Checkpoint Cluster inside to PA5060 Internet Border pathway

Reply
L0 Member

Checkpoint Cluster inside to PA5060 Internet Border pathway

Anyone with experience with this, please make comments:

Will the 5060 will forward traffic with a multicast destination MAC address and unicast IP address?

The traffic from the Checkpoints to the Internet VRF should be unicast MAC addresses, but the traffic from the Internet VRF to the Checkpoints will be using a MAC address  which is a group/multicast MAC address.  This is a requirement of the load sharing cluster on the Checkpoint.   The easiest way to put the PAN inline is to do layer-2 between the Checkpoints and the PAN.  Basically we’d move the interface on the Internet VRF to a new VLAN and use the PAN to bridge it to the new VLAN. 

We would certainly like to hear from anyone who has put a PAN upstream of their enterprise Checkpoint cluster and how it worked out.

Thanks.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!