by the central CPU gives the CPU the opportunity to build a cache. This cache is called the IP fast switching route cache and is used by the interrupt code to switch subsequent packets for the same destination.

If a prefix changes in the routing table, the entry in the fast switching cache is invalidated, and the first packet for a destination has to be process-switched again to build the new entry in the route cache.

Each IP prefix entry in the route cache has an outgoing interface, next hop, and Layer 2 rewrite field. This Layer 2 rewrite (or MAC rewrite) is the information that the router needs to change in the Layer 2 frame header when the frame is rebuilt so that it can be sent on the outgoing interface.
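The interplay between process switching, the fast switching cache and cache invalidation is easier to see in code. The following Python model is an added illustration, not taken from the book or from IOS: the routing table, interface names, next hops and MAC addresses are constructed sample data, the slow path is a longest-prefix match over the whole table, and the cache is keyed per destination address and holds exactly the three fields the paragraph lists (outgoing interface, next hop, Layer 2 rewrite).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteEntry:
    """A routing-table entry plus the Layer 2 rewrite needed to forward on it."""
    prefix: ipaddress.IPv4Network
    next_hop: str
    out_iface: str
    l2_rewrite: str   # destination MAC written into the rebuilt frame header


def make_entry(prefix, next_hop, out_iface, l2_rewrite):
    """Helper so callers can pass the prefix as a string."""
    return RouteEntry(ipaddress.ip_network(prefix), next_hop, out_iface, l2_rewrite)


class Router:
    def __init__(self, routes):
        self.routing_table = list(routes)
        self.fast_cache = {}                  # destination IP -> RouteEntry
        self.stats = {"process": 0, "fast": 0}

    def process_switch(self, dst):
        """Slow path: the CPU walks the full routing table (longest prefix wins)."""
        self.stats["process"] += 1
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routing_table if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def forward(self, dst):
        """Fast path first; on a miss, process-switch and populate the cache."""
        entry = self.fast_cache.get(dst)
        if entry is not None:
            self.stats["fast"] += 1
            return entry
        entry = self.process_switch(dst)
        if entry is not None:
            self.fast_cache[dst] = entry      # subsequent packets hit the cache
        return entry

    def update_route(self, new_entry):
        """Replace (or add) a prefix and invalidate cache entries it affects.

        Any cached destination covered by the changed prefix is dropped, so the
        next packet to it is process-switched again and rebuilds the entry.
        Returns the number of invalidated cache entries.
        """
        self.routing_table = [r for r in self.routing_table
                              if r.prefix != new_entry.prefix]
        self.routing_table.append(new_entry)
        stale = [d for d in self.fast_cache
                 if ipaddress.ip_address(d) in new_entry.prefix]
        for d in stale:
            del self.fast_cache[d]
        return len(stale)


def build_demo_router():
    """Constructed routing table: a default route plus one more-specific prefix."""
    return Router([
        make_entry("0.0.0.0/0",   "192.168.1.1", "Gi0/0", "00:00:5e:00:53:00"),
        make_entry("10.1.0.0/16", "192.168.1.2", "Gi0/1", "00:00:5e:00:53:01"),
    ])


if __name__ == "__main__":
    r = build_demo_router()
    for _ in range(3):
        e = r.forward("10.1.1.5")
        print("10.1.1.5 ->", e.out_iface, e.next_hop, e.l2_rewrite, r.stats)
    # The prefix moves to another next hop: cache entry invalidated, slow path again.
    n = r.update_route(make_entry("10.1.0.0/16", "192.168.2.2", "Gi0/2", "00:00:5e:00:53:02"))
    print("invalidated", n, "cache entries")
    e = r.forward("10.1.1.5")
    print("10.1.1.5 ->", e.out_iface, e.next_hop, e.l2_rewrite, r.stats)
```

The counters make the cost model visible: of three packets to the same destination only the first is process-switched, and after the prefix changes the very next packet takes the slow path once more before the cache is warm again.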
