Hardware Requirements, Compatibility and Cisco Example

Included Topics

ClusterXL Hardware Requirements

ClusterXL Hardware Compatibility

Example Configuration of a Cisco Catalyst Routing Switch

ClusterXL Hardware Requirements

The Cluster is usually located in an environment having other networking devices such as switches and routers. These devices and the Security Gateways must interact to assure network connectivity. This section outlines the requirements imposed by ClusterXL on surrounding networking equipment.

HA New and Load Sharing Unicast Modes

Multicast mode is the default Cluster Control Protocol (CCP) mode in High Availability New Mode and Load Sharing Unicast Mode (and also Load Sharing Multicast Mode).

When using CCP in multicast mode, configure the following settings on the switch.

| Switch Setting | Explanation |
|---|---|
| IGMP and Static CAMs | IGMP registration (also known as IGMP Snooping) is enabled by default. You can disable IGMP registration. In scenarios where disabling IGMP registration is problematic, you can configure static CAMs to allow multicast traffic on specified ports. |
| Disabling multicast limits | Certain switches have an upper limit on the number of broadcasts and multicasts that they can pass, in order to prevent broadcast storms. This limit is usually a percentage of the total interface bandwidth. It is possible to either turn off broadcast storm control, or to allow a higher level of broadcasts or multicasts through the switch. |

If the connecting switch is incapable of having any of these settings configured, it is possible, though less efficient, for the switch to use broadcast to forward traffic, and to configure the cluster members to use broadcast CCP.

Configure the following settings on the router:

| Router Setting | Explanation |
|---|---|
| Unicast MAC | When working in High Availability Legacy mode, High Availability New mode and Load Sharing Unicast mode, the Cluster IP address is mapped to a regular MAC address, which is the MAC address of the active member. The router needs to be able to learn this MAC through regular ARP messages. |

VMAC Mode

When ClusterXL is configured in HA mode or Load Sharing unicast mode (not multicast), a single cluster member is associated with the Cluster Virtual IP address. In a High Availability environment, the single member is the active member. In a Load Sharing environment, the single member is the pivot.

After fail-over, the new active member (or pivot member) broadcasts a series of Gratuitous ARP Requests (G-ARPs). The G-ARPs associate the Virtual IP address of the cluster with the physical MAC address of the new active member or the new pivot. When this happens:

To minimize possible traffic outage during a fail-over, configure the cluster to use a virtual MAC address (VMAC).

By enabling Virtual MAC in ClusterXL High Availability mode, or Load Sharing Unicast mode, all cluster members associate the same Virtual MAC address with all Cluster Virtual Interfaces and the Virtual IP address. In Virtual MAC mode, the VMAC that is advertised by the cluster members (through G-ARP Requests) keeps the real MAC address of each member and adds a Virtual MAC address on top of it.

(For local connections and sync connections, the real MAC address of each member is still associated with its real IP address.)

Note - VMAC mode is supported only on SecurePlatform and Gaia.

  • In SecurePlatform, you can enable VMAC with the command line only
  • In Gaia, you can enable VMAC with the command line or SmartDashboard

VMAC failover time is shorter than a failover that involves a physical MAC address.

To configure VMAC Mode using SmartDashboard:

  1. Double-click the Cluster object to open its Properties window.
  2. On the ClusterXL and VRRP page, select Use Virtual MAC.
  3. Install a Policy.

To configure VMAC Mode using the command line:

Set the value of global kernel parameter fwha_vmac_global_param_enabled.

  1. First get the current value of global kernel parameter by running this command on a cluster member:

    fw ctl get int fwha_vmac_global_param_enabled

  2. Set the new value by running:

    fw ctl set int fwha_vmac_global_param_enabled VALUE

    Where:

    | VALUE | Description |
    |---|---|
    | 1 | VMAC enabled |
    | 0 | VMAC disabled |

  3. Make sure VMAC mode is enabled by running: cphaprob -a if

    This command shows the VMAC address of each virtual cluster interface.

    Note -

    • On SecurePlatform, run this command in the Expert mode.
    • On Gaia, this command can be run in Clish or the Expert mode.

For more on VMAC mode, see: sk50840

To set the VMAC mode value permanently, see sk26202

Load Sharing Multicast Mode

When working in Load Sharing Multicast mode, the switch settings are as follows:

Switch Configuration for Load Sharing Multicast Mode

| Switch Setting | Explanation |
|---|---|
| CCP in Multicast mode | Multicast mode is the default Cluster Control Protocol mode in Load Sharing Multicast. |
| Port Mirroring | ClusterXL does not support the use of unicast MAC addresses with Port Mirroring for Multicast Load Sharing solutions. |

When working in Load Sharing Multicast mode, the router must support sending unicast IP packets with Multicast MAC addresses. This is required so that all cluster members will receive the data packets.

The following settings may need to be configured in order to support this mode, depending on the model of the router:

Router Configuration for Load Sharing Multicast Mode

| Router Setting | Explanation |
|---|---|
| Static MAC | Most routers can learn ARP entries with a unicast IP and a multicast MAC automatically using the ARP mechanism. If you have a router that is not able to learn this type of mapping dynamically, you'll have to configure static MAC entries. |
| IGMP and static CAMs | Some routers require disabling of IGMP snooping or configuration of static CAMs in order to support sending unicast IP packets with Multicast MAC addresses. |
| Disabling multicast limits | Certain routers have an upper limit on the number of broadcasts and multicasts that they can pass, in order to prevent broadcast storms. This limit is usually a percentage of the total interface bandwidth. It is possible to either turn off broadcast storm control, or to allow a higher level of broadcasts or multicasts through the router. |
| Disabling forwarding multicast traffic to the router | Some routers will send multicast traffic to the router itself. This may cause a packet storm through the network and should be disabled. |

ClusterXL Hardware Compatibility

The following routers and switches are known to be compatible for all ClusterXL modes:

Routers

Routing Switch

Switches

Example Configuration of a Cisco Catalyst Routing Switch

The following example shows how to perform the configuration commands needed to support ClusterXL on a Cisco Catalyst 6500 Series routing switch. For more details, or instructions for other networking devices, please refer to the device vendor documentation.

Disabling IGMP Snooping

To disable IGMP snooping run:

no ip igmp snooping

Defining Static CAM Entries

To add a permanent multicast entry to the table for module 1, port 1, and module 2, ports 1, 3, and 8 through 12:

    Console> (enable) set cam permanent 01-00-5e-28-0a-64 1/1,2/1,2/3,2/8-12
    Permanent multicast entry added to CAM table.
    Console> (enable)

To determine the MAC addresses that must be set:

  1. On a network that has a cluster IP address of x.y.z.w:
    • If y<=127, the multicast MAC address would be 01:00:5e:y:z:w. For example: 01:00:5e:5A:0A:64 for 192.90.10.100
    • If y>127, the multicast MAC address would be 01:00:5e:(y-128):z:w. For example: 01:00:5e:28:0A:64 for 192.168.10.100 (168-128=40, which is 28 in hex).
  2. For a network x.y.z.0 that does not have a cluster IP address, such as the sync network, use the same procedure, but substitute fa for the 0 in the last octet of the MAC address.
    • For example: 01:00:5e:00:00:fa for the 10.0.0.X network.
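
The MAC rule above, as an added Python example (not part of the original guide and not Check Point or Cisco tooling): it derives the multicast MAC for each cluster network and checks a list of static CAM entries against the expected set. The function names, the sample addresses and the sample CAM list are constructed for illustration.

```python
import ipaddress
import re

def ccp_multicast_mac(ip, has_cluster_ip=True):
    """Multicast MAC for a cluster network, following the rule above.

    ip is the cluster IP x.y.z.w. For a network without a cluster IP
    (such as sync), pass any address in it and has_cluster_ip=False.
    """
    _, y, z, w = ipaddress.IPv4Address(ip).packed
    if y > 127:
        y -= 128                      # e.g. 168 -> 40 (0x28)
    if not has_cluster_ip:
        w = 0xFA                      # last octet is replaced by fa
    return "01:00:5e:%02x:%02x:%02x" % (y, z, w)

def normalize_mac(mac):
    """Lower-case colon form of a MAC written with ':', '-' or '.'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def cam_command(mac, ports):
    """'set cam permanent' line in the form used in this section."""
    return "set cam permanent %s %s" % (normalize_mac(mac).replace(":", "-"), ports)

def audit_static_cams(networks, configured_macs):
    """Return (missing, unexpected) MACs for the given cluster networks.

    networks: (ip, has_cluster_ip) pairs; configured_macs: MACs already
    entered as static CAM entries on the switch.
    """
    expected = {ccp_multicast_mac(ip, flag) for ip, flag in networks}
    configured = {normalize_mac(m) for m in configured_macs}
    return sorted(expected - configured), sorted(configured - expected)

if __name__ == "__main__":
    # Constructed sample: one cluster network, one sync network, and a CAM
    # list in which 128 was not subtracted from the second octet (a8 vs 28).
    networks = [("192.168.10.100", True), ("10.0.0.0", False)]
    configured = ["01-00-5e-a8-0a-64", "01:00:5E:00:00:FA"]
    missing, unexpected = audit_static_cams(networks, configured)
    for mac in missing:
        print("missing:   ", cam_command(mac, "<module/port list>"))
    for mac in unexpected:
        print("unexpected:", mac)
```

A MAC reported as missing means CCP multicast for that network has no static CAM entry; one reported as unexpected is usually a mistyped octet.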

Disabling Multicast Limits

To disable multicast limits run:

no storm-control multicast level

Configuring a Static ARP Entry on the Router

To define a static ARP entry:

  1. Determine the MAC address.
  2. Run arp <IP address> <MAC address> arpa

Disabling Multicast Packets from Reaching the Router

To prevent multicast packets from reaching the router:

  1. Determine the MAC address.
  2. Run set cam static <MAC address> module/port.