topic Re: Bond recommendations in Firewall and Security Management

Bond recommendations

Igor_Simovski — Tue, 18 Dec 2018 07:59:54 GMT

Hello all,

Could you please advise me regarding BOND interface. Current situation is that we have SYNC link and we want to place it into the bond for all the benefits there are. Now i saw properly here, there can not be two SYNC interfaces inside the bond, so what are the best practices/recommendation regarding this. Here is precise question from technical staff that is suggesting this:

The issue is, for now it’s a single access interface.

As this is not redundant, we’d like to go to a bonded interface (a port-channel on the switch) of 2 physical connections.

For that we’d like to first create a new SYNC-interface already in bond and connect it.

Fail over the sync to the new one and add the original one to the bond.

Many thanks for any advice! 🙂

KR,

Igor

Re: Bond recommendations

AlekseiShelepov — Tue, 18 Dec 2018 08:33:38 GMT

There cannot be two Sync interfaces defined in topology of a cluster object. Well, at least this is not supported for some time and can cause some strange behaviour of the cluster. But I didn't try it for a long time.

I would suggest to do it in a very straightforward way during a maintenance window:

make sure that cluster wouldn't failover during the operation (clusterXL_admin down on standby member for example)
connect new cable to physical interfaces
create new bond interface, put there interface with newly connected cable
change topology in Dashboard - just the name of sync interface (for example eth7 -> bond0)
remove settings from old sync interface, add it to the new bond, configure the same IPs on bond
install policy
check clustering status, check synchronisation (and clusterXL_admin up, if required)

Re: Bond recommendations

Igor_Simovski — Tue, 18 Dec 2018 14:42:45 GMT

Many thanks for reply, i have one more doubt. We want to set it up in Load Sharing (Active/Active) mode. For instance if we create 2 bonds on device, only one SYNC may be configured per both bond?

Thanks.

Re: Bond recommendations

AlekseiShelepov — Tue, 18 Dec 2018 17:29:58 GMT

You can read about officially recommended settings here: Sync Redundancy in ClusterXL

In order to implement Sync Redundancy, configure several physical interfaces as a Bond interface - in High Availability (Active/Backup) mode, or Load Sharing (Active/Active) mode - and then configure the dedicated Synchronization Network over this single Bond interface.
802.3ad is the recommended Bond mode
When using Sync over Bond in HA mode (Active-Backup), slave interfaces must be added in the same order on all cluster members.

There is also a situation described, when it might be required to do cpstop;cpstart after the migration.

But also notice Only one of the two physical slave interfaces in 802.3ad Load Sharing Bond handles most of the traffic.

I don't understand what you mean by the second part - "for instance if we create 2 bonds on device, only one SYNC may be configured per both bond".

Bond interface is a logical one, it includes several physical interfaces. So you would have several physical interfaces with load sharing inside bond and in Dashborad you would have only bond interface configured as 1st Sync.

Re: Bond recommendations

Igor_Simovski — Wed, 09 Jan 2019 11:26:16 GMT

Hello Aleksei,

This is the plan network guys provided us, could you please see if this approach makes sense:

We have 2 CP in one DC and 2 CP in other DC - Active/Passive deployment. Currently sync link is on a sync interface (Sync interface and Switch port 1/0/42), and it is planned to introduce additional interface in Bond :

#1 Connect the cables upfront - interface in shut

#2 Move all the VSXs to one DC (Data Center).

#3 Configure interface eth - 2/07 on CP as a bonded interface;

#4 Remove/Shut settings from old Sync:

#5 Enable/Unshut eth - 2/07 (on CP) and eth 2/0/42 (on Switch);

#6 Check if interfaces and port-channel (Bond) come up;

#7 Reconfigure Sync and 1/0/42

#8 Check bond is up with 2 interfaces

#9 Sync the firewall

Does it make sense was how to perform the backup before this intervention, VSX or complete backup?

Many thanks,