Configuring a ClusterXL in Bridge Mode

You can configure ClusterXL in Bridge Mode in different cluster deployments:

ClusterXL in Bridge Mode	Number of Supported Switches
Active / Standby	Two only
Active / Active	Two, or Four

For instructions, see:

Configuring ClusterXL in Bridge Mode - Active/Standby with Two Switches

Example for deployment Active/Standby mode with two switches:

bridge cluster

Item	Description
1 and 2	Switches
	Cluster members that bridge Layer 2 traffic
3 and 4	The slaves of the bridge interface (for example, eth1 and eth2)
5	The ClusterXL Sync interfaces (for example, eth3)

This is the preferred mode in topologies that support it.

In Active/Standby mode, ClusterXL decides the cluster state. The standby member drops all packets. It does not pass any traffic, including STP/RSTP/MSTP. If there is a failover, the switches are updated by the Security Gateway to forward traffic to the new active member.

If you use this mode, it is best to disable STP/RSTP/MSTP on the adjacent switches.

To configure Active/Standby mode:

Install the cluster members.
In SmartDashboard, configure the ClusterXL object in High Availability mode and install policy on the cluster object.
On each cluster member, run: cpconfig
Enter 8, to select Enable Check Point ClusterXL for Bridge Active/Standby.
Confirm: y
Reboot each cluster member.
In SmartDashboard, install policy on the cluster object.

On each cluster member, examine the cluster state. Run: cphaprob state

The output should be similar to:

Cluster Mode: High Availability (Active Up, Bridge Mode) with IGMP Membership

Number Unique Address Firewall State (*)

1 (local> 2.2.2.3 Active

2 2.2.2.2 Standby

Configuring ClusterXL in Bridge Mode - Active/Active with Two Switches

When you define a bridge interface on a Security Gateway cluster, Active/Active mode is activated by default.

Before you begin, install ClusterXL High Availability on a Gaia appliance or open server.

To configure Active/Active mode, do these steps on each member of the cluster:

Install the cluster members.
Configure dedicated Management and Sync interfaces.
Add a bridge interface, as in a single gateway deployment.
Do not configure an IP address on the newly created bridge interface.
In SmartDashboard:
1. Create the ClusterXL object.
2. In the Cluster Mode page, select High Availability.
3. In the Topology page, get the cluster topology.
4. Make sure the dedicated Management and Sync interfaces are configured.
5. Make sure the Bridge interface and bridge slave interfaces are not in the topology.
Bridge interface topology cannot be defined. It is External by default.
Install policy on the cluster object.
On each cluster member, examine the cluster state. Run: cphaprob state
The output should be similar to:

Cluster Mode: High Availability (Active Up, Bridge Mode) with IGMP Membership
Number Unique Address Firewall State (*)
1 (local> 2.2.2.3 Active
2 2.2.2.2 Active

Confirming the High Availability Configuration

After you configure Active/Active mode, the output for chpaprob state shows that the Firewall State is Active/Active. Make sure that the cluster is configured for High Availability.

To confirm the High Availability configuration:

Open the cluster object.
In the cluster Properties window, click ClusterXL.
In the Cluster Mode section, make sure that High Availability is selected.
Click OK.

Configuring a ClusterXL in Bridge Mode - Active/Active with Four Switches

You can configure a bridged cluster between four switches, in Active/Active mode.

In the Bridge Active/Active mode, ClusterXL works in Load Sharing mode.

Note - Active/Standby mode is not supported with four switches.

Example topology:

bridge in cluster with 4 switches

Item	Description
1, 2, 3, 4	Switches
	Cluster members that bridge Layer 2 traffic
5 and 6	The slaves of the bridge interface (for example, eth1 and eth2)
7	The ClusterXL Sync interfaces (for example, eth3)

The workflow and detailed instructions are the same as in the Configuring ClusterXL in Bridge Mode - Active/Active with Two Switches.