Working on Checkpoint Cluster XL Load Sharing configuration, and found one blog post from Technopath LLC regarding Cisco switch configuration. It should be helpful for my next step.

The topology like this:

capture2.png?resize=467%2C640capture2.png?resize=467%2C640

  1. Configure the following command on the internal router (usually it is layer 3 switch and 0100.5e16.0de2 is Internal Checkpoint VIP Multicast Mac Address):
  •  arp 192.168.20.2 0100.5e16.0de2 arpa  
Configure the following commands on the internal switch where the port numbers shown below are the port numbers to which your firewall interfaces are connected:
  • mac address-table static 0100.5e16.0de2 vlan 10 interface gi1/0/2 gi1/0/3 gi1/0/4
  • no ip igmp snooping vlan 10
The multicast mac address of the firewall cluster’s internal VIP (shown above in the commands) is obtained by looking at the topology information of the cluster in the SmartDashboard and clicking on the edit option for the cluster IP and then clicking on the advanced button. That should show you the mulitcast MAC address. Checkpoint has an sk technote which shows a different way of getting the MAC address using the cphaconf debug_data command on the command line. This DOES NOT work as it gives you the wrong MAC address. The same configuration commands (with the correct IP and MAC for the external cluster) are performed on the external router pointing to the external VIP (0100.5e16.0de3 is Checkpoint External VIP Multicast Mac Address):
  •  arp 192.168.15.2 0100.5e16.0de3 arpa
And the same configuration command on the external switch:
  • mac address-table static 0100.5e16.0de3 vlan 20 interface gi1/0/5 gi1/0/6 gi1/0/7
  • no ip igmp snooping vlan 20