CyberBreaker
Contributor

ClusterXL SG Bridge Mode Connection

Hi Guys,

I have 2 new security gateways in VSX bridge mode in ClusterXL. These security gateways are connected to a stacked switch (1 gateway to 1 switch physical connection). My concern is that since the gateways are not running in L3 mode, the stacked switch is not pointing to a VIP to route the traffic, and the switch is prone to passing the traffic to the standby firewall, hence it will drop the traffic.

Is this how the CP behaves or are there any ways to prevent it?

Thank you very much.

0 Kudos
7 Replies
Maarten_Sjouw
Champion

With VSX only 1 gateway is handling the specific VS, so there will not be any information on the other switch about MAC addresses on the other side of the bridge.
Regards, Maarten
0 Kudos
CyberBreaker
Contributor

Hi @Maarten_Sjouw , 

I understand that part, but I am still confused, since the switch that connects to the gateways is a stacked switch. Both of the switches are in active/active and each switch is connected to a security gateway (1 switch to 1 gateway physical connection).

In this scenario, there is a possibility that the switch will send the traffic to the gateway which is the standby.

Let us say the active firewall for my VS1 is FW01 and FW02 is the standby. My stacked switch has a physical connection of 1 switch to 1 gateway and both of my switches are forwarding traffic, so there is now a possibility that my FW02 can receive traffic while FW02 is in the standby state.

Thank you for the help.

0 Kudos
Maarten_Sjouw
Champion

Each switch builds its MAC table per port. When the VS is not active on member 2 it will not tell Switch2 any MAC addresses. So again Switch2 does not know about these addresses and will not forward anything for those addresses to your FW02.
Regards, Maarten
0 Kudos
CyberBreaker
Contributor

Hi @Maarten_Sjouw 

Thanks for the clarification about that. So is this also applicable to either mode of deployment, L3 or bridge mode?

Thanks

0 Kudos
Maarten_Sjouw
Champion

Also in L3, the VS is only active on 1 of the 2 FWs, not on the other.
Regards, Maarten
0 Kudos
CyberBreaker
Contributor

Hi @Maarten_Sjouw ,

But it should be the same in bridge mode, right?

A VS can be active in only 1 FW in ClusterXL?

Thanks

0 Kudos
Maarten_Sjouw
Champion

As I already said, a VS can only be active on 1 FW; it will not do anything on the other FW except for keeping the connection table up to date.
It is not active in either mode on the Backup FW.
Regards, Maarten
0 Kudos
