ClusterXL and VLANS

[luisrocha]

Hi,
Anyone had used ClusterXL with Vlans in SPLAT ?

I have tried to setup
2 SunX4200 (X86) with SPLAT R65 ED (Early Deployment)
Switch Enterasys MatrixN7
ClusterXL - LoadSharing Unicast

Everithing configured, but i have some questions regarding this type of configuration

Setting up the Vlans, must i configure a IP adreess to the physical interface associated with the VLANs ? If yes, how must it be configured in the topology ? using Monitored Private ?

In SmartViewMonitor i just see the physical interface and the IP address of the VLan with the lowest Tag ID....

The output of the cphaprob -a if, shows something like this:

Eth5 (eth5.4 ) Multicast

Virtual Interfaces
..
Eth5.4 172.20.xx.x
eth 5.5 141.x.x.x

As you can see, in the physical interfaces it just shows 1 vlans.




Strange things were:
Having the interfaces Partially UP ????

The Interfaces of one of the Vlans did not respond to ARP Requests, i have tried almost everithing, but never responding to ARP request to the Cluster and Interface IP.



Any opinions ?

Thanks.

[chillyjim]

Quote:

Originally Posted by luisrocha

Hi,
Anyone had used ClusterXL with Vlans in SPLAT ?

Do it all the time. Works well.

Quote:

I have tried to setup
2 SunX4200 (X86) with SPLAT R65 ED (Early Deployment)

Why are you not using the GA release? Its been out for 8 months.

Quote:

Setting up the Vlans, must i configure a IP adreess to the physical interface associated with the VLANs ? If yes, how must it be configured in the topology ? using Monitored Private ?

No you do not and should not.

Quote:

In SmartViewMonitor i just see the physical interface and the IP address of the VLan with the lowest Tag ID....

This is correct. By default only the lowest numbered VLAN is monitored.

Quote:

Strange things were:
Having the interfaces Partially UP ????

The Interfaces of one of the Vlans did not respond to ARP Requests, i have tried almost everithing, but never responding to ARP request to the Cluster and Interface IP.



Any opinions ?

Thanks.

If you take the interface out of the cluster config, does it work?

With any cluster, you really should make sure all the interfaces work on the gateway before you create the cluster.

[luisrocha]

A strange this was, the cphaprob stat beforing adding a IP address to the physycal addreess were Vlans are assigned were showing 100% 0% - Active - Down; and when have add an arbitrary ip to the physycal address in splat and in the topology with network objective monitored private, it as shown me 70% 30% as supposed.

Have you any special configuration on the Switches ?

Regards

[chillyjim]

Sounds like it's something with the switches you are using. I know the product is QA'ed to Cisco and Nortel, don't know about anyone else.

If you have a support contract open up a call and if they don't come back with anything useful ask for them to escalate it and offer a switch for testing. Also get your Check Point SE involved. The folks in Israel will try to make it work, it might take some time, but they do try.

[luisrocha]

Problem solved, it was related with the method for cluster XL to comute the pivot member in the interface that receives the trunk.

I have a Cluster XL in LS Unicast with Vlans Tagging, im using a SPLAT ED because it was provided by checkpoint to support the hardware im using SUN AMD X4200 M2.

But the problem was related, with the network segment of the vlan with the lowest tag ID. When i was testing the failover on the interface that receives the trunk in the pivot member, when a failover occurs, the the second member before assuming control it will do a ICMP Probe to all network segment of the network in the lowest vlan id, if no live hosts detected, the second member assumes there is failure with him too and what occurs is the Pivot member stays UP and the second member goes down.

This behavior is explained in the following SK article:
Failover malfunctions using ClusterXL with VLANs
Solution ID: #sk25813

Regards,
Luis Rocha

[fdamstra]

A couple things to add, as well as some questions...

Quote:

Originally Posted by luisrocha

Hi,
Anyone had used ClusterXL with Vlans in SPLAT ?

I imagine this is common. As our network has grown, we initially just used unused interfaces, as we realized we were running out of them, we started adding VLAN's. At this point, we wish we'd known more about VLAN's earlier in our growth, as we've really wasted a lot of physical interface on networks segments with low traffic.

Quote:

Setting up the Vlans, must i configure a IP adreess to the physical interface associated with the VLANs ? If yes, how must it be configured in the topology ? using Monitored Private ?

Well, we are doing this, but our pivot is spamming /var/log/messages with warnings. It works, but we're getting more out-of-state messages than we think we should be, and the warnings in /var/log/messages are disconcerting, at least.

After 6 weeks of having a ticket about the warnings, they finally came back with "remove the IP's from the physical interface, and only use IP's on the subinterfaces." That's a pretty big project with some pretty big implications, so we're working on it, but I agree with chillyjim, the proper way is to have no IP assigned on the physical interface, and to only use subinterfaces.

They said to make the physical interface "monitored private". I'm not sure how this will work when there's no IP assigned, but I'm going to find out in just over a week.

Quote:

In SmartViewMonitor i just see the physical interface and the IP address of the VLan with the lowest Tag ID....

If this is how it works when no IP is assigned to the physical interface, I'll be quite happy.