topic Re: Sync interface IP assignment best practice in General Topics

Sync interface IP assignment best practice

Wayne_Situ — Tue, 28 May 2019 19:23:37 GMT

what is best practice to assign IPs to sync interface?

we are using rfc1918 IPs with /30 for sync interfaces. recently we discovered this problem. the IPs that we are using are also used on the network. when traffic to these destinations hits the firewall it promptly drops the packets due to the stealth rule and also the route is learned as connected. is there anyway we can exclude the sync interface from advertised? or do i need to re-ip all of my firewalls sync to use ip such as 127.0.0.0/30? thanks

C 192.168.80.0/30 is directly connected, eth3-01 Sync

Re: Sync interface IP assignment best practice

G_W_Albrecht — Wed, 29 May 2019 08:24:17 GMT

See ClusterXL Administration Guide R80.20:

We recommend that you secure the synchronization interfaces using one of the following strategies:

• Use a dedicated synchronization network.

• Connecting the physical network interfaces of the Cluster Members directly using a cross-cable. In a cluster with three or more members, use a dedicated hub or switch.

Notes:

• See Supported Topologies for Synchronization Network (on page 26).

• You can synchronize members across a WAN. To do this, do the steps in Synchronizing Clusters on a WAN (on page 54).

• In ClusterXL, the synchronization network is supported on the lowest VLAN tag of a VLAN interface. For example, if three VLANs with tags 10, 20 and 30 are configured on interface eth1, only interface eth1.10 may be used for synchronization.

Re: Sync interface IP assignment best practice

Wayne_Situ — Wed, 29 May 2019 23:54:49 GMT

sorry if I wasn't clear with my question.

I want to know what is the best practice of IP assignment to the Sync interface. I am using 192.168.80.1 and 192.168.80.2 for the firewalls with /30 mask. this is a private range and I never thought it would cause a problem until I find out there is an actual system using the same IP. so when the packet arrived at the firewall, the firewall see the destination as directly connected. it drops the packet. from the firewall's route table perspective I never thought the crossover cable for the Sync interface would be advertised. but it is and it's a problem.

question is do I need to re-ip the sync interfaces? or my preference is how to stop the sync interface IPs being advertised?

Re: Sync interface IP assignment best practice

PhoneBoy — Mon, 03 Jun 2019 17:08:30 GMT

If your sync IPs are in use elsewhere in your environment, you will need to change your sync IPs.
They should be unique to the cluster and not in use anywhere else in your environment.

Re: Sync interface IP assignment best practice

Maarten_Sjouw — Mon, 03 Jun 2019 18:20:48 GMT

There is a range of IP's that will not be routed anywhere and should only be used for network connections, this is the 100.64.0.0-100.127.255.255 range, also called the ISP range.
IP's from this range will not interfere with anything else and are growing in popularity for this kind of use.