This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Miguel_Mig
Advisor
‎2023-12-11 08:48 AM

ClusterXL VMAC question

Is it fair to say that CLUSTERXL without VMAC is still more reliable/consistent that CLUSTERXL with VMAC?
I am interested in R80.40 and R81.10 especially.

I have experience with ClusterXL with/without VMAC and automatic NATs/proxyarp in R77.20 and I never had any issue and failover with both are seamlessly. 

I like VMAC mode in theory, however I have googled it a bit and I see a number of  issues in the past related with ClusterXL and VMAC for example:

  • Cisco conversational mac learning
  • Cisco STP no edge/fast port
  • L2 routing like F5 auto last hop
  • Proxyarp and automatic nat
  • Hosts -> duplicated ips - 2macs (physical and virtual) for the same cluster ip

 

On the other side, I have never seen issues with GARPs and updating host ARP tables. VMAC may allow faster failovers but not substantially faster just microseconds.

So that is why I am more inclined for no VMAC. Any thought on it?

In case of using VMAC always with "SAME VMAC" option on, right? fwha_alter_vmac_param



0 Kudos
3 Replies
the_rock
Legend
Legend
‎2023-12-11 09:32 AM

Im so glad you asked this question. Personally, I always find that with customers, this is really dependant on what kind of switch they use. I find anyone using Aruna switches does not have any problems, but Cisco on the other side can be a different story.

All those things you listed are definitely true. CP version from what I had seen does not play significant role here.

Best regards,

Andy

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-12-11 10:41 AM

If you have a really large number of proxy ARP entries, sometimes the firewall doesn't flush them out consistently after failover or policy push. I have a firewall which hit this. Before enabling VMAC, a failover would take down traffic for 30+ minutes while adjacent devices relearned all the MACs. After enabling VMAC, there is no observed traffic impact from a failover.

(1)
the_rock
Legend
Legend
‎2023-12-11 10:51 AM
In response to Bob_Zimmerman

Excellent point, had customer few years ago with that issue.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events