Charles_Hurst
Contributor

Interface Bonding Problem

Hey guys,

Just struggling a bit in my lab currently studying for my CCSA, and in order to move forward I have a requirement to create a DMZ zone; however, due to a lack of interfaces I am having to VLAN this using a Cisco switch. I've configured ClusterXL, therefore (I believe) I need to use LACP to run the trunks active/active. I've set up the Cisco side and this has taken my ports down due to not having LACP configured on the Check Point side.

I figured that I need to create a bond via Gaia, and then I read somewhere else online about creating bond VLANs on top.

The problem is that I don't seem to be able to remove the IP from the interface in order to create the bond. The error just states:

KERLAG0029 Interface eth1 has IP addresses configured.

However, prior to this I have set it to DHCP, I've run delete interface ETH1, restarted the gateway, and updated all these changes through SmartConsole. Still the same:

The interface shows as:

Interface eth1
state on
mac-addr 08:00:27:48:56:50
type ethernet
link-state link up
mtu 1500
auto-negotiation on
speed N/A
ipv6-autoconfig Not configured
duplex N/A
monitor-mode off
link-speed Not configured
comments
ipv4-address Not Configured
ipv6-address Not Configured
ipv6-local-link-address Not Configured

So I'm a little bit stuck and unable to find anything from my trusty friend Google... Any help would be appreciated!

Thanks,

Charles 


6 Replies
Vladimir
Champion

Charles,

You do not need LACP on the Cisco side if you are using ClusterXL.

If the cluster members are connected to two different ports of the same Cisco switch, the failover will happen due to advertisement of the interface of the active cluster member to Cisco. You may also elect to use vMAC on Check Point side to make things more interesting:

This will advertise the same vMAC out of all the cluster's interfaces, but Cisco will keep independent CAM tables per VLAN, so it will not be confused by this.

As to your interface issues, make sure that you've removed the IP from this interface on both cluster members.

Then try changing its state to "off":

>set interface eth1 state off

>save config

then turn it on again, giving some time for the ARP cache to expire.

For the purposes of using this interface as a trunk, once the IP is removed, simply create sub-interfaces specifying the correct "Member Of:" values on both cluster members:

Once done, execute "Get Topology" from the cluster object properties and you should be good to go.

Charles_Hurst
Contributor

Hey,

Thanks so much for your reply.

So the rabbit hole gets a little deeper. I read your first section, and that was originally how I set up the interfaces, just with two VLANs underneath ETH1, as so:

On both cluster members.

The reason I thought I needed LACP was because on cluster node 2 the interfaces kept going to No Link:

After you confirmed this is the way it should be done, I ditched LACP, turned on vMAC and tried again. I then had a moment of realization that this could be Spanning Tree, so I set both ports on the Cisco switch to portfast trunk, then disabled and re-enabled the port on the Check Point side. It seemed to be OK until I ran Get Topology, and then bang, it went back to No Link.

So I went back and disabled Spanning Tree on those VLANs completely on the Cisco (obviously not best practice) to try to eliminate this, and again it stays up. Obviously I get a ClusterXL error because it has not got an IP for node 2 yet, but again, as soon as I run Get Topology it instantly goes to No Link.

I don't know if I'm just being stupid and missing something obvious. The ports obviously have a link, and it stays up until something tries to use it or query it in any way, then Gaia shows them as No Link.

There is nothing in the SmartConsole logs for this; not sure if there are other logs or monitoring I can use to see what is causing the port link status to change.

Just to try and show the problem in pictures:


I must be missing something but I just cannot figure out what it is.

Thanks again,

Charles

AlekseiShelepov
Advisor

One thing that you can also try is to manually configure IP addresses for eth1.100 and eth1.200 on the second node, and try to install policy after that.

This thing with the interface down on the second node is not normal, but I cannot see an obvious reason for it. Usually there were "flapping interfaces" messages on switches until the cluster is working (after policy installation), but it usually didn't disable interfaces. And Get Topology shouldn't shut down an interface either.


These firewalls should be virtual machines, right? Did you just copy one to another after installation? Do they have the same MAC addresses?

Could you also show the config from the switch ports?

Charles_Hurst
Contributor

Yeah, I did try that; it didn't bring them back up.

I think you are correct in thinking this is a problem with how I'm virtualizing them, as it's a virtual Cisco VIRL switch as well, which can be a little bit fussy about what it likes and doesn't like...

However, set up as a bond and it's fine:

Very odd with that IP problem, though, to configure the bond. In the end I had to disable the interface through the Gaia portal, and then it showed the previous static IP that I had guessed was removed when I set it to DHCP (if the interface was enabled it showed the static IP boxes as empty; as soon as it was disabled an IP appeared in there). So I had to disable them, set to static and delete the IP and mask, then OK, go back in, set back to DHCP and enable, and then it would allow me to set up the bond. Possible bug in the Gaia portal? *shrugs shoulders*

Thanks so much for your help; glad I wasn't going completely mad, and my configuration would have worked if it wasn't for strange virtual gremlins.

This will work for me for the time being and get me through my exam so that is great.

Thanks again,

Charles
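The two Gaia-side paths discussed in this thread, Vladimir's VLAN sub-interfaces on a bare eth1 and the bond Charles ended up with, written out as one added Gaia clish example (my own, not from any of the posters or from Check Point). The addresses, VLAN IDs 100 and 200, bond group 1 and the second slave eth2 are constructed assumptions; the commands are standard Gaia clish.

```clish
# Added example, not from the thread. Run in Gaia clish on EACH cluster member;
# addresses, VLAN IDs, bond group number and eth2 are constructed assumptions.

# 1. Prerequisite for both paths: the physical interface must hold no address.
#    KERLAG0029 ("Interface eth1 has IP addresses configured") is the bond
#    command refusing an interface that still has one. Do this on both members.
delete interface eth1 ipv4-address
set interface eth1 state off
save config
show interface eth1          # ipv4-address must now read "Not Configured"
set interface eth1 state on  # bring it back once the switch-side ARP/CAM entry has aged

# 2a. Path A (Vladimir's reply): 802.1Q sub-interfaces directly on eth1.
#     No LACP on the switch, just a trunk carrying VLANs 100 and 200.
#     Member 1 gets .2, member 2 gets .3; the cluster VIP is defined in SmartConsole.
add interface eth1 vlan 100
add interface eth1 vlan 200
set interface eth1.100 ipv4-address 10.0.100.2 mask-length 24
set interface eth1.200 ipv4-address 10.0.200.2 mask-length 24
save config

# 2b. Path B (what Charles ran in the end): an 802.3ad bond, VLANs on top.
#     Only valid if the switch side is an LACP port-channel; a plain trunk
#     port facing a bond is exactly the mismatch that drops the link.
add bonding group 1
set bonding group 1 mode 8023AD
add bonding group 1 interface eth1
add bonding group 1 interface eth2   # assumed second slave; a one-member bond also works
add interface bond1 vlan 100
add interface bond1 vlan 200
set interface bond1.100 ipv4-address 10.0.100.2 mask-length 24
set interface bond1.200 ipv4-address 10.0.200.2 mask-length 24
save config

# 3. Verify before touching SmartConsole.
show bonding group 1         # slaves listed, state up (path B only)
show interfaces              # eth1.100/eth1.200 or bond1.100/bond1.200 present
```

Pick one path, not both, and make the switch port match it: path A wants a trunk with no channel-group, path B wants the same trunk configuration applied to a port-channel in LACP mode. Only after both members show the sub-interfaces should you run Get Topology and install policy; in expert mode, `cphaprob state` and `cphaprob -a if` then show whether ClusterXL itself considers each interface up, which is a more useful place to look than the SmartConsole logs when a member drops to No Link.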

Vladimir
Champion

Charles,

Please advise if your Check Point cluster members are virtual or physical and if they are virtual, what are you running them on.

If they happen to be virtual and are running on ESXi, please check out this: How to configure Virtual Switch (vSwitch) for cluster of Security Gateways Virtual Edition in Networ... 

Charles_Hurst
Contributor

Sorry my replies go through moderators so take a little while to appear please see latest 🙂

I'm running them far from ideally; they are actually running within a GNS3 lab, as I use this for my Cisco switches, and they have been bolted on to my previous lab. I am contemplating scrapping this and moving over to ESXi; however, I do like having such a mixed environment with my CPs, Cisco devices and Juniper SRXs all together.

Thanks for all your help, both!

Charles
