Luis_Filipe
Participant

HA clusterXL with Bond interfaces with Cisco switch

Hello,

I have a topology with 2 Check Points in ClusterXL HA mode and 2 Cisco switches.

I want to connect 2 interfaces for each gateway and build an EtherChannel between them (Check Point to switch).

Is this possible?

Thanks in advance

0 Kudos
6 Replies
Wolfgang
Authority

Luis,

Yes, that's possible.

You have to build one bond interface on each Check Point appliance and connect the interfaces of this bond to each Cisco switch.

I would prefer to use LACP as the bond protocol. To create a bond spanning both switches, they must be members of the same stack or they need something like vPC.

You can't create a bond over two separate switches.

Without vPC or a stack you can configure the bond on the Check Point appliances as HA (active-backup). But with this you can't do Load Sharing, and the passive interface is only used if the active link goes down. With a bond like this you don't need a bond configuration on the switches.

In the "Gaia R80.20 Administration Guide" you'll find a detailed description of how to configure bonds, in the chapter "Bond Interfaces (Link Aggregation)".

Wolfgang


0 Kudos
Maarten_Sjouw
Champion

The issue here is that when you want to use a bond from one cluster member to both switches (port eth2 to switch-1 and port eth3 to switch-2), those switches need to be connected with a stack module; then you can use LACP, otherwise you need to use active/backup. On the switch side you cannot create a port-channel when the switches are not in a stack.

When you connect both eth2 and eth3 of fw1 to switch-1 and eth2 and eth3 of fw2 to switch-2, then you can have port-channels on the switches.

Regards, Maarten
0 Kudos
Jerry
Mentor

Simply LACP L2 fast and off you go 🙂, not a really complicated task though.

Jerry
0 Kudos
Sven_Glock
Advisor

I can recommend avoiding L2 LACP. When you have, for example, a proxy behind the switch, all traffic that comes from the proxy will pass via the same link to the firewall.

This can cause imbalanced links within the bond. Try to use L3/4 LACP, but this needs software support on the affected switch.

On the firewall side you have to configure xmit-hash-policy layer3+4.


Regards

Sven


0 Kudos
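Sven's point about layer-2 hashing is easy to see in a small simulation. The code below is an added example, not code from this thread or from Check Point; the hash formulas are a simplified model following the Linux bonding driver documentation (Gaia is Linux-based), and every MAC, IP and port in it is constructed. It places a set of TCP flows from a single proxy onto a two-link bond under the `layer2` and `layer3+4` policies and counts how many flows land on each link.

```python
"""Simulate how a bond's xmit-hash-policy spreads flows over member links.

Constructed scenario (not from the thread): one proxy with a single MAC and IP
opens many TCP connections through the firewall. Under layer2 hashing every
frame from the proxy carries the same MAC pair, so all flows select the same
link; under layer3+4 hashing the varying source ports spread the flows.

Hash formulas are a simplified model of the Linux bonding driver's documented
policies, not Gaia's actual implementation.
"""
from collections import Counter
from ipaddress import ip_address

ETHERTYPE_IPV4 = 0x0800


def mac_last_byte(mac: str) -> int:
    """Return the last octet of a colon-separated MAC address as an int."""
    return int(mac.split(":")[-1], 16)


def layer2_slave(src_mac: str, dst_mac: str, ethertype: int = ETHERTYPE_IPV4,
                 slaves: int = 2) -> int:
    """layer2 policy: XOR of the MAC addresses' last bytes and the EtherType,
    reduced modulo the number of bond members."""
    h = mac_last_byte(src_mac) ^ mac_last_byte(dst_mac) ^ ethertype
    return h % slaves


def layer34_slave(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                  slaves: int = 2) -> int:
    """layer3+4 policy (classic form): XOR of the L4 ports, XORed with the low
    16 bits of the XOR of the IP addresses, reduced modulo the member count."""
    ip_xor = int(ip_address(src_ip)) ^ int(ip_address(dst_ip))
    h = (src_port ^ dst_port) ^ (ip_xor & 0xFFFF)
    return h % slaves


def distribute(policy: str, flows: list, slaves: int = 2) -> Counter:
    """Return a Counter mapping link index -> number of flows hashed onto it."""
    dist = Counter()
    for f in flows:
        if policy == "layer2":
            link = layer2_slave(f["src_mac"], f["dst_mac"], slaves=slaves)
        elif policy == "layer3+4":
            link = layer34_slave(f["src_ip"], f["dst_ip"],
                                 f["src_port"], f["dst_port"], slaves=slaves)
        else:
            raise ValueError(f"unknown xmit-hash-policy: {policy}")
        dist[link] += 1
    return dist


def proxy_flows(n: int = 1000) -> list:
    """Constructed traffic: one proxy (fixed MAC/IP) talking to a few web
    servers over HTTPS, using a fresh ephemeral source port per connection."""
    servers = ["203.0.113.5", "203.0.113.18", "198.51.100.9"]  # constructed
    return [
        {
            "src_mac": "00:11:22:33:44:55",   # proxy NIC (constructed)
            "dst_mac": "00:1c:7f:aa:bb:01",   # firewall bond MAC (constructed)
            "src_ip": "10.1.1.10",            # proxy address (constructed)
            "dst_ip": servers[i % len(servers)],
            "src_port": 32768 + i,            # ephemeral port per connection
            "dst_port": 443,
        }
        for i in range(n)
    ]


def compare_policies(n: int = 1000, slaves: int = 2) -> dict:
    """Run both policies over the same constructed flows; returns
    {policy: {link_index: flow_count}} for inspection or assertion."""
    flows = proxy_flows(n)
    return {p: dict(distribute(p, flows, slaves)) for p in ("layer2", "layer3+4")}


if __name__ == "__main__":
    for policy, dist in compare_policies().items():
        print(f"{policy:9s} -> flows per link: {dict(sorted(dist.items()))}")
```

With the default inputs the `layer2` run puts all 1000 flows on one link and leaves the other idle, while `layer3+4` splits them roughly in half, which is the imbalance Sven describes. On Gaia the `layer3+4` behaviour is the `xmit-hash-policy layer3+4` setting from his post; the switch side hashes independently in its own direction, so, as he notes, it needs an equivalent L3/L4 load-balancing setting or the return traffic will still pile onto one link.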
Jerry
Mentor

Hi Sven,

A proxy wasn't mentioned at all in the original post, hence my advice on L2 LACP.

I completely second your advice when it comes to proxying any traffic, but that is a matter of proper design on the application level, as you've already written.

In any case, the question is not an easy one to answer; there are dependencies to consider as well as consequences of the decisions, which definitely need to be taken into account.

Jerry
0 Kudos
Sven_Glock
Advisor

Jerry, you are absolutely right.

My advice was just a general hint, not based on the specific problems of Luis.

0 Kudos