Configuring ClusterXL

In This Section:

Installing Cluster Members

Configuring Routing for Client Computers

Choosing the CCP Transport Mode on the Cluster Members

Configuring the Cluster Object and Members

Configuring a ClusterXL in Bridge Mode

This procedure describes how to configure the Load Sharing Multicast, Load Sharing Unicast, and High Availability modes from scratch. Their configuration is identical, apart from the mode selection in the SmartConsole Cluster object or the Cluster creation wizard.

Installing Cluster Members

Important - See Hardware Requirements for Cluster Members and Software Requirements for Cluster Members.

To install new cluster members for ClusterXL:

  1. Install and configure Check Point Security Gateways that will be configured as cluster members.
    • For installation and initial configuration procedures, see the R80.10 Installation and Upgrade Guide.
    • During the Gaia First Time Configuration Wizard, enable ClusterXL.
    • You must run cpconfig from the command line and select Enable cluster membership for this gateway. This change requires a reboot.
  2. Using Gaia Portal or Gaia Clish, define an IP address on each interface on all cluster members.

    Note - Do not define IPv6 addresses for synchronization interfaces.

  3. On cluster members that will participate in a VPN community, you must synchronize clocks accurately to within one second of each other. If these cluster members are constantly up and running, it is usually enough to set the time once. More reliable synchronization can be achieved using NTP or some other time synchronization services supplied by the operating system.
  4. Connect the cluster members to each other and to the networks through switches. For the synchronization interfaces, you can use a cross cable, or a dedicated switch. Make sure that each network (internal, external, synchronization, DMZ, and so on) is configured on a separate VLAN, or network segment.

Note - You can also perform synchronization over a WAN.

Configuring Routing for Client Computers

Example topology:

[internal network 10.10.2.0/24] --- (VIP 10.10.2.100/24) [Cluster] (VIP 192.168.2.100/24) --- [external network 192.168.2.0/24]

To configure routing for client computers:

  1. Computers on the internal network 10.10.2.0/24 should be configured with Default Gateway IP 10.10.2.100
  2. Computers on the external network 192.168.2.0/24 should be configured with Default Gateway IP 192.168.2.100
  3. For Proxy ARP configuration, see sk30197
  4. Also see Configuring Cluster Addresses on Different Subnets

Choosing the CCP Transport Mode on the Cluster Members

In R80.10, the Cluster Control Protocol (CCP) has two modes:

  • Multicast - In this CCP mode, the CCP packets are sent to a multicast Layer 2 destination MAC address (01:00:5E:xx:yy:zz). See sk25977.
    • This is the default CCP mode for non-Sync interfaces.
  • Broadcast - In this CCP mode, the CCP packets are sent to a broadcast Layer 2 destination MAC address (FF:FF:FF:FF:FF:FF). See sk25977 and sk36644.
    • This is the default CCP mode for Sync interface.
    • This is the only supported CCP mode on Bridge interfaces.
    • Use this CCP mode if the connecting switches do not pass CCP multicast packets.

To set the CCP mode:

In Expert mode, run: cphaconf set_ccp {multicast|broadcast}

This configuration applies immediately and survives reboot.

To monitor the CCP mode:

In Expert mode, run: cphaprob -a if

Example output:

[Expert@Member2:0]# cphaprob -a if

Required interfaces: 3
Required secured interfaces: 1

eth0 UP non sync(non secured), multicast
eth1 UP non sync(non secured), multicast
eth2 UP sync(secured), multicast

Virtual cluster interfaces: 2

eth0 192.168.2.63
eth1 172.30.2.63

[Expert@Member2:0]#
[Expert@Member2:0]# cphaconf set_ccp multicast
[Expert@Member2:0]#
[Expert@Member2:0]# cat $FW_BOOT_DIR/ha_boot.conf
ha_installed 1
ccp_mode multicast
[Expert@Member2:0]#
[Expert@Member2:0]# cphaconf set_ccp broadcast
[Expert@Member2:0]#
[Expert@Member2:0]# cphaprob -a if

Required interfaces: 3
Required secured interfaces: 1

eth0 UP non sync(non secured), broadcast
eth1 UP non sync(non secured), broadcast
eth2 UP sync(secured), broadcast

Virtual cluster interfaces: 2

eth0 192.168.2.63
eth1 172.30.2.63

[Expert@Member2:0]#
[Expert@Member2:0]# cat $FW_BOOT_DIR/ha_boot.conf
ha_installed 1
ccp_mode broadcast
[Expert@Member2:0]#
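The two manual checks in the example output (the running mode on each interface and the persisted ccp_mode in ha_boot.conf) can be scripted after a mode change. The following is an added example, not Check Point code: the function names ccp_modes, boot_ccp_mode and ccp_check are hypothetical, and it assumes the output formats shown above.

```bash
#!/bin/bash
# Added example (not Check Point code): after `cphaconf set_ccp <mode>`,
# confirm the mode is live on every interface and persisted for reboot.
# Read `cphaprob -a if` output on stdin; print "<interface> <mode>" per
# status line, e.g. "eth2 UP sync(secured), multicast" -> "eth2 multicast".
ccp_modes() {
    awk '$NF == "multicast" || $NF == "broadcast" { print $1, $NF }'
}

# Read ha_boot.conf content on stdin; print the persisted ccp_mode value.
boot_ccp_mode() {
    awk '$1 == "ccp_mode" { print $2 }'
}

# ccp_check <expected mode> <cphaprob output> <ha_boot.conf content>
# Prints one line per mismatch. Returns 0 if everything matches, 1 on a
# mismatch, 2 on an invalid mode or input without interface/ccp_mode lines.
ccp_check() {
    local want="$1" live saved bad rc=0
    case $want in multicast|broadcast) ;; *) return 2 ;; esac
    live=$(printf '%s\n' "$2" | ccp_modes)
    saved=$(printf '%s\n' "$3" | boot_ccp_mode)
    [ -n "$live" ] && [ -n "$saved" ] || return 2
    if [ "$saved" != "$want" ]; then
        echo "ha_boot.conf: ccp_mode=$saved expected=$want"; rc=1
    fi
    bad=$(printf '%s\n' "$live" | awk -v want="$want" \
        '$2 != want { print $1 ": running=" $2 " expected=" want }')
    if [ -n "$bad" ]; then printf '%s\n' "$bad"; rc=1; fi
    return "$rc"
}

# Constructed sample input, modelled on the example output on this page.
SAMPLE_PROBE='Required interfaces: 3
Required secured interfaces: 1

eth0 UP non sync(non secured), broadcast
eth1 UP non sync(non secured), broadcast
eth2 UP sync(secured), broadcast

Virtual cluster interfaces: 2

eth0 192.168.2.63
eth1 172.30.2.63'
SAMPLE_BOOT='ha_installed 1
ccp_mode broadcast'

# On a member: ccp_check broadcast "$(cphaprob -a if)" "$(cat "$FW_BOOT_DIR/ha_boot.conf")"
ccp_check broadcast "$SAMPLE_PROBE" "$SAMPLE_BOOT" && echo "CCP mode OK: broadcast"
```

Run the check with the mode you just passed to cphaconf set_ccp; a non-zero return means the running or persisted mode differs from the one you passed.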