topic Re: HA clusterXL with Bond interfaces with Cisco switch in General Topics

HA clusterXL with Bond interfaces with Cisco switch

Luis_Filipe — Fri, 10 May 2019 08:44:35 GMT

Hello,

I have a topology with 2 checkpoints in ClusterXL HA mode, and 2 switches Cisco.

I want to connect 2 interfaces for each gateway and perform an ether channel between them (checkpoint-switch).

This is possible?

Thanks in advance

Re: HA clusterXL with Bond interfaces with Cisco switch

Wolfgang — Fri, 10 May 2019 11:34:39 GMT

Luis,

yes that's possible.

You have to build one bond interface on one CheckPoint appliance and connect the interfaces of these bond to each CISCO-switch.

I would prefer to use LACP as BOND protocol. To create a BOND spanning over both switches they must be member of the same stack or they need something like vPC.

You can't create a bond over two separate switches.

Without having vPC or stack you can configure the BOND on the CheckPoint appliances as HA (active-backup). But with this you can't do LoadSharing and the passive interface is only used if the active link goes down. With a bond like this you don't need a BOND configuration on the switches.

In the "Gaia R80.20 Administration Guide" you'll find a detailled description how to configure BONDs, chapter "Bond Interfaces (Link Aggregation)"

Wolfgang

Re: HA clusterXL with Bond interfaces with Cisco switch

Maarten_Sjouw — Fri, 10 May 2019 13:08:42 GMT

The issue here is that when you want to use a bond from one cluster member to both switches (port eth2 to swi-1 and port eth3 to switch-2, those switches need to be connected with a stack module then you can use LACP otherwise you need to use active/backup. On the switch side you cannot create a portchannel when the switches are not in a stack.
When you connect fw1 both eth2 and eth3 to switch-1 and fw2 eth2 and eth3 to switch-2 then you can have port channels on the switches.

Re: HA clusterXL with Bond interfaces with Cisco switch

Jerry — Fri, 10 May 2019 13:42:56 GMT

simply LACP L2 Fast and off you go 🙂 not really complicated task though.

Re: HA clusterXL with Bond interfaces with Cisco switch

Sven_Glock — Fri, 10 May 2019 16:30:38 GMT

I can recommend to avoid L2 LACP. When having for example a proxy behind the switch all traffic that comes from the proxy will pass via the same link to the firewall.

This can cause disbalanced links within the bond. Try to use L3/4 LACP, but this needs software support on the affected switch.

On firewall side you have to configure xmit-hash-policy layer3+4.

Regards

Sven

Re: HA clusterXL with Bond interfaces with Cisco switch

Jerry — Fri, 10 May 2019 19:02:35 GMT

hi Sven

proxy wasn't mentioned at all by the original post hence my advise on L2 LACP.

I completely second your advise when it comes to the proxying any traffic indeed, but that is a matter of a proper design on application level as you've already wrote.

In any case the question is not an easy one to answer, there are dependencies to consider as well as consequences of the decisions which definitely need to be taken into the account.

Re: HA clusterXL with Bond interfaces with Cisco switch

Sven_Glock — Sun, 12 May 2019 08:50:10 GMT

Jerry, you are absolutly right.

My advaice was just a general hint not based on the specific problems of Luis.