|
|
|
A VLAN switch tags packets that originate in a VLAN with a four-byte header that specifies, which switch port it came from. No packet is allowed to go from a switch port in one VLAN to a switch port in another VLAN, apart from ports ("global" ports) that are defined so that they belong to all the VLANs.
The Cluster Member is connected to the global port of the VLAN switch, and this logically divides a single physical port into many VLAN ports each associated with a VLAN tagged interface (VLAN interface) on the Cluster Member.
When defining VLAN tags on an interface, cluster IP addresses can be defined only on the VLAN interfaces (the tagged interfaces). Defining a cluster IP address on a physical interface that has VLANs is not supported. This physical interface has to be defined with the Network Type Private.
ClusterXL (including VSX) supports the Synchronization Network (CCP packets that carry Delta Sync information) only on the lowest VLAN ID (VLAN tag). For example, if three VLANs with IDs 10, 20 and 30 are configured on interface eth1, then you can use only the VLAN interface eth1.10 for the State Synchronization.
This is the default interface monitoring in Check Point cluster:
Interface type |
ClusterXL (non-VSX) |
VSX Cluster |
|---|---|---|
Physical interfaces |
Monitors all cluster interfaces |
Monitors all cluster interfaces |
VLAN interfaces |
Monitors only lowest VLAN ID configured on a physical interface |
VSX High Availability (non-VSLS): Monitors only lowest and highest VLAN IDs configured on a physical interface If both VLAN IDs reside on the same Virtual System, only the lowest VLAN ID is monitored |
|
Monitors only lowest and highest VLAN IDs configured on a physical interface |
Virtual System Load Sharing: Monitors all VLAN IDs configured on a physical interface on each Virtual System When a Virtual System is connected to a Virtual Switch with the same physical interface and a lower VLAN ID, the |
You can customize the default monitoring of VLAN IDs:
Need to monitor |
In ClusterXL (non-VSX) |
In VSX Cluster |
|---|---|---|
Only the lowest VLAN ID |
Enabled by default |
Must disable the monitoring of all VLAN IDs - set the value of the kernel parameter See sk92826 |
Only the lowest and highest VLAN IDs |
Enabled by default Controlled by the kernel parameter See sk92826 |
VSX High Availability (non-VSLS): Enabled by default Controlled by the kernel parameter See sk92826 |
All VLAN IDs |
Disabled by default Controlled by the kernel parameter See sk92826 |
Virtual System Load Sharing: Disabled by default Controlled by the kernel parameter See sk92826 |
Only specific VLAN IDs |
Disabled by default Controlled by the kernel parameter See sk92784 |
Disabled by default Controlled by the kernel parameter See sk92784 |
It is not recommended to connect the non-secured interfaces (the internal or external cluster interfaces, for example) of multiple clusters to the same VLAN. A separate VLAN, and/or switch is needed for each cluster.
Connecting the secured interfaces (the synchronization interfaces) of multiple clusters is also not recommended for the same reason. Therefore, it is best to connect the secured interfaces of a given cluster via a crossover link when possible, or to an isolated VLAN.
If there is a need to connect the secured or the non-secured interfaces of multiple clusters to the same VLAN you need to make changes to:
This section applies to ClusterXL Load Sharing Multicast Mode only.
When a member that is outside the cluster wishes to communicate with the cluster, it sends an ARP query with the cluster (virtual) IP address. The cluster replies to the ARP request with a multicast MAC address, even though the IP address is a unicast address.
This destination multicast MAC address of the cluster is based on the unicast IP address of the cluster. The upper three bytes are 01.00.5E, and they identify a Multicast MAC in the standard way. The lower three bytes are the same as the lower three bytes of the IP address. An example MAC address based on the IP address 10.0.10.11 is shown below.
|
|
10. |
0. |
10. |
11 |
Destination unicast IP address for the cluster |
|
|
|
|
|
|
|
01 |
00 |
5E |
00 |
0A |
0B |
Destination multicast MAC address for the cluster |
Upper 3 bytes Identify a Multicast MAC |
Lower 3 bytes From IP address |
|||||
When more than one cluster is connected to the same VLAN, the last three bytes of the IP addresses of the cluster interfaces connected to the VLAN must be different. If they are the same, then communication from outside the cluster that is intended for one of the clusters will reach both clusters, which will cause communication problems.
For example, it is OK for the cluster interface of one of the clusters connected to the VLAN to have the address 10.0.10.11, and the cluster interface of a second cluster to have the address 10.0.10.12. However, the following addresses for the interfaces of the first and second clusters will cause complications: 10.0.10.11 and 20.0.10.11.
The best solution is to change to the last three bytes of the IP address of all but one of the cluster interfaces that share the same last three bytes of their IP address.
If the IP address of the cluster interface cannot be changed, you must change the automatically assigned multicast MAC address of all but one of the clusters and replace it with a user-defined multicast MAC address. Proceed as follows:
0 and 7 (in hex) and y is between 0 and f (in hex).