Technical data
VSX Architecture and Concepts
Check Point VSX Administration Guide NGX R67 | 29
Overlapping IP Address Space
VSX facilitates connectivity when multiple network segments share the same IP address range (IP address
space). This scenario occurs when a single VSX gateway protects several independent networks that
assign IP addresses to endpoints from the same pool of IP addresses. Thus, it is feasible that more than
one endpoint in a VSX environment will have the identical IP address, provided that each is located behind
a different Virtual System.
Overlapping IP address space in VSX environments is possible because each Virtual System maintains its
own unique state and routing tables. These tables can contain identical entries, but within different,
segregated contexts. Virtual Systems use NAT to facilitate mapping internal IP addresses to one or more
external IP addresses.
The figure below demonstrates how traffic passes from the Internet to an internal network with overlapping
IP address ranges, using NAT at each Virtual System.
Figure 2-13 Example of overlapping IP addresses
In this case, Network 1, Network 2, Network 3, and Network 4 all share the same network address pool,
which might result in identical overlapping IP addresses. However, packets originating from or targeted to
these networks are processed by their respective Virtual System, which uses NAT to translate the
original, overlapping addresses to unique routable addresses.
Additional Considerations for Virtual Switch Route Propagation
To update the topology map for each Virtual System, you still need to edit and save each Virtual System
object that is connected to the Virtual Switch after enabling route propagation. You do not, however, need to
manually define the topology, as this is done automatically.
Following the topology update, you must then re-install the security policy for the affected Virtual Systems.
This procedure is necessary in order to ensure that the Anti-Spoofing and VPN features work properly.
Source-Based Routing
Source-based routing allows you to define routing rules that take precedence over ordinary,
destination-based routing decisions. This allows you to route packets according to their source IP address
or a combination of their source IP address and destination IP address.
Source-based routing is useful in deployments where a single physical interface without VLAN tagging
connects several protected Domain networks. Each Virtual System is connected to an internal Virtual
Router. The Virtual Router routes traffic to the appropriate Virtual System based on the source IP address,
as defined in source-based routing rules.
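The two mechanisms described above, overlapping IP address space with per-Virtual-System NAT and source-based routing at a Virtual Router, modelled as an added Python example (not code or configuration syntax from the VSX guide). It assumes two Virtual Systems, VS1 and VS2, whose protected networks both use 10.0.0.0/24, external addresses from the documentation ranges, and a hypothetical rule format for the Virtual Router's tables.

```python
from ipaddress import ip_address, ip_network

# Constructed model (not VSX configuration syntax): two Virtual Systems whose
# protected networks both use 10.0.0.0/24, so the same internal address
# 10.0.0.5 exists behind each. Every Virtual System keeps its own NAT table and
# its own connection table; external addresses are from documentation ranges.
VIRTUAL_SYSTEMS = {
    "VS1": {"nat": {"192.0.2.10": "10.0.0.5"}, "connections": set()},
    "VS2": {"nat": {"198.51.100.10": "10.0.0.5"}, "connections": set()},
}

# Internal Virtual Router tables (hypothetical rule format). Source-based
# rules are consulted first; the destination-based table is the fallback.
SOURCE_RULES = [(ip_network("172.16.1.0/24"), "VS1"),
                (ip_network("172.16.2.0/24"), "VS2")]
DEST_ROUTES = [(ip_network("0.0.0.0/0"), "VS1")]


def select_virtual_system(src, dst):
    """Return the Virtual System that handles a packet from src to dst.
    A matching source-based rule wins over any destination-based route."""
    src, dst = ip_address(src), ip_address(dst)
    for net, vs in SOURCE_RULES:
        if src in net:
            return vs
    for net, vs in DEST_ROUTES:
        if dst in net:
            return vs
    raise LookupError(f"no route for {src} -> {dst}")


def inbound_from_internet(src, dst, dport):
    """Deliver an Internet packet: the unique external address identifies the
    Virtual System, which translates it to the (overlapping) internal address
    and records the connection in its own segregated table."""
    for name, vs in VIRTUAL_SYSTEMS.items():
        if dst in vs["nat"]:
            internal = vs["nat"][dst]
            vs["connections"].add((src, internal, dport))
            return name, internal
    raise LookupError(f"no NAT mapping for {dst}")
```

After one inbound connection to each external address, the two connection tables hold identical entries (same client, same internal address 10.0.0.5, same port) yet remain separate contexts, which is exactly why overlapping address space works.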