This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Janko139943
Explorer
Monday

Check Point 3900 – Using SFP+ ports (eth10/eth11) for Cluster Sync instead of default eth9

Hi all,

I’m working with a Check Point 3920 appliance deployed in ElasticXL mode, and I have a question regarding Sync interface design.

By default, eth9 is used for Cluster Sync, but it is a 1G SFP port.
In this setup, I only have 10G SFP+ transceivers available, so I’m considering using eth10 or eth11 (SFP+ ports) for Sync instead.

My questions:

  • Is it officially supported to use eth10 / eth11 as Sync interfaces instead of eth9 on 3900 series appliances in ElasticXL mode?
  • Are there any limitations or caveats when using SFP+ ports for Sync in this architecture?
  • Is there any internal dependency tied specifically to eth9, or is it just a default/recommended port?
  • Any best practices for Sync design in ElasticXL (e.g., 10G Sync, direct connection vs switch, bonding, etc.)?
0 Kudos
1 Reply
Bob_Zimmerman
MVP Gold
MVP Gold
Monday

In ElasticXL, Sync is a normal bond in every way except its name. In clish, it's bonding group 1024. You can add any interface you want, and you can remove the default interface.

When running VSNext, Sync is owned by VS0. The other VSs don't see it.

[Expert@DallasticXL-s01-01:0]# gclish -c "show configuration" | egrep '(^[0-9]|bonding group 1024)'
1_01:
add bonding group 1024
set bonding group 1024 mode active-backup
set bonding group 1024 primary eth1-Sync
set bonding group 1024 xmit-hash-policy layer2
add bonding group 1024 interface eth1
add bonding group 1024 interface eth1-Sync
1_02:
add bonding group 1024
set bonding group 1024 mode active-backup
set bonding group 1024 primary eth1-Sync
set bonding group 1024 xmit-hash-policy layer2
add bonding group 1024 interface eth1
add bonding group 1024 interface eth1-Sync

[Expert@DallasticXL-s01-01:0]# cat /proc/net/bonding/Sync 
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200
Peer Notification Delay (ms): 0

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 2
Permanent HW addr: 00:1c:7f:ab:cd:ef
Slave queue ID: 0

As you can see, rather than renaming an interface to eth1-Sync, I've added the interface named eth1 to my Sync bond.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events