VSX Routing Concepts

Note - Security Groups in Maestro and Scalable Chassis do not support Virtual Routers (Known Limitation 01413513).

Routing Overview

The traffic routing features in VSX network topologies are analogous to those available for physical networks. (VSX, Virtual System Extension, is the Check Point virtual networking solution, hosted on a computer or cluster, with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts.)

This section discusses several routing features and strategies as they apply to a VSX environment.

Routing Between Virtual Systems

Virtual Routers and Virtual Switches can be used to send traffic between networks located behind Virtual Systems, much in the same way as their physical counterparts.

The figure below shows an example of how Virtual Systems, connected to a Virtual Switch (a Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical switch; acronym: VSW) and to a physical VLAN switch, communicate with each other.

In this example, a host in VLAN 100 sends data to a server located in VLAN 200.

  1. Traffic from the VLAN 100 host arrives at the VLAN switch, which inserts a VLAN tag and sends it to the VSX Gateway by way of a VLAN trunk.

  2. Based on its VLAN tag, the VSX Gateway assigns the traffic to the Virtual System named VS1.

  3. VS1 inspects the traffic according to its security policy (the collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection). Based on its routing configuration, VS1 sends the traffic to VS2 by way of the Virtual Switch.

  4. VS2 inspects the traffic according to its own security policy, inserts a VLAN tag, and sends it back to the VLAN switch.

  5. The VLAN switch sends the traffic to the server located on VLAN 200.
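The following is an added example, not code from the page or from Check Point, that models steps 1 to 5 above in Python: it builds a constructed 802.1Q-tagged frame, uses the VLAN ID to select the Virtual System, runs each Virtual System's (assumed, minimal) policy, and routes VS1 to VS2 through the Virtual Switch before retagging for the server's VLAN. The VLAN-to-VS mapping, subnets, addresses and policy rules are all assumptions made for the example; the point it adds is that the tag, not the IP header, decides which Virtual System's policy applies.

```python
import struct
import ipaddress

# Constructed sample topology (not from the page): which VLAN each Virtual System
# serves, the subnet behind it, and a minimal per-VS policy of allowed (src, dst) nets.
VLAN_TO_VS = {100: "VS1", 200: "VS2"}
VS_NETWORKS = {"VS1": ipaddress.ip_network("10.1.0.0/24"),
               "VS2": ipaddress.ip_network("10.2.0.0/24")}
VS_POLICY = {"VS1": [("10.1.0.0/24", "10.2.0.0/24")],
             "VS2": [("10.1.0.0/24", "10.2.0.0/24")]}
TPID_8021Q = 0x8100


def build_frame(vlan_id, src_ip, dst_ip):
    """Constructed Ethernet II frame with an 802.1Q tag and a stub IPv4 header
    (only the fields this example reads are filled in)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)      # PCP/DEI = 0
    ipv4 = (bytes([0x45]) + bytes(11)
            + ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed)
    return eth + tag + struct.pack("!H", 0x0800) + ipv4


def parse_frame(frame):
    """Return (vlan_id, src, dst); reject frames that arrive untagged on the trunk."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame on VLAN trunk")
    ip = frame[18:]
    return tci & 0x0FFF, ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])


def inspect(vs, src, dst):
    """Apply the Virtual System's policy; anything not explicitly allowed is dropped."""
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in VS_POLICY[vs])


def owner_of(dst):
    """Routing decision toward the Virtual Switch: which VS protects the destination."""
    return next((vs for vs, net in VS_NETWORKS.items() if dst in net), None)


def forward(frame):
    """Walk a frame through steps 1-5. Returns the list of hops, or None when no VS
    owns the VLAN, a policy drops the packet, or the destination is unknown."""
    vlan, src, dst = parse_frame(frame)
    vs_in = VLAN_TO_VS.get(vlan)
    if vs_in is None:
        return None
    hops = [f"trunk:vlan{vlan}", vs_in]            # step 2: the tag selects the VS
    if not inspect(vs_in, src, dst):               # step 3: ingress VS policy
        return None
    vs_out = owner_of(dst)
    if vs_out is None:
        return None
    if vs_out == vs_in:                            # destination is behind the same VS
        return hops + ["local"]
    hops += ["VSW", vs_out]                        # step 3: VS1 -> Virtual Switch -> VS2
    if not inspect(vs_out, src, dst):              # step 4: egress VS policy
        return None
    out_vlan = next(v for v, name in VLAN_TO_VS.items() if name == vs_out)
    return hops + [f"trunk:vlan{out_vlan}"]        # step 4/5: retag for the server's VLAN


if __name__ == "__main__":
    print(forward(build_frame(100, "10.1.0.10", "10.2.0.20")))
```

Note that the packet is inspected twice, once by each Virtual System it crosses; a rule that exists only in VS1's policy does not let the traffic through VS2.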

Route Propagation

When a Virtual System is connected to a Virtual Router (a Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical router; acronym: VR) or to a Virtual Switch, you can choose to propagate its routing information to adjacent Virtual Devices.

This feature enables network nodes located behind neighboring Virtual Systems to communicate without the need for manual configuration.

Route propagation works by automatically updating Virtual Device routing tables with routes leading to the appropriate Virtual Systems. (A Virtual Device is a logical object that emulates the functionality of a type of physical network object; it can be one of these: Virtual Router, Virtual System, or Virtual Switch.)

Route Propagation using a Virtual Router

When Virtual Systems are connected to a Virtual Router, VSX propagates routes by automatically adding entries to the routing table contained in the Virtual Router.

Each entry contains a route pointing to the destination subnet using the Virtual System router-side Warp Interface (wrpj) as the next hop.

Route Propagation using a Virtual Switch

When Virtual Systems are connected to a Virtual Switch, VSX propagates routes by automatically adding entries to the routing table in each Virtual System.

Each entry contains a route pointing to the destination subnet using the Virtual System Warp Interface (wrp) IP address.
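The following is an added example, not code from the page or from Check Point, that computes the two propagation results described above for a constructed three-Virtual-System topology: the entries VSX would add to a Virtual Router's table (each subnet via the owning system's router-side Warp Interface, wrpjN) and the entries it would add to every Virtual System when a Virtual Switch connects them (each subnet with the owning system's wrp IP address as next hop). Subnets, wrp addresses and the warp-link numbering are assumptions; VSX assigns the real numbers. It also adds a check the page does not spell out: two Virtual Systems announcing overlapping subnets cannot both be propagated into one shared table.

```python
import ipaddress

# Constructed topology (not from the page): each Virtual System, the subnets behind it,
# and the IP address of its Warp Interface (wrp) toward the shared Virtual Device.
# Warp links are numbered 0..n-1 in insertion order here; on a Virtual Router the
# router-side end of link N is wrpjN. Real deployments use the numbers VSX assigns.
VIRTUAL_SYSTEMS = {
    "VS1": {"networks": ["10.1.0.0/24", "10.1.1.0/24"], "wrp_ip": "192.168.0.1"},
    "VS2": {"networks": ["10.2.0.0/24"], "wrp_ip": "192.168.0.2"},
    "VS3": {"networks": ["10.3.0.0/24"], "wrp_ip": "192.168.0.3"},
}


def propagate_to_virtual_router(systems):
    """Entries VSX adds to the Virtual Router's table: each subnet behind a Virtual
    System, reached through that system's router-side Warp Interface (wrpjN)."""
    table = []
    for link, (vs, cfg) in enumerate(systems.items()):
        for net in cfg["networks"]:
            table.append({"dest": ipaddress.ip_network(net),
                          "via": f"wrpj{link}", "owner": vs})
    return table


def propagate_via_virtual_switch(systems):
    """Entries VSX adds to each Virtual System when a Virtual Switch connects them:
    every other system's subnets, with that system's wrp IP address as next hop."""
    tables = {}
    for vs in systems:
        tables[vs] = [{"dest": ipaddress.ip_network(net),
                       "nexthop": ipaddress.ip_address(cfg["wrp_ip"]), "owner": other}
                      for other, cfg in systems.items() if other != vs
                      for net in cfg["networks"]]
    return tables


def lookup(table, dst_ip):
    """Longest-prefix match over a propagated table; None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if dst in r["dest"]]
    return max(matches, key=lambda r: r["dest"].prefixlen, default=None)


def overlapping_announcements(systems):
    """Subnets announced by two different Virtual Systems that overlap. A shared
    Virtual Router or Virtual Switch table can hold only one next hop for them, so
    run this before enabling propagation; overlapping space belongs behind NAT."""
    conflicts = []
    names = list(systems)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in systems[a]["networks"]:
                for nb in systems[b]["networks"]:
                    if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                        conflicts.append((a, na, b, nb))
    return conflicts


if __name__ == "__main__":
    for r in propagate_to_virtual_router(VIRTUAL_SYSTEMS):
        print(f"VR   {str(r['dest']):<16} via {r['via']}  ({r['owner']})")
    for vs, tbl in propagate_via_virtual_switch(VIRTUAL_SYSTEMS).items():
        for r in tbl:
            print(f"{vs}  {str(r['dest']):<16} nexthop {r['nexthop']}  ({r['owner']})")
    print("conflicts:", overlapping_announcements(VIRTUAL_SYSTEMS))
```

A Virtual System's own subnets never appear in its own propagated table: they are directly connected, so only the other systems' subnets are learned through the Virtual Switch.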

Overlapping IP Address Space

VSX facilitates connectivity when multiple network segments share the same IP address range (IP address space).

This scenario occurs when a single VSX Gateway protects several independent networks that assign IP addresses to endpoints from the same pool of IP addresses.

Thus, more than one endpoint in a VSX environment can have the identical IP address, provided that each is located behind a different Virtual System.

Overlapping IP address space in VSX environments is possible because each Virtual System maintains its own unique state and routing tables.

These tables can contain identical entries, but within different, segregated contexts.

Virtual Systems use NAT to map internal IP addresses to one or more external IP addresses.

The figure below shows how traffic passes from the Internet to an internal network with overlapping IP address ranges, using NAT at each Virtual System.

  Item  Description
  1     Internet
  2     Router
  3     Virtual Switch
  4     VSX Gateway
  5     Virtual System 1
  6     Virtual System 2
  7     Switch
  8     Network 1
  9     Network 2
        Warp Link

In this case, Network 1 and Network 2 share the same network address pool, which might result in identical overlapping IP addresses.

To prevent this, packets originating from or targeted to these networks are processed by their respective Virtual System using NAT to translate the original/overlapping addresses to unique routable addresses.

More on Virtual Switch Route Propagation

You do not need to define the topology manually, because VSX does this automatically.

Some manual steps in the VSX objects are still required.

To update the topology map for each Virtual System after you enable route propagation:

  1. For each Virtual System object that is connected to the Virtual Switch:

    1. Edit the object properties.

      Make sure the Anti-Spoofing and VPN settings are correct for the updated topology.

    2. Save the object.

  2. Install the security policy for the affected Virtual Systems.

NAT

Virtual Systems support Network Address Translation (NAT), much in the same manner as a physical Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

When a Virtual System that uses Static or Hide NAT is connected to a Virtual Router, you must propagate the routes for the NAT addresses to the Virtual Router; otherwise the Virtual Router has no route toward the translated addresses.

To do so, first define the NAT addresses for the Virtual Systems connected to the Virtual Router.
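The following is an added example, not code from the page or from Check Point, that serves both the Overlapping IP Address Space section and this NAT section. It models two Virtual Systems behind one Virtual Router (the page's figure uses a Virtual Switch; a Virtual Router is used here because that is the case in which NAT routes must be propagated) whose protected networks both use 10.0.0.0/24, each with a Static NAT mapping to a unique routable address. The addresses, interface names and warp-link numbering are assumptions. It shows the identical per-Virtual-System routing tables, the host routes for the NAT addresses that the Virtual Router needs, an inbound packet reaching the right 10.0.0.5, and a check that the translated addresses really are unique.

```python
import ipaddress

# Constructed topology (not from the page). Two Virtual Systems hang off one Virtual
# Router. Both protected networks use 10.0.0.0/24, so host 10.0.0.5 exists twice.
# Each VS has a Static NAT mapping to a unique, routable address; "wrpj" is the
# router-side Warp Interface of that VS's warp link (numbering is assumed here).
VIRTUAL_SYSTEMS = {
    "VS1": {"internal": "10.0.0.0/24", "wrpj": "wrpj0",
            "static_nat": {"10.0.0.5": "203.0.113.10"}},
    "VS2": {"internal": "10.0.0.0/24", "wrpj": "wrpj1",
            "static_nat": {"10.0.0.5": "203.0.113.20"}},
}

# One routing table per Virtual System. The entries are identical, which is harmless
# because each table is only ever consulted inside its own Virtual System.
VS_ROUTES = {vs: {ipaddress.ip_network(cfg["internal"]): "inside"}
             for vs, cfg in VIRTUAL_SYSTEMS.items()}


def duplicate_nat_addresses(systems):
    """NAT addresses used by more than one Virtual System. Overlapping internal space
    only works if the translated addresses are unique, so check this before pushing
    the NAT routes to the Virtual Router."""
    seen = {}
    for vs, cfg in systems.items():
        for public in cfg["static_nat"].values():
            seen.setdefault(public, []).append(vs)
    return {pub: owners for pub, owners in seen.items() if len(owners) > 1}


def nat_routes_for_virtual_router(systems):
    """Routes that must be propagated to the Virtual Router so it can reach the NAT
    addresses: one host route per translated address, via the owning VS's wrpj."""
    table = {}
    for vs, cfg in systems.items():
        for public in cfg["static_nat"].values():
            table[ipaddress.ip_network(public + "/32")] = (cfg["wrpj"], vs)
    return table


def deliver_inbound(systems, vr_table, dst_public):
    """Internet -> Virtual Router -> Virtual System (Static NAT) -> internal host.
    Returns (virtual_system, internal_ip, egress_interface) or None if unroutable."""
    dst = ipaddress.ip_address(dst_public)
    hit = next((v for net, v in vr_table.items() if dst in net), None)
    if hit is None:
        return None                                   # VR has no propagated route
    _, vs = hit
    reverse = {pub: priv for priv, pub in systems[vs]["static_nat"].items()}
    internal = reverse[dst_public]                    # destination NAT inside the VS
    # Route the translated packet in *this* VS's own table, never a shared one.
    egress = next(iface for net, iface in VS_ROUTES[vs].items()
                  if ipaddress.ip_address(internal) in net)
    return vs, internal, egress


def translate_outbound(systems, vs, src_internal):
    """Internal host -> Virtual System (Static NAT) -> Virtual Router.
    The same internal address yields a different public source per Virtual System."""
    return systems[vs]["static_nat"][src_internal]


if __name__ == "__main__":
    vr = nat_routes_for_virtual_router(VIRTUAL_SYSTEMS)
    for net, (iface, vs) in vr.items():
        print(f"VR {net} via {iface} ({vs})")
    print(deliver_inbound(VIRTUAL_SYSTEMS, vr, "203.0.113.10"))
    print(deliver_inbound(VIRTUAL_SYSTEMS, vr, "203.0.113.20"))
    print("duplicates:", duplicate_nat_addresses(VIRTUAL_SYSTEMS))
```

Without the propagated host routes, the Virtual Router would see 203.0.113.10 and 203.0.113.20 as unknown destinations; with them, the only address that ever crosses the warp link is the unique translated one, so the duplicated 10.0.0.5 never has to be disambiguated outside its own Virtual System.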

Dynamic Routing

The Virtual Devices can communicate and distribute routes using dynamic routing.

Each Virtual Device has its own routing daemon.

Virtual Systems support:

  • OSPF

  • RIP

  • BGP

  • PIM

Virtual Routers support:

  • OSPF