Iron

R80.20-R80.30 ClusterXL vlan monitoring

Hello,

I cannot find any discussion about the fact that in the OS R80.20 and R80.30 admin guides, in the section "vlan support in clusterXL", monitoring all VLAN IDs is no longer supported. I would like to understand why 🙂

Is there any other way to monitor all VLANs, then?

Can someone help?

Thank you

Best regards,

Furil

0 Kudos
9 Replies
Admin

Re: R80.20-R80.30 ClusterXL vlan monitoring

By default, we monitor the lowest and highest VLAN in R80.20+.
You should also be able to pick a specific VLAN using: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Iron

Re: R80.20-R80.30 ClusterXL vlan monitoring

Hello,

Thank you for your help, yes I also found this SK but I was wondering if there was another possibility instead of doing this...

So if someone has 150 VLAN interfaces, then he will have to mention them in this file. And each time we create a new VLAN, we will have to update this same file. Fortunately, only the first usage of this file needs the gateway to be rebooted 🙂

In my opinion it just adds a little bit more work: each time we create a new VLAN we must not forget to update this file. But why do that now, when in R80.10 it was still supported... (yes, I am lazy :))

Last thing (if you do not know, no problem): I do not understand why, by design, we monitor only the lowest and highest VLAN.

For instance, I have 3 VLANs: 10, 20 and 30.

By design only 10 and 30 will be monitored in that case, so if there is an issue with VLAN 20 or any bug related to it, we will get no failover?

Thank you Phoneboy for your help as always 🙂

Best regards,

Furil

0 Kudos

Re: R80.20-R80.30 ClusterXL vlan monitoring

I do not understand why one would monitor every VLAN of an interface - if the physical IF goes down, a failover will occur, but to register this fact we need not monitor all 150 VLANs of the IF. Please explain the background behind your question and the experiences that shaped your need for it!

0 Kudos
Silver

Re: R80.20-R80.30 ClusterXL vlan monitoring

This would be useful if your firewall cluster is geographically diverse, and VLANs get trunked across multiple switches to make the cluster work. If a particular VLAN isn't trunked properly across the middle, Check Point won't recognize the problem and fail over or alert on the issue.

0 Kudos
Admin

Re: R80.20-R80.30 ClusterXL vlan monitoring

Each interface/VLAN that is monitored requires CCP packets to be sent as part of that process.
I imagine that doing this for tens or hundreds of VLANs would cause a fair bit of overhead on the gateway.
Since a given VLAN shouldn't go down unless the physical interface goes down (taking down all VLANs), it seems sufficient to only monitor a few of them, at least as I see it.

Note: on VSX with VSLS, we monitor all VLANs by default in R80.20+, but the clustering with VSX is different.
0 Kudos
Platinum

Re: R80.20-R80.30 ClusterXL vlan monitoring

If you want to monitor all VLANs, simply create a script which will report to you a successful ping of the cluster member.

If ping is OK on each and every VLAN, you are green. In case some VLAN in the middle has some issue (VLAN removed from trunk on switch side), you will get no ARP reply = you can consider this VLAN as dead.

Kind regards,
Jozko Mrkvicka
0 Kudos
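
The per-VLAN ping check suggested in the reply above, written out as an added example (not code from the thread or from Check Point). It assumes a Linux `ping` that accepts `-I`, `-c` and `-W`; the interface names, peer addresses and the `probe_sample` stand-in are constructed for the demo.

```bash
#!/bin/bash
# Added example: probe the peer cluster member on every VLAN interface.
# Usage: vlan_check.sh PEERS_FILE   (one "vlan-interface peer-ip" per line)

# Constructed sample data: interface names and peer addresses are made up.
SAMPLE_PEERS='# iface   peer-ip
eth1.10 192.0.2.2
eth1.20 198.51.100.2
eth1.30 203.0.113.2'

# Real probe: 3 echo requests out of the VLAN interface, 1 s timeout each.
# Succeeds if at least one reply arrives (no ARP reply means no echo reply).
probe_ping() {
    ping -I "$1" -c 3 -W 1 "$2" >/dev/null 2>&1 </dev/null
}

# Offline stand-in for the demo: pretends VLAN 20 was dropped from the trunk.
probe_sample() {
    [ "$1" != "eth1.20" ]
}

# check_vlans PROBE: read "iface peer" pairs from stdin, run PROBE on each,
# print one status line per VLAN. Returns 1 if any VLAN is dead, else 0.
check_vlans() {
    probe="$1"; rc=0
    while read -r iface peer rest; do
        case "$iface" in ''|\#*) continue ;; esac   # skip blanks and comments
        if "$probe" "$iface" "$peer"; then
            echo "OK   $iface $peer"
        else
            echo "DEAD $iface $peer"
            rc=1
        fi
    done
    return "$rc"
}

if [ -n "${1:-}" ]; then
    check_vlans probe_ping < "$1"          # real run against a peers file
else
    # Demo on the constructed sample; VLANs 10 and 30 answer, 20 does not.
    printf '%s\n' "$SAMPLE_PEERS" | check_vlans probe_sample \
        || echo "at least one VLAN has no path to the peer"
fi
```

Run from cron with a peers file as the first argument, the non-zero exit status can drive an alert for a VLAN that ClusterXL's lowest/highest monitoring would not cover.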
Employee+

Re: R80.20-R80.30 ClusterXL vlan monitoring

The relevant section in the ClusterXL Admin Guides was updated:

R80.30 ClusterXL Admin Guide

R80.20 ClusterXL Admin Guide

R80.10 ClusterXL Admin Guide

Admin

Re: R80.20-R80.30 ClusterXL vlan monitoring

Looks like we still only monitor lowest VLAN ID unless you make specific configuration changes, based on the documentation changes.
Is that correct?
0 Kudos
Employee

Re: R80.20-R80.30 ClusterXL vlan monitoring

Hi,

We do monitor the high & low VLANs on ClusterXL; we only monitor the lowest VLAN on VSs in the VSX platform (due to performance reasons).

You can also check the following SK:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Regards,

Guy.


Regards,

Guy Elyashiv | Group Manager – Clustering & Multitenancy
0 Kudos