Jose_Rivera
Participant

ClusterXL - BFD (Bidirectional Forwarding Detection)

We have tried to enable BFD support between a cluster (ClusterXL) and a third party.

While this seems to work well for non-clusters, when set up on a cluster, it is using the physical IP of the active cluster member instead of the VIP. The third party has our VIP defined on their side.

Does anyone know how to force BFD to use the VIP configured on a clustered gateway? 

The gateways are currently running R80.20, with plans to upgrade to R80.30 by month's end.

Jelle_Hazenberg
Collaborator

Hi,

I am not sure, but...

As the admin guide for R80.30 describes, I don't think you cannot configure the VIP for this. The admin guide describes the following:

From R80.20, the Gaia OS supports Bidirectional Forwarding Detection (BFD). See RFC 5880 and RFC 5881 for more information.

In a ClusterXL High Availability mode, only the Active member sends and accepts BFD packets.

ClusterXL Standby cluster members do not send or accept BFD packets. They treat all their peer cluster members as reachable.

Regards,

Jelle

Brian_Deutmeyer
Collaborator

Make sure you don't have a "no NAT rule" in place on the NAT policy. Another option is to add a rule at the top of the NAT policy that says:
Original Source: <group_of_firewall_physical_IPs>
Original Destination: <network_or_IPs_of_BFD_peers>
Original Service: <bfd_service>

Translated Source: <new_node_object_of_cluster_IP>
Translated Destination: Original
Translated Service: Original

This rule will ensure the BFD traffic gets hidden behind the cluster. You may need to remove the old connection once the NAT is in place. BFD is working on my physical clusters.
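
One way to check from a capture that the hide-NAT rule above is taking effect, i.e. that BFD control packets reach the peer from the cluster VIP and not from a member's physical IP (added example, not part of the original post). The function names, the documentation-range addresses and the sample `tcpdump -nn` lines are constructed assumptions; UDP 3784 is the single-hop BFD control port from RFC 5881.

```python
import ipaddress
import re

BFD_CONTROL_PORT = 3784  # RFC 5881: single-hop BFD control, UDP destination port

# Matches the address part of a `tcpdump -nn` IPv4 line: "IP src.sport > dst.dport:"
FLOW_RE = re.compile(r"\bIP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def classify_bfd_sources(lines, cluster_vip, member_ips, peer_ips):
    """Count outbound BFD control packets by the source address the peer sees."""
    vip = ipaddress.ip_address(cluster_vip)
    members = {ipaddress.ip_address(ip) for ip in member_ips}
    peers = {ipaddress.ip_address(ip) for ip in peer_ips}
    report = {"vip": 0, "physical": 0, "other": 0, "offenders": set()}
    for line in lines:
        match = FLOW_RE.search(line)
        if not match:
            continue  # not an IPv4 flow line
        src, _sport, dst, dport = match.groups()
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if int(dport) != BFD_CONTROL_PORT or dst not in peers:
            continue  # only packets the cluster sends to its BFD peers
        if src == vip:
            report["vip"] += 1
        else:
            # Anything but the VIP is an address the peer does not have configured.
            report["physical" if src in members else "other"] += 1
            report["offenders"].add(str(src))
    return report


def nat_rule_effective(report):
    """True when every BFD packet sent to the peers carried the cluster VIP."""
    return report["vip"] > 0 and not report["offenders"]


# Constructed sample capture (documentation addresses, not taken from the thread).
SAMPLE = """\
12:00:01.000001 IP 192.0.2.2.49152 > 192.0.2.254.3784: BFDv1, Control, State Down, Flags: [none], length: 24
12:00:01.300000 IP 192.0.2.254.49160 > 192.0.2.1.3784: BFDv1, Control, State Down, Flags: [none], length: 24
12:00:02.000001 IP 192.0.2.2.49152 > 192.0.2.254.3784: BFDv1, Control, State Down, Flags: [none], length: 24
12:00:02.500000 IP 192.0.2.2.40211 > 192.0.2.254.179: Flags [P.], length 19
12:00:09.000001 IP 192.0.2.1.49152 > 192.0.2.254.3784: BFDv1, Control, State Up, Flags: [none], length: 24
""".splitlines()

if __name__ == "__main__":
    print(classify_bfd_sources(SAMPLE, "192.0.2.1", ["192.0.2.2", "192.0.2.3"], ["192.0.2.254"]))
```

The capture has to be taken after NAT is applied (on the wire or at the peer), otherwise the pre-translation physical address is what shows up.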

Sanjay_S
Advisor

Hi All,

So this works perfectly with a VSX cluster, does it? As it will have only one IP for all the cluster members?

Brian_Deutmeyer
Collaborator

Correct. You just put in your peers on the firewall to monitor. The peers need to configure the HA (single) IP of the firewall. Only the active member will speak BFD, but you need to configure both sides for failover.

Sanjay_S
Advisor

Thank you, Brian. We will replicate the config on all the VSX cluster members for failover, and since, as suggested, this is the single IP and VSX has one IP, we will try to implement it and see the outcome.
