RayP
Explorer

Vlan over Bond

Hi,

 

We have 2 15600 appliances with ClusterXL (active/standby)

Each of the nodes is configured with 2 physical interfaces as a bond1 interface.

Operation Mode: 802.3ad

Transmit Hash Policy: Layer2 and LACP Rate: Slow

On top of the bond1 interface we configured 2 VLANs.

The link status in the Gaia portal of the bond interface and the VLAN interfaces is Up.

 

cphaprob -a if shows me:


bond1 DOWN (88312 secs) non sync(non secured), unicast, bond Load Sharing (bond1.150)
bond1 DOWN (88312 secs) non sync(non secured), unicast, bond Load Sharing (bond1.151)

My question is, must I also configure a static IP address on the bond1 interface or only on the bond1 VLAN IDs?

Thanks in advance.

Regards,

 

0 Kudos

Accepted Solutions
HeikoAnkenbrand
Champion

Hi @RayP,

On an interface, a CCP (Cluster Connection Protocol) packet is sent every 100ms on the highest and lowest VLAN in both directions. ClusterXL detects whether the neighboring interface can be reached. After four lost CCP packets (400ms) the cluster status goes into error mode (interface error).

If the interface is shown as down with "cphaprob -a if", the two VLANs do not see each other's gateway interface on the network. I think you have a layer 2 (Ethernet or VLAN) problem between the two gateways on the switch. The same can be said for a LACP Bond.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips


(1)
5 Replies
Maarten_Sjouw
Champion

You should only configure IPs on the VLAN interfaces, not on bond1 itself.

Regards, Maarten
RayP
Explorer

Thanks for the information, Maarten.

What could be the reason that the physical interfaces and the bond are Up, but the bond VLANs are still down?

Are there some bond/VLAN interfacing troubleshooting CLIs?

0 Kudos
Maarten_Sjouw
Champion

One of the most common problems is that, when you have multiple switches, the VLAN itself is not in the VLAN database of the switch that your gateway is connected to. Or there is an allowed VLAN list on the port and it is not allowed.

It boils down to the point that the 2 gateways just do not see each other on the VLANs.

Regards, Maarten
0 Kudos
genisis__
Leader

Has this ever worked?

What is the switch make?

What is the switchport configuration?

Did you do a topology update and then push the configuration? (could be CCP issue)

May be worth taking a look at sk106776/sk92826 & sk121337

What version of Check Point are you running (it should not really matter, but it's worth stating the version of Check Point and what Jumbo you're running)?

I have a pair of 15600s and a bonded interface running a number of VLANs, and as mentioned in this thread, any L3 configuration should only be made on the logical interface, and not on the bond.

 

0 Kudos
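
A triage helper for the situation discussed in this thread, added here as an example and not code from any poster or from Check Point: it reads `cphaprob -a if` output and lists the VLAN IDs whose monitored interface is DOWN, which are the IDs to verify in the switch VLAN database and the trunk allowed list. It assumes the output lines have the shape quoted in the question; the function names and the `bond2` line are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `cphaprob -a if` prints
# lines shaped like the two quoted in the question.

# Two lines copied from the question plus one constructed UP line
# (bond2 and VLAN 200 are hypothetical).
sample_output() {
cat <<'EOF'
bond1 DOWN (88312 secs) non sync(non secured), unicast, bond Load Sharing (bond1.150)
bond1 DOWN (88312 secs) non sync(non secured), unicast, bond Load Sharing (bond1.151)
bond2 UP non sync(non secured), unicast, bond Load Sharing (bond2.200)
EOF
}

# Reads `cphaprob -a if` output on stdin and prints
# "<parent> <vlan-id> <secs-down>" for every interface reported DOWN.
ccp_down_vlans() {
  awk '
    $2 == "DOWN" {
      secs = "?"
      # "(88312 secs)" -> 88312
      if (match($0, /\([0-9]+ secs\)/))
        secs = substr($0, RSTART + 1, RLENGTH - 7)
      # A trailing "(bond1.150)" names the VLAN interface being monitored.
      last = $NF
      if (last ~ /^\([^.()]+\.[0-9]+\)$/) {
        gsub(/[()]/, "", last)
        split(last, p, ".")
        print p[1], p[2], secs
      } else {
        print $1, "-", secs   # untagged interface: no VLAN ID to report
      }
    }'
}

# Unique VLAN IDs to compare against the switch VLAN database and the
# allowed-VLAN list on the trunk ports facing both cluster members.
ccp_vlans_to_check() {
  ccp_down_vlans | awk '$2 != "-" { print $2 }' | sort -nu | paste -sd, -
}

# Demo on the embedded sample. On a cluster member, feed live output
# instead: cphaprob -a if | ccp_vlans_to_check
sample_output | ccp_down_vlans
```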
