This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jake_Stafeyev
Explorer
‎2018-11-22 05:26 AM

Question about ClusterXL on a "trunk" port (cphaprob -a if command output)

When I have an ClusterXL interface with VLANs on it, the ClusterXL feature examines only the status of the first and the last VLAN.

A. Is it correct?

B. Why?

C. If I had status change for the first VLAN only (observed on SmartViewTracker), is it enough to change the entire ClusterXL untis status (Main / Secondary)?

D. If I had status change for the first VLAN only (observed on SmartViewTracker), should the last VLAN status change appear in the SmartView Tracker as well?

2 Replies
Maarten_Sjouw
Champion
Champion
‎2018-11-22 02:10 PM

A. Yes

B. Who knows, VRRP does not have this limitation, but it can also be turned on to monitor all VLAN's

C. Any interface, VLAN or physical, failing should trigger a failover. In VRRP you define the delta and the priority of each member and as soon as 1 interface goes down, VLAN or physical, it will lower the priority with it's delta, when this causes the priority to become lower than the other member it will fail over. ClusterXL will just put the member with a failing VLAN or physical interface, into a problem state, the member not being in problem state will then become active.

D. I can have someone mess up the switchport the FW is connected to and accidentally delete the VLAN from the trunk, what does the last VLAN then have to do with the first? Each and every interface, VLAN or physical, should be handled as a separate point to be checked for health of the cluster.

Specially when you're running VSX systems with big (10Gb) trunk interfaces with 20 or more VLAN's on it you really need to be sure that all those VLAN's are alive. The first 3 VLANs might be in use on VS1 the next 5 on VS2 etc. Now when the 6th VLAN fails for whatever reason, I will not be noticed unless I change the setting fwha_monitor_all_vlan=1 (fwkern.conf parameter) that all VLAN's need to be monitored.

Regards, Maarten
_Val_
Admin
Admin
‎2018-11-22 11:51 PM

B: because CCP is noisy, and with lots on VLANs on the trunk you will have too many probing packets going in and out. Monitoring the highest and lowest VLANs is a reasonable and economical way to make sure physical trunk is okay. In case you need to do that on EVERY VLAN, there is a kernel parameter you could change. NOT recommended.