topic Re: Can you have a cluster, but 1 of them with a lacp bundle to the LAN in Firewall and Security Management https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108793#M14733 <P>Absolutely. There are a few ways to do this.</P> <P>You can add the interface as non-clustered. This&nbsp;<EM>probably</EM> isn't what you want to do, but I mention it because it is possible. Cluster members can have "non-monitored private" interfaces which are unique to the member.</P> <P>You can also make a clustered interface as long as both firewalls see it as a bond. Bonds can be composed of a single interface, and the member with only one interface in the bond can do "round robin" with a single bonded interface. That will cause it to do no special negotiation on the interface (specifically, no LACP), it will just send traffic out directly. I deploy some of my firewalls' interfaces as single-member bonds simply because it makes it so easy to rearrange the traffic on the physical interfaces.</P> <P>&nbsp;</P> <P>If you are particularly unaverse to risk, you can also run a cluster interface with differently-named interfaces on the different members (bond0 on one member, eth7 on the other). This is allowed by the UI and should work, but I guarantee it hasn't been tested to the degree I would feel even remotely comfortable using in production.</P> Mon, 25 Jan 2021 19:19:15 GMT Bob_Zimmerman 2021-01-25T19:19:15Z Can you have a cluster, but 1 of them with a lacp bundle to the LAN https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108734#M14711 <P>Hi All,</P><P>Is it possible to have a checkpoint firewall cluster, but on one of them have 2 ports connected to the LAN running LACP and the other firewall 2 would have a single interface not running LACP?</P><P>Cheers</P> Mon, 25 Jan 2021 08:51:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108734#M14711 carl_t 2021-01-25T08:51:03Z Re: Can you have a cluster, but 1 of them with a lacp bundle to the LAN https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108744#M14718 <P>According to the R80.40 ClusterXL Admin Guide this is not supported: All Cluster Members must run on identically configured hardware platforms.</P> Mon, 25 Jan 2021 10:40:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108744#M14718 G_W_Albrecht 2021-01-25T10:40:44Z Re: Can you have a cluster, but 1 of them with a lacp bundle to the LAN https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108767#M14725 <P>Out of interest why can't you run LACP at one of the sites?&nbsp;</P> <P>It should be possible to form a bond even to a single switch.</P> Mon, 25 Jan 2021 15:24:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108767#M14725 Chris_Atkinson 2021-01-25T15:24:17Z Re: Can you have a cluster, but 1 of them with a lacp bundle to the LAN https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108777#M14727 <P>We can, It just means an outage window thats all.</P><P>Cheers</P> Mon, 25 Jan 2021 16:19:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108777#M14727 carl_t 2021-01-25T16:19:23Z Re: Can you have a cluster, but 1 of them with a lacp bundle to the LAN https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108793#M14733 <P>Absolutely. There are a few ways to do this.</P> <P>You can add the interface as non-clustered. This&nbsp;<EM>probably</EM> isn't what you want to do, but I mention it because it is possible. Cluster members can have "non-monitored private" interfaces which are unique to the member.</P> <P>You can also make a clustered interface as long as both firewalls see it as a bond. Bonds can be composed of a single interface, and the member with only one interface in the bond can do "round robin" with a single bonded interface. That will cause it to do no special negotiation on the interface (specifically, no LACP), it will just send traffic out directly. I deploy some of my firewalls' interfaces as single-member bonds simply because it makes it so easy to rearrange the traffic on the physical interfaces.</P> <P>&nbsp;</P> <P>If you are particularly unaverse to risk, you can also run a cluster interface with differently-named interfaces on the different members (bond0 on one member, eth7 on the other). This is allowed by the UI and should work, but I guarantee it hasn't been tested to the degree I would feel even remotely comfortable using in production.</P> Mon, 25 Jan 2021 19:19:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Can-you-have-a-cluster-but-1-of-them-with-a-lacp-bundle-to-the/m-p/108793#M14733 Bob_Zimmerman 2021-01-25T19:19:15Z