Introduction
This guide answers common problems and questions related to Promiscuous Mode when running a cOS Core High Availability (HA) cluster in a VMware environment.
HA Cluster problem symptoms
- HA cluster does not synchronize properly in the virtual environment.
- The HA cluster has problems: the active node does not work properly, but the inactive node does.
- The HA cluster has problems: the shared IP is not accessible.
Probable cause
The virtual switch connecting the interfaces must be set to “Promiscuous Mode”. This is a setting for the behaviour of the entire vSwitch, not per port.
More information about setting up cOS Core under VMware can be found in the Getting Started Guide for VMware, available at https://docs.clavister.com/products/netwall/
Question
If we set the vSwitch to Promiscuous mode it is a potential security issue, as that effectively turns the vSwitch into a hub: all computers connected to the vSwitch can see all traffic passing through it.
Answer
Correct, but there is a way to solve this, at least in ESXi. This is how to do it:
- Create the vSwitch that is supposed to connect e.g. the LAN ports of the Master and Slave and the workstations on your LAN. It will automatically add a "Virtual Machine Port Group" which inherits its settings from the vSwitch.
- Set the vSwitch to Promiscuous Mode:
- - Select the vSwitch, click Edit, go to the Security tab and set Promiscuous mode to Accept.
- Connect the Clavister Master and Slave devices directly to the vSwitch.
- Add one more Virtual Machine Port Group to the vSwitch:
- - Give it a unique Network Label and finish the wizard.
- - Select the new VM Port Group and click Edit...
- - On the Security tab, enable the Promiscuous mode checkbox (which overrides the vSwitch setting) and set it to Reject.
- Connect all workstations to the newly added VM Port Group instead of directly to the vSwitch.
The end result is that the HA members work in Promiscuous mode while the workstations work in switched mode. It will then look something like this:
Edu1_CP = Master node, there is no slave node at this stage.
Edu1_XP and Edu2_XP = The workstations.
LAN1 is the VM Port Group leading to the HA node(s).
VM Network is the VM Port Group leading to the workstation(s).
Equivalently, you can leave Promiscuous mode off on the vSwitch and enable it only on the “LAN1” port group above.
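The same split (vSwitch Accept, workstation port group Reject) can be applied and then audited from the ESXi shell. The script below is an added example, not part of this article or of Clavister's documentation; it assumes the vSwitch is named vSwitch1 and the workstation port group "VM Network", and it checks the output of the esxcli "get" subcommands so that a port group silently inheriting Accept is caught.

```shell
# Assumed names: vSwitch "vSwitch1", workstation port group "VM Network".
# ESXi shell equivalents of the clicks described in the article:
#   esxcli network vswitch standard policy security set --vswitch-name=vSwitch1 --allow-promiscuous=true
#   esxcli network vswitch standard portgroup policy security set --portgroup-name="VM Network" --allow-promiscuous=false
# The matching "get" subcommands print the current policy; the functions below audit that output.

# promisc_of OUTPUT: prints the value (true/false) of the first "Allow Promiscuous:" line
promisc_of() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Allow Promiscuous:[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1
}

# audit VSWITCH_OUTPUT WORKSTATION_PG_OUTPUT: returns 0 when the vSwitch accepts promiscuous
# mode (HA nodes see the shared IP) and the workstation port group overrides it with Reject
# (workstations stay switched); returns 1 and prints the problem otherwise
audit() {
    vsw=$(promisc_of "$1")
    wks=$(promisc_of "$2")
    if [ "$vsw" != "true" ]; then
        echo "vSwitch rejects promiscuous mode: the HA shared IP will not be reachable"
        return 1
    fi
    if [ "$wks" != "false" ]; then
        echo "workstation port group accepts promiscuous mode: every workstation sees all traffic"
        return 1
    fi
    echo "OK: HA nodes promiscuous, workstations switched"
}

# Constructed sample output in the shape of 'esxcli ... policy security get'
VSWITCH_OK='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'
PG_REJECT='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: true'
PG_INHERIT='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
   Override Vswitch Allow Promiscuous: false'

# On a real host audit the live policies; elsewhere run against the constructed samples
if command -v esxcli >/dev/null 2>&1; then
    audit "$(esxcli network vswitch standard policy security get --vswitch-name=vSwitch1)" \
          "$(esxcli network vswitch standard portgroup policy security get --portgroup-name="VM Network")"
else
    audit "$VSWITCH_OK" "$PG_REJECT"
    audit "$VSWITCH_OK" "$PG_INHERIT" || true   # expected to fail: port group inherits Accept
fi
```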