Can we avoid the promiscuous mode for vSEC clustering ?

I have been working for a few weeks on the virtualization of Check Point security gateways. To allow the HA protocol (CCP) in order to create a ClusterXL, I had to enable promiscuous mode in VMware.
So I was wondering whether there is another solution.
If not, are there some best practices to avoid route causes in datacenters (packet loss for example)?

6 Replies
Admin

Re: Can we avoid the promiscuous mode for vSEC clustering ?

I'm not sure what you mean by "route causes."

In general, the CCP packets (which are Multicast by default) are there to determine reachability/availability of the cluster members on interfaces.

You can potentially switch ClusterXL mode to Broadcast mode: How to set ClusterXL Control Protocol (CCP) in Broadcast / Multicast mode in ClusterXL 

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Actually, it may not be the right term.

In order "to determine reachability/availability of the cluster members on interfaces", we must enable promiscuous mode on the vSwitch in VMware (for both broadcast and multicast).

And I have some packet loss in my datacenter due to this mode, so I am looking for some best practices to avoid this mode or reduce its impact.

But I haven't found any information about this yet (in the forum or in CP docs).

For information, we use vSphere 5.5.

Maybe you have another idea?

Admin

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Unfortunately, ClusterXL in its various forms requires multicast or broadcast packets, so this mode is required.

Its use is commensurate with the amount of traffic being passed by the cluster.

Perhaps you can limit its impact by reducing the number of devices directly connected to the same vSwitches as the vSEC instances.

As this sounds like a VMware issue, have you engaged with them at all?
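An added example, not from this thread and not Check Point's or VMware's own tooling, that audits the exposure the reply above suggests reducing: it parses constructed samples in the layout of `esxcli network vswitch standard policy security get -v <vSwitch>` and `esxcli network vswitch standard portgroup list` (ESXi 5.5 column layout assumed) to report whether promiscuous mode is allowed on a vSwitch and how many active clients share that vSwitch with the vSEC port groups.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the two things discussed above:
# whether "Allow Promiscuous" is enabled on a vSwitch, and how many active
# clients share that vSwitch. On a real host, replace the constructed samples
# with the real esxcli output; the column layout below is an assumption.

# Constructed sample: esxcli network vswitch standard policy security get -v vSwitch1
SAMPLE_POLICY='   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false'

# Constructed sample: esxcli network vswitch standard portgroup list
SAMPLE_PORTGROUPS='Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1        0
vSEC-Sync           vSwitch1                     2      100
vSEC-Inside         vSwitch1                     2      200
AppServers          vSwitch1                    14      200
Backup              vSwitch2                     3      300'

# Prints the value ("true"/"false") of the Allow Promiscuous line of a policy dump.
promisc_allowed() {
  printf '%s\n' "$1" | awk -F': *' '/Allow Promiscuous/ { print $2; exit }'
}

# Sums Active Clients over every port group on the named vSwitch. Port group
# names may contain spaces, so columns are addressed from the end of the line;
# the header and separator rows are skipped because their client field is not numeric.
clients_on_vswitch() {
  printf '%s\n' "$2" | awk -v vs="$1" \
    '$(NF-2) == vs && $(NF-1) ~ /^[0-9]+$/ { sum += $(NF-1) } END { print sum + 0 }'
}

# Returns 1 when promiscuous mode is allowed AND more than $4 clients share the
# vSwitch (every one of them receives the flooded CCP traffic); 0 otherwise.
audit_vswitch() {
  vs=$1; policy=$2; pgs=$3; limit=$4
  allowed=$(promisc_allowed "$policy")
  clients=$(clients_on_vswitch "$vs" "$pgs")
  printf '%s: promiscuous=%s active_clients=%s\n' "$vs" "$allowed" "$clients"
  if [ "$allowed" = "true" ] && [ "$clients" -gt "$limit" ]; then
    return 1
  fi
  return 0
}

audit_vswitch vSwitch1 "$SAMPLE_POLICY" "$SAMPLE_PORTGROUPS" 10 \
  || echo "vSwitch1: consider moving VMs unrelated to the cluster to another vSwitch"
```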

Re: Can we avoid the promiscuous mode for vSEC clustering ?

You are perfectly right. It is indeed a VMware issue, and it would seem that we must upgrade our vSphere platform to version 6.

With v6 we could use multicast without promiscuous mode, but I would have liked to have Check Point's confirmation that this is the best practice.

By the way, thanks for your response.

Vladimir

Re: Can we avoid the promiscuous mode for vSEC clustering ?

The packet loss you are referring to may be due to the broadcast control configured on physical switches your ESXi servers are connected to.

Please verify if there are any settings limiting broadcast set on the ports corresponding to NICs that have port groups and vSwitches assigned to the ClusterXL members. 

Re: Can we avoid the promiscuous mode for vSEC clustering ?

Thank you, I will check this lead with the virtualization infrastructure team.
