Re: Clustering supports VLANs?

Clustering with VLANs does work - since R55 I believe. The way it works is somewhat "poorly documented", but it's actually not too bad.

The ClusterXL developers were smart enough to realise that when using VLANs, your physical interface might stay up, but it's possible for the switch to stop forwarding VLAN tagged packets. In that situation you could find that ClusterXL stayed active since the physical port was up but the firewall was effectively broken because packets could not be sent or received on a tagged VLAN interface.

What ClusterXL does to counter this is monitor the lowest-numbered VLAN attached to an interface, and send gratuitous ARP requests to all possible IP addresses in that VLAN until it gets a response. It then also tries to send an ICMP ping packet to the first host that it finds; if a response comes back the VLAN interface is considered "up".

For example, if you had a firewall with interfaces eth6.400 and eth6.401, ClusterXL will monitor interface eth6.400 (since it's the lowest numbered VLAN), and begin to send an ARP flood to the entire IP subnet of that VLAN. Once it finds someone and they respond, ClusterXL goes into "Active" state.

Note that other cluster members are good enough - their ARP requests will find each other and consider the VLAN up since Node A would see Node B and vice versa.
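The selection rule described in the post above, as an added example that is not part of the original post or Check Point's code: it groups VLAN sub-interfaces by physical port and reports which one would be probed (the lowest VLAN ID) and which ones depend on that single probe. The interface list is constructed sample data, and `vlan_probe_coverage` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample: interface names as they might appear on a cluster member.
SAMPLE_INTERFACES = ["eth6.401", "eth6.400", "eth5.20", "eth5.7",
                     "eth5.100", "eth1", "lo"]

# <physical>.<vlan-id>, e.g. eth6.400
VLAN_IF = re.compile(r"^(?P<phys>[A-Za-z][\w-]*)\.(?P<vid>\d{1,4})$")


def vlan_probe_coverage(names):
    """Split each port's VLAN sub-interfaces into the one that is probed
    (lowest VLAN ID, as the post describes) and the remaining ones."""
    by_phys = defaultdict(set)
    for name in names:
        m = VLAN_IF.match(name.strip())
        if not m:
            continue  # untagged or non-VLAN interface: out of scope here
        vid = int(m.group("vid"))
        if 1 <= vid <= 4094:  # valid 802.1Q VLAN ID range
            by_phys[m.group("phys")].add(vid)

    coverage = {}
    for phys, vids in by_phys.items():
        # Sort numerically: a string sort would put eth5.100 before eth5.7.
        ordered = sorted(vids)
        coverage[phys] = {
            "probed": f"{phys}.{ordered[0]}",
            "not_probed": [f"{phys}.{v}" for v in ordered[1:]],
        }
    return coverage


if __name__ == "__main__":
    for phys, c in sorted(vlan_probe_coverage(SAMPLE_INTERFACES).items()):
        rest = ", ".join(c["not_probed"]) or "-"
        print(f"{phys}: probed={c['probed']} not_probed={rest}")
```

The `not_probed` list is the set of VLANs whose reachability is inferred from the lowest VLAN on the same port, so those are the ones worth covering with separate monitoring.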