Technical data
Managing VSX Clusters
Check Point VSX Administration Guide NGX R67 | 123
Source Cluster MAC Addresses
Cluster members use CCP to communicate with each other. In order to distinguish CCP packets from
ordinary network traffic, CCP packets are given a unique source MAC address.
The first four bytes of the source MAC address are all zero: 00.00.00.00
The fifth byte of the source MAC address is a "magic" number: a value that encodes critical information in a way intended to be opaque. Its value indicates its purpose:
Default Value Of Fifth Byte    Purpose
0xfe                           CCP traffic
0xfd                           Forwarding layer traffic
The sixth byte is the ID of the source cluster member.
When multiple clusters are connected to the same Layer-2 segment, setting a unique value for the fifth byte
of the MAC source address of each cluster allows them to coexist on that segment.
Changing a Cluster's MAC Source Address
To change a cluster's MAC source address, run the following commands on each cluster
member:
fw ctl set int fwha_mac_magic <value>
fw ctl set int fwha_mac_forward_magic <value>
The default values of the parameters fwha_mac_magic and fwha_mac_forward_magic appear in the
following table:
Parameter                  Default value
fwha_mac_magic             0xfe
fwha_mac_forward_magic     0xfd
Use any value as long as the two gateway configuration parameters are different. To avoid confusion, do not
use the value 0x00.
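As an added example (not Check Point's own code), the following Python applies the source MAC layout and the magic-value rules above: it classifies a frame's source MAC as CCP, forwarding-layer or ordinary traffic for a cluster's configured fwha_mac_magic and fwha_mac_forward_magic values, and flags clusters on one Layer-2 segment whose magic values collide. The cluster names and MAC addresses used are constructed sample inputs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_MAC_MAGIC = 0xFE          # default fwha_mac_magic (CCP traffic)
DEFAULT_MAC_FORWARD_MAGIC = 0xFD  # default fwha_mac_forward_magic (forwarding layer)

@dataclass(frozen=True)
class ClusterFrame:
    kind: str        # "ccp" or "forward"
    member_id: int   # sixth byte: ID of the sending cluster member

def parse_mac(mac: str) -> List[int]:
    """Accept 00:00:00:00:fe:01, 00-00-00-00-fe-01 or 00.00.00.00.fe.01 forms."""
    parts = mac.replace("-", ":").replace(".", ":").split(":")
    octets = [int(p, 16) for p in parts]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return octets

def classify_source_mac(mac: str, mac_magic: int = DEFAULT_MAC_MAGIC,
                        forward_magic: int = DEFAULT_MAC_FORWARD_MAGIC) -> Optional[ClusterFrame]:
    """Return the cluster frame type encoded in `mac`, or None for ordinary traffic."""
    if mac_magic == forward_magic:
        raise ValueError("fwha_mac_magic and fwha_mac_forward_magic must differ")
    octets = parse_mac(mac)
    if octets[:4] != [0, 0, 0, 0]:
        return None  # first four bytes are not all zero: ordinary traffic
    magic, member_id = octets[4], octets[5]
    if magic == mac_magic:
        return ClusterFrame("ccp", member_id)
    if magic == forward_magic:
        return ClusterFrame("forward", member_id)
    return None  # zero prefix but a different magic: not this cluster's traffic

def magic_collisions(clusters: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str, int]]:
    """clusters maps a cluster name to its (fwha_mac_magic, fwha_mac_forward_magic)
    pair; returns (first owner, offender, value) for every magic value reused by
    another cluster on the same Layer-2 segment (or reused within one cluster)."""
    owner: Dict[int, str] = {}
    found = []
    for name, pair in clusters.items():
        for value in pair:
            if value in owner:
                found.append((owner[value], name, value))
            else:
                owner[value] = name
    return found
```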
Making the Change Permanent
You can make the above configuration parameters persist across reboots. For
SecurePlatform machines:
1. Use a text editor to open the file fwkern.conf, located at $FWDIR/boot/modules/.
2. Add the line Parameter=<value in hex>. Make sure there are no spaces.
Monitoring all VLANs with ClusterXL
By default, ClusterXL only monitors two VLANs for failure detection and failover. These are the highest and
lowest VLAN tags defined for a given interface.
For example, if the topology for interface eth1 includes several VLAN tags in the range of eth1.10 to eth1.50,
ClusterXL only monitors VLANs eth1.10 and eth1.50 for failure. Failures on any of the other VLANs are not
detected in the default configuration.
Note - The command line option cphaprob -a if displays the
highest and lowest VLANs being monitored.
When both the highest and lowest VLANs fail, all the VLANs are considered down, and a failover occurs.
This means that if a VLAN which is not listed as the highest or lowest goes down, the trunk is still
considered "up", and no failover occurs.
There are instances in which it would be advantageous to monitor all the VLANs in the trunk, not just the
highest and lowest, and initiate a failover when any one of the VLANs goes down.