Working with VLANs in Cluster

A VLAN switch tags packets that originate in a VLAN with a four-byte header that specifies which switch port they came from.

No packet is allowed to go from a switch port in one VLAN to a switch port in another VLAN, apart from ports ("global" ports) that are defined so that they belong to all the VLANs.

The Cluster Member is connected to the global port of the VLAN switch, and this logically divides a single physical port into many VLAN ports, each associated with a VLAN tagged interface (VLAN interface) on the Cluster Member.

When defining VLAN tags on an interface, cluster IP addresses can be defined only on the VLAN interfaces (the tagged interfaces).

Defining a cluster IP address on a physical interface that has VLANs is not supported.

This physical interface has to be defined with the Network Type Private.

ClusterXL (including VSX) supports the Synchronization Network (CCP packets that carry Delta Sync information) only on the lowest VLAN ID (VLAN tag).

For example, if three VLANs with IDs 10, 20 and 30 are configured on interface eth1, then you can use only the VLAN interface eth1.10 for the State Synchronization.

This is the default interface monitoring in Check Point cluster:

Interface type: Physical interfaces

Monitoring in ClusterXL (non-VSX): Monitors all cluster interfaces.

Monitoring in VSX Cluster: Monitors all cluster interfaces.

Interface type: VLAN interfaces

Monitoring in ClusterXL (non-VSX): Monitors only the lowest VLAN ID configured on a physical interface.

Monitoring in VSX Cluster:

  VSX High Availability (non-VSLS):

  • Monitors only the lowest and highest VLAN IDs configured on a physical interface.

  • Monitors only the lowest VLAN ID, if both VLAN IDs reside on the same Virtual System.

  Virtual System Load Sharing:

  • Monitors all VLAN IDs configured on a physical interface on each Virtual System.

  • When a Virtual System is connected to a Virtual Switch with the same physical interface and a lower VLAN ID, the wrp interface that leads to the Virtual Switch is considered the lowest VLAN ID for the physical interface.

You can customize the default monitoring of VLAN IDs:

Need to monitor VLAN: Only the lowest VLAN ID

Monitoring in ClusterXL (non-VSX): Enabled by default.

Monitoring in VSX Cluster: Must disable the monitoring of all VLAN IDs - set the value of the kernel parameter fwha_monitor_all_vlan to 0. See sk92826.

Need to monitor VLAN: Only the lowest and highest VLAN IDs

Monitoring in ClusterXL (non-VSX): Enabled by default. Controlled by the kernel parameter fwha_monitor_low_high_vlans. See sk92826.

Monitoring in VSX Cluster: VSX High Availability (non-VSLS): Enabled by default. Controlled by the kernel parameter fwha_monitor_low_high_vlans. See sk92826.

Need to monitor VLAN: All VLAN IDs

Monitoring in ClusterXL (non-VSX): Disabled by default. Controlled by the kernel parameter fwha_monitor_all_vlan. See sk92826.

Monitoring in VSX Cluster: Virtual System Load Sharing: Disabled by default. Controlled by the kernel parameter fwha_monitor_all_vlan. See sk92826.

Need to monitor VLAN: Only specific VLAN IDs

Monitoring in ClusterXL (non-VSX): Disabled by default. Controlled by the kernel parameter fwha_monitor_specific_vlan. See sk92784.

Monitoring in VSX Cluster: Disabled by default. Controlled by the kernel parameter fwha_monitor_specific_vlan. See sk92784.
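The placement rules above (cluster IP addresses only on tagged interfaces, Sync only on the lowest VLAN ID of a physical interface) and the monitoring tables are easy to get wrong when a member carries many VLANs, and a VLAN that is not monitored is a link or next-hop failure the cluster will not detect. The following is an added example, not Check Point code: a small Python model that, given a member's interface list, reports which VLAN IDs each monitoring mode covers and flags placements the page says are unsupported. Interface names are assumed to follow Gaia's `<physical>.<vlan-id>` form; the mode names ("lowest", "lowest_highest", "all", "specific") are this example's own labels for the states the kernel parameters fwha_monitor_low_high_vlans, fwha_monitor_all_vlan and fwha_monitor_specific_vlan select, not parameter names, and the sample interface list is constructed from the page's eth1 example.

```python
"""Added example (not Check Point code): model of the VLAN rules on this page.

Assumptions not taken from the page: interface names use Gaia's "<phys>.<vid>"
form, and the mode labels below stand for the kernel-parameter states the page
describes; they are not the parameter names themselves.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

MODES = ("lowest", "lowest_highest", "all", "specific")


def split_vlan_interface(name: str) -> Tuple[str, Optional[int]]:
    """'eth1.10' -> ('eth1', 10); an untagged interface 'eth1' -> ('eth1', None)."""
    phys, sep, tag = name.partition(".")
    if not sep:
        return name, None
    if not tag.isdigit() or not 1 <= int(tag) <= 4094:  # usable 802.1Q VLAN ID range
        raise ValueError(f"invalid VLAN tag in interface name: {name!r}")
    return phys, int(tag)


def vlan_ids_by_physical(interfaces: Iterable[str]) -> Dict[str, List[int]]:
    """Group configured VLAN IDs under their physical interface, sorted ascending."""
    groups: Dict[str, List[int]] = {}
    for name in interfaces:
        phys, vid = split_vlan_interface(name)
        if vid is not None:
            groups.setdefault(phys, []).append(vid)
    return {phys: sorted(vids) for phys, vids in groups.items()}


def monitored_vlan_ids(vlan_ids: Iterable[int], mode: str,
                       specific: Optional[Iterable[int]] = None) -> Set[int]:
    """VLAN IDs of one physical interface that cluster monitoring covers in `mode`.

    "lowest"         -> only the lowest VLAN ID
    "lowest_highest" -> lowest and highest VLAN IDs (fwha_monitor_low_high_vlans)
    "all"            -> every VLAN ID (fwha_monitor_all_vlan)
    "specific"       -> the listed IDs that exist on the interface (fwha_monitor_specific_vlan)
    """
    ids = sorted(set(vlan_ids))
    if not ids:
        return set()
    if mode == "lowest":
        return {ids[0]}
    if mode == "lowest_highest":
        return {ids[0], ids[-1]}  # a single VLAN yields one ID, not two
    if mode == "all":
        return set(ids)
    if mode == "specific":
        return set(ids) & set(specific or ())
    raise ValueError(f"unknown monitoring mode {mode!r}; expected one of {MODES}")


def unmonitored_vlan_ids(vlan_ids: Iterable[int], mode: str,
                         specific: Optional[Iterable[int]] = None) -> Set[int]:
    """VLAN IDs whose link failure the cluster would NOT detect in `mode`."""
    return set(vlan_ids) - monitored_vlan_ids(vlan_ids, mode, specific)


def check_cluster_ip_placement(iface: str, interfaces: Iterable[str]) -> List[str]:
    """Rule: when a physical interface carries VLANs, cluster IPs go on the tagged interfaces only."""
    phys, vid = split_vlan_interface(iface)
    groups = vlan_ids_by_physical(interfaces)
    if vid is None and phys in groups:
        return [f"{iface}: cluster IP on a physical interface that carries VLANs {groups[phys]} "
                f"is not supported; use a tagged interface and define {phys} with Network Type Private"]
    return []


def check_sync_interface(sync_iface: str, interfaces: Iterable[str]) -> List[str]:
    """Rule: Sync is supported only on the lowest VLAN ID of its physical interface."""
    phys, vid = split_vlan_interface(sync_iface)
    groups = vlan_ids_by_physical(interfaces)
    if vid is None or phys not in groups:
        return []  # untagged Sync interface: the VLAN rule does not apply
    lowest = groups[phys][0]
    if vid != lowest:
        return [f"{sync_iface}: Sync must use the lowest VLAN ID on {phys}, i.e. {phys}.{lowest}"]
    return []


def audit(interfaces: Iterable[str], cluster_ip_ifaces: Iterable[str], sync_iface: str,
          mode: str, specific: Optional[Iterable[int]] = None) -> List[str]:
    """Run every check over one member's configuration and return the findings."""
    interfaces = list(interfaces)
    findings: List[str] = []
    for iface in cluster_ip_ifaces:
        findings += check_cluster_ip_placement(iface, interfaces)
    findings += check_sync_interface(sync_iface, interfaces)
    for phys, vids in vlan_ids_by_physical(interfaces).items():
        gap = unmonitored_vlan_ids(vids, mode, specific)
        if gap:
            findings.append(f"{phys}: VLAN IDs {sorted(gap)} are not monitored in mode {mode!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's eth1 with VLANs 10, 20 and 30, plus an untagged eth0.
    member_ifaces = ["eth0", "eth1.10", "eth1.20", "eth1.30"]
    for line in audit(member_ifaces, ["eth1", "eth1.20"], "eth1.20", "lowest"):
        print(line)
```

Running the sample reports three findings: the cluster IP on the physical interface eth1, the Sync interface eth1.20 (eth1.10 is the lowest VLAN ID), and VLANs 20 and 30 left unmonitored in the lowest-only mode. Switching the mode to "all" or to "specific" with the needed IDs removes the monitoring gap, which is exactly the trade-off the second table lets you make.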