https://community.checkpoint.com/t5/Firewall-and-Security-Management/bond-across-different-interface-modules/m-p/54584#M12640 <P>I'm setting up a new 23900 appliance cluster.&nbsp; It has a 2-port 10G card as well as a 4-port 10G card.&nbsp; I'd like to setup 2 bond interfaces (internal / external) with 2 10G ports in each bond.&nbsp; My initial thought is to use a 10G port from each interface card for the bond.&nbsp; That way the FW can survive an interface card failure.</P><P>Is there any reason not to do so?&nbsp; I'm thinking from a hardware / performance perspective.&nbsp;&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>, are there any SecureXL / CoreXL considerations around this?&nbsp; Would it be better to split the bonds across interface cards, keep them both on the 4-port card, or doesn't it really matter?</P> Tue, 28 May 2019 16:49:46 GMT phlrnnr 2019-05-28T16:49:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/bond-across-different-interface-modules/m-p/54584#M12640 <P>I'm setting up a new 23900 appliance cluster.&nbsp; It has a 2-port 10G card as well as a 4-port 10G card.&nbsp; I'd like to setup 2 bond interfaces (internal / external) with 2 10G ports in each bond.&nbsp; My initial thought is to use a 10G port from each interface card for the bond.&nbsp; That way the FW can survive an interface card failure.</P><P>Is there any reason not to do so?&nbsp; I'm thinking from a hardware / performance perspective.&nbsp;&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>, are there any SecureXL / CoreXL considerations around this?&nbsp; Would it be better to split the bonds across interface cards, keep them both on the 4-port card, or doesn't it really matter?</P> Tue, 28 May 2019 16:49:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/bond-across-different-interface-modules/m-p/54584#M12640 phlrnnr 2019-05-28T16:49:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/bond-across-different-interface-modules/m-p/54589#M12641 <P>No direct SecureXL/CoreXL considerations as they don't really care where a NIC is physically located in a chassis; the only other factor would be how the two NIC ports in different slots are connected to each other on the bus/backplane, and whether this will really matter depends heavily on the hardware architecture.&nbsp; The only real references to this are located in <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk98348" target="_self">sk98348</A> which says:</P> <P>&nbsp;</P> <UL> <LI>If you are using a motherboard with multiple PCI or PCI-X buses, make sure that each Network Interface Card is installed in a slot connected to a <STRONG>different</STRONG> bus.</LI> <LI>If you are using more than two Network Interface Cards in a system with only two 64-bit/66Mhz PCI buses, make sure that the least-used cards are installed in slots connected to the same bus</LI> </UL> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21670">@HeikoAnkenbrand</a> put together a pretty interesting page on the Intel processor architecture at the link below, might be interesting to see if he has any opinion on this.</P> <P><A href="https://community.checkpoint.com/t5/General-Management-Topics/New-R80-x-Performance-Tuning-Intel-Hardware/m-p/48697" target="_blank">https://community.checkpoint.com/t5/General-Management-Topics/New-R80-x-Performance-Tuning-Intel-Hardware/m-p/48697</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 28 May 2019 17:04:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/bond-across-different-interface-modules/m-p/54589#M12641 Timothy_Hall 2019-05-28T17:04:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/bond-across-different-interface-modules/m-p/54603#M12642 <P>&nbsp;</P> <P>Thanks <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;</P> <P>As Timothy described it, I wrote an article about Intel hardware.</P> <P>We think a little bit about Intel Skylake platform architecture. In recent years I have read many books and internet informations about outdated information about network cards and packet processing. Therefore I took a closer look at a modern Intel architecture. Furthermore it is interesting to see how Linux can be used with these new technologies (MSI-X, PCIe, DMA, multi queueing and some more.</P> <P>More see here:</P> <P><A href="https://community.checkpoint.com/t5/General-Management-Topics/New-R80-x-Performance-Tuning-Intel-Hardware/m-p/48697/highlight/true#M8306" target="_self">R80.x Performance Tuning – Intel Hardware</A></P> Tue, 28 May 2019 20:06:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/bond-across-different-interface-modules/m-p/54603#M12642 HeikoAnkenbrand 2019-05-28T20:06:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/bond-across-different-interface-modules/m-p/54680#M12643 <P>Can I assume the 23900 and 6800 appliances follow these recommendations / best practices that you mentioned when 2 different slots are used for 10G NIC interface cards?</P><UL><LI>If you are using a motherboard with multiple PCI or PCI-X buses, make sure that each Network Interface Card is installed in a slot connected to a<SPAN>&nbsp;</SPAN><STRONG>different</STRONG><SPAN>&nbsp;</SPAN>bus.</LI><LI>If you are using more than two Network Interface Cards in a system with only two 64-bit/66Mhz PCI buses, make sure that the least-used cards are installed in slots connected to the same bus</LI></UL> Wed, 29 May 2019 16:50:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/bond-across-different-interface-modules/m-p/54680#M12643 phlrnnr 2019-05-29T16:50:18Z