
Link aggregation on VMWare ESXi vSwitch or bond interfaces on Check Point GW?

Hello,

Currently we are implementing a Check Point vSEC GW hosted on an ESXi host with 2x 10G interfaces to the Internet and 2x 10G interfaces to the LAN. We would like to bond the interfaces for load balancing; however, I don't know if we should do the aggregation on the VMWare layer in the vSwitch or if I should create 2 interfaces on the Check Point GW VM and bond them together there. What do you think would give us better throughput? Thanks for suggestions.

We will be using VMXNET 3 as the driver for the 10G vNICs.

7 Replies
Vladimir

Re: Link aggregation on VMWare ESXi vSwitch or bond interfaces on Check Point GW?

Speaking strictly from the point of view of the Gaia interface:

The link speed increment is not defined by the user. So if you perform port aggregation in VMware, Gaia may still default to a single interface speed.

It stands to reason that you may want to present both interfaces as separate entities and perform the aggregation in the bond on Gaia.

I am uncertain how LACP will behave with ESXi's virtual switch, though. It is possible that you may have to tinker with the promiscuous mode settings on the port group assigned to carry this traffic.

Timothy Hall could probably chime in on this subject.

Re: Link aggregation on VMWare ESXi vSwitch or bond interfaces on Check Point GW?

I'd probably create the bond in VMWare so that it is as close as possible to whatever switch it is attached to (so that 802.3ad is handled outside Gaia), then present a single interface to Gaia. I don't think it will matter much either way, but it would be interesting to try both ways and run some iperf tests to compare.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Link aggregation on VMWare ESXi vSwitch or bond interfaces on Check Point GW?

I am not sure, but I think you don't need LACP on the virtual system. You have to create a vSwitch that includes the 2 NIC interfaces on VMware.

Link Aggregation and Clusters


Re: Link aggregation on VMWare ESXi vSwitch or bond interfaces on Check Point GW?

Hi, just a quick update.

As we don't have a Cisco switch on the other side, our guys from the server team told us that setting up correct load balancing would be an issue, as VMWare recommends using a static Etherchannel configuration. We tried to put separate vNICs on the Check Point and handle LACP there; however, when the vNICs go through a vSwitch (each vNIC has its own vSwitch) we couldn't get LACP to create the bond from Check Point to the switch.

We have used pass-through on the 10Gbit interfaces directly to Check Point and created a bond inside Check Point. LACP was successfully created and it now shows as a 20Gbit interface on the switch.
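
The failure mode described above (a bond configured for 802.3ad whose LACPDUs never reach a partner, so each slave sits alone in its own aggregator) is visible in the Linux bonding driver's status file, which Gaia exposes as well. The following is an added example, not code from the thread or from Check Point: it reads a `/proc/net/bonding/<bond>` file and reports whether LACP actually negotiated, how many slaves are up, and the aggregate speed, using constructed abbreviated samples rather than real captures.

```shell
#!/bin/sh
# Added example: check whether an 802.3ad bond on a Linux-based gateway
# (such as Gaia) negotiated LACP, by parsing /proc/net/bonding/<bond>.
# Prints "negotiated <slaves_up> <total_mbps>", "no-partner" or "not-8023ad".
bond_lacp_status() {
    f="$1"
    grep -q '^Bonding Mode: IEEE 802.3ad' "$f" || { echo "not-8023ad"; return 1; }
    # An all-zero partner MAC means no LACPDUs arrived (e.g. dropped by a
    # vSwitch in between); every slave then forms an aggregator of its own.
    partner=$(sed -n 's/^[[:space:]]*Partner Mac Address: //p' "$f" | head -n 1)
    case "$partner" in
        ""|00:00:00:00:00:00) echo "no-partner"; return 1 ;;
    esac
    # Count slaves reporting link up and sum their link speeds (Mbps).
    awk '/^Slave Interface:/ {s=1}
         s && /^MII Status: up/ {n++}
         /^Speed:/ {mb+=$2}
         END {printf "negotiated %d %d\n", n, mb}' "$f"
}

# Constructed, abbreviated samples of a bond0 status file (not real captures).
SAMPLE_OK=$(mktemp); SAMPLE_NOPARTNER=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up
802.3ad info
Active Aggregator Info:
    Aggregator ID: 1
    Number of ports: 2
    Partner Mac Address: 00:11:22:33:44:55
Slave Interface: eth1
MII Status: up
Speed: 10000 Mbps
Aggregator ID: 1
Slave Interface: eth2
MII Status: up
Speed: 10000 Mbps
Aggregator ID: 1
EOF
# Same bond, but LACP never came up: zero partner MAC, one port per aggregator.
sed -e 's/Partner Mac Address: .*/Partner Mac Address: 00:00:00:00:00:00/' \
    -e 's/Number of ports: 2/Number of ports: 1/' "$SAMPLE_OK" >"$SAMPLE_NOPARTNER"

bond_lacp_status "$SAMPLE_OK"                 # negotiated 2 20000
bond_lacp_status "$SAMPLE_NOPARTNER" || :     # no-partner
```

On a live gateway, point the function at the real file (`bond_lacp_status /proc/net/bonding/bond0`); a `no-partner` result with both slaves up is the signature of the vSwitch case reported in this thread.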

Jerry

Re: Link aggregation on VMWare ESXi vSwitch or bond interfaces on Check Point GW?

Got the same with no need for LACP on the switch side (vSwitch). 2 interfaces on GAIA work perfectly fine as a BOND with LACP type. It isn't complicated when GAIA is 80.10 though :) It was on 77.30 if I remember correctly, but luckily this isn't the case here as well.

Jerry
Vladimir

Re: Link aggregation on VMWare ESXi vSwitch or bond interfaces on Check Point GW?

Thank you for sharing.

Please note that, depending on the particulars of your implementation, this may represent a problem down the road:

i.e. if this is not the only VM on the host and if you are counting on it being moved between hosts, using pass-through effectively anchors the VM to this host only.

If you are still experimenting, try attaching two interfaces from the Gaia VM to the same port group on the vSwitch.

Regards,

Vladimir

Re: Link aggregation on VMWare ESXi vSwitch or bond interfaces on Check Point GW?

Thanks Vladimir for the clarification.

In our setup, the servers will be used solely for the firewall, so the concern with moving VMs shouldn't be an issue. I will try your recommendation in the lab to see if we can successfully create a bond when the interfaces are in the same port group - this wasn't the case when I first tried it out.