topic Vlan over Bond in Firewall and Security Management

Vlan over Bond

RayP — Thu, 27 May 2021 09:28:09 GMT

Hi,

We have 2 15600 appliances with ClusterXL (active/standby)

Each of the nodes configured with 2 physical interfaces as an bond1 interface.

Operation Mode: 802.3ad

Transmit Hash Policy: Layer2 and LACP Rate: Slow

On top of the bond1 interface we configured 2 vlan's.

Link status in Gaia portal of the bond interface and vlan interfaces are Up.

cphaprob -a if shows me:

bond1 DOWN (88312 secs) non sync(non secured), unicast, bond Load Sharing (bond1.150)
bond1 DOWN (88312 secs) non sync(non secured), unicast, bond Load Sharing (bond1.151)

My questions is, must I also configure a static IP address on the bond1 interface or only on the bond1 vlan id's?

Thanks in advance.

Regards,

Re: Vlan over Bond

Maarten_Sjouw — Thu, 27 May 2021 10:33:23 GMT

You should only configure IP's on the VLAN interfaces, not on bond1 itself.

Re: Vlan over Bond

RayP — Fri, 28 May 2021 07:13:28 GMT

Thnx for the information Maarten.

What could be the reason that the physical interfaces and the bond is Up, but the bond vlan's are still down.

Are there some bond/vlan interfacing troubleshooting cli's.

Re: Vlan over Bond

Maarten_Sjouw — Fri, 28 May 2021 21:15:40 GMT

One of the most common problems is, that when you have multiple switches, the VLAN itself is not in the VLAN database of the switch that your gateway is connected to. Or there is allowed VLAn list on the port and it is not allowed.

It boiles down to the point that the 2 gateways just do not see each other on the VLAN's.

Re: Vlan over Bond

HeikoAnkenbrand — Sat, 29 May 2021 07:37:32 GMT

Hi @RayP,

On an interface, a CCP (Cluster Conection Protocol) packet is sent every 100ms on the highest and lowest VLAN in both directions. ClusterXL detects whether the neighboring interface can be reached. After four lost CCP packets (400ms) the cluster status goes into error mode (interface error) .

If the interface is shown as down with "cphaprob -a if ", the two VLANs do not see each other gateway interface on the network. I think you have a layer 2 (ethernet or VLAN) problem between the two gateways on the switch. The same can be said for a LACP Bond.

Re: Vlan over Bond

genisis__ — Thu, 03 Jun 2021 08:09:46 GMT

Has this every worked?

What is the switch make?

What is the switchport configuration?

Did you do a topology update and then push the configuration? (could be CCP issue)

May be worth taking a look at sk106776/sk92826 & sk121337

What version of Checkpoint are you running (it should not really matter but its worth stating version of Checkpoint and What Jumbo your running).

I have a pair of 15600s and bonded interface running a number of vlans, and as mentioned in this threat, any L3 configuration should only be made on the logical interface, and not on the bond.