cOS Core HA clusters in VMware with Promiscuous Mode

Last modified on 4 Apr, 2023. Revision 7
This short Q&A goes through some of the details related to Promiscuous Mode with cOS Core High Availability clusters running in a VMware environment.
Up to date for: cOS Core 10.00.xx
Supported since: cOS Core 9.00.xx
Status: OK

Introduction

This guide answers some of the problems and questions related to Promiscuous Mode when running a cOS Core High Availability cluster in a VMware environment.

HA Cluster problem symptoms

  • The HA cluster does not synchronize properly in the virtual environment.
  • The HA cluster has problems: the active node does not work properly, but the inactive node does.
  • The HA cluster has problems: the shared IP is not accessible.

Probable cause

The virtual switch connecting the interfaces must be set to “Promiscuous Mode”. This is a setting for the entire switch’s behaviour, not a per-port setting.

More information about setting up cOS Core under VMware can be found in the Getting Started Guide for VMware, available at: https://docs.clavister.com/products/netwall/

Question

If we set the vSwitch to Promiscuous mode it may be a potential security issue, as that effectively turns the vSwitch into a hub: all computers connected to the vSwitch can see all traffic passing through it.

Answer

Correct, but there is a way to solve this, at least in ESXi. This is how to do it:

  1. Create the vSwitch which is supposed to connect e.g. the LAN ports of the Master and Slave and the workstations on your LAN. It will automatically add a "Virtual Machine Port Group" which inherits the settings from the vSwitch.
  2. Set the vSwitch to Promiscuous Mode:
    1. Select the vSwitch, click Edit, go to the Security tab and set Promiscuous mode to Accept.
  3. Connect the Clavister Master and Slave devices directly to the vSwitch.
  4. Add one more Virtual Machine Port Group to the vSwitch:
    1. Give it a unique Network Label and finish the guide.
    2. Select the new VM Port Group and click Edit...
    3. On the Security tab, enable the Promiscuous mode checkbox and set it to Reject.
  5. Connect all workstations to the newly added VM Port Group instead of directly to the switch.


The end result is that the HA members work in Promiscuous mode while the workstations work in switched mode. It will then look something like this:

Edu1_CP = Master node, there is no slave node at this stage.
Edu1_XP and Edu2_XP = The workstations.
LAN1 is the VM Port Group leading to the HA node(s).
VM Network is the VM Port Group leading to the workstation(s).

It’s equivalent if you enable Promiscuous mode on “LAN1” above and leave it off on the switch.
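The five steps above as a PowerCLI script (an added example, not part of the Clavister article). It assumes the ESXi host name, uplink, switch, port group and VM names given in the comments, and ends with a query showing which port groups actually end up with promiscuous mode accepted, so you can confirm that only the HA port group does.

```powershell
# Added example (not from the Clavister article): PowerCLI equivalent of the
# GUI steps above. Assumed names: ESXi host "esxi01.example.local",
# uplink "vmnic1", vSwitch "vSwitchLAN", HA port group "LAN1",
# workstation port group "Workstations" (the "VM Network" of the figure),
# VMs "Edu1_CP" (HA node), "Edu1_XP" and "Edu2_XP" (workstations).
Import-Module VMware.PowerCLI
Connect-VIServer -Server "esxi01.example.local" | Out-Null
$vmhost = Get-VMHost

# Step 1: create the vSwitch. Port groups created on it inherit its policy.
$vs = New-VirtualSwitch -VMHost $vmhost -Name "vSwitchLAN" -Nic "vmnic1"

# Step 2: Promiscuous mode = Accept on the vSwitch itself.
Get-SecurityPolicy -VirtualSwitch $vs |
    Set-SecurityPolicy -AllowPromiscuous $true | Out-Null

# Step 3: port group for the HA node(s); it simply inherits Accept.
$haPg = New-VirtualPortGroup -VirtualSwitch $vs -Name "LAN1"
Get-NetworkAdapter -VM "Edu1_CP" |
    Set-NetworkAdapter -Portgroup $haPg -Confirm:$false | Out-Null

# Step 4: second port group for workstations; override the inherited
# setting and reject promiscuous mode so they stay in switched mode.
$wsPg = New-VirtualPortGroup -VirtualSwitch $vs -Name "Workstations"
Get-SecurityPolicy -VirtualPortGroup $wsPg |
    Set-SecurityPolicy -AllowPromiscuousInherited $false -AllowPromiscuous $false |
    Out-Null

# Step 5: move the workstations onto the non-promiscuous port group.
Get-NetworkAdapter -VM "Edu1_XP", "Edu2_XP" |
    Set-NetworkAdapter -Portgroup $wsPg -Confirm:$false | Out-Null

# Check: effective promiscuous setting per port group on this vSwitch.
# Only "LAN1" should show AllowPromiscuous = True.
Get-VirtualPortGroup -VirtualSwitch $vs | Get-SecurityPolicy |
    Select-Object @{N = 'PortGroup'; E = { $_.VirtualPortGroup.Name }},
                  AllowPromiscuous, AllowPromiscuousInherited |
    Format-Table -AutoSize
```

The alternative the article mentions (Accept on "LAN1" only, Reject on the vSwitch) is the same script with the two Set-SecurityPolicy calls swapped: Reject on the vSwitch, and an override to Accept on the HA port group.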


