CheckMates forum, General Topics
Using bonded interface on management appliances?
I observe this situation pretty much every time I am on client's premises:
There are clustered gateways or VSX appliances in separate racks.
There is typically a single management appliance per-site with single Mgmt interface connected to the network, (not counting LOM and Console).
Is there any downside to creating a bonded interface, connecting it to two clustered switches located in separate racks and using it for administration?
This approach should help with the situation when connectivity to one of the switches is interrupted or if one of the switches is offline.
Your thoughts?
As long as it uses L2, not L3, bonding ... and 802.3ad (proper LACP), it all works. Have had lots of scenarios with it, inc. R80.10, where round-robin on L3 bonding collapsed. That's a big topic, mate ... lots to mention, too much for a single line.
Thanks,
I am talking strictly about HA capability for management appliances, so active/standby only, no need for round-robin.
All of Check Point's SMS code consists of user-space processes, and thus has no direct visibility into how the underlying interfaces are configured at the Gaia OS level, as the kernel provides a layer of abstraction between processes and the underlying hardware. The gateway is a different story, though, since most of Check Point's inspection code resides in kernel space and can directly touch the underlying hardware.
Bonded interfaces should be no problem for an SMS, assuming the bond itself is set up correctly in Gaia and the bonding settings match the attached switches.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
Self-Guided Video Series Coming Soon
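The "set up correctly" caveat above is the part that bites in practice: an active-backup bond on the management interface keeps SmartConsole reachable after one switch dies, so nobody notices that the redundancy is now gone until the second link fails. The script below is an added example, not code from the original thread or from Check Point; it parses the Linux bonding driver's status file, which Gaia exposes in expert mode as /proc/net/bonding/bondN (clish `show bonding group <id>` gives the same picture from the CLI). It assumes the bond members are eth1 and eth2 and that the bond runs in active-backup mode; the two sample status files are constructed, not captured from an appliance. The exit code distinguishes "bond down" from "bond up but a member lost", which is the condition worth alerting on.

```shell
#!/bin/sh
# Added example: check that a Gaia bond still has every member alive.
# Gaia (expert mode) exposes the live state of bondN at
# /proc/net/bonding/bondN; bond_status parses one such file.
# Exit status: 0 = all members up, 1 = bond up but a member is down
# (traffic still flows, redundancy is gone), 2 = the bond itself is down.

bond_status() {
    f="$1"
    mode=$(awk -F': ' '/^Bonding Mode:/ {print $2; exit}' "$f")
    # Only active-backup reports an active member; 802.3ad output has none.
    active=$(awk -F': ' '/^Currently Active Slave:/ {print $2; exit}' "$f")
    # The first "MII Status" line belongs to the bond, later ones to members.
    bond_mii=$(awk -F': ' '/^MII Status:/ {print $2; exit}' "$f")
    members=$(awk -F': ' '/^Slave Interface:/ {name=$2}
                          /^MII Status:/ && name != "" {print name "=" $2}' "$f")
    total=0; up=0; down=""
    for m in $members; do
        total=$((total + 1))
        case "$m" in
            *=up) up=$((up + 1)) ;;
            *)    down="$down ${m%%=*}" ;;
        esac
    done
    printf 'mode=%s active=%s bond_mii=%s members_up=%d/%d down=%s\n' \
        "$mode" "${active:-n/a}" "$bond_mii" "$up" "$total" "${down# }"
    [ "$bond_mii" = "up" ] || return 2
    [ "$up" -eq "$total" ] || return 1
    return 0
}

# Constructed sample (not captured from a real appliance) in the format the
# Linux bonding driver writes for an active-backup bond with both links up.
HEALTHY_FILE=$(mktemp)
cat > "$HEALTHY_FILE" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0

Slave Interface: eth2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
EOF

# Same bond after the switch behind eth2 went away: eth1 still carries the
# management traffic, so SmartConsole keeps working and nobody notices.
DEGRADED_FILE=$(mktemp)
cat > "$DEGRADED_FILE" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0

Slave Interface: eth2
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 1
EOF

bond_status "$HEALTHY_FILE"
bond_status "$DEGRADED_FILE" || echo "rc=$? : redundancy lost, raise an alert"
```

On a real appliance, replace the sample path with /proc/net/bonding/bond1 (or whatever bond ID you created) and run it from cron or your monitoring agent; a return code of 1 is the "silent" failure an active-backup bond masks, and a return code of 2 means the management server is off the network regardless of how many members the bond has.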
Thanks.
I've done it before using LACP HA mode, but, never having seen it elsewhere, I was trying to see if there were any downsides to it.
DOWNSIDES
One 'downside' I see is the advanced planning, configuration and troubleshooting effort required for LACP bonded interfaces. Another 'downside' is the perceived redundancy resulting from bonded interfaces, redundant PSUs, hard-disk RAID, etc., while it's still only one chassis, meaning no physical redundancy (separate racks, rooms), no hard-disk dd dumps, no instant fallback solutions, limitations on redundant hard disks and PSUs that are only available on expensive high-end Smart-1 appliances (225, 3050, 3150), and so on.
VIRTUALIZATION
I prefer running the SmartCenter as a VM host within VMware ESXi instead of maintaining a physical appliance. This allows for easy VM snapshots and reverts making it easy and safe to quickly test a new hotfix, migration, whatever.
MANAGEMENT HIGH AVAILABILITY
In cases where a physical management appliance has to meet advanced redundancy requirements, I recommend adding a secondary management appliance to get a real Management-HA solution.
Danny,
The advanced planning is hardly a downside: have you seen the T-shirt with the "Four weeks of coding can save two days of planning" sign on it? :)
The bonded interfaces on management appliances by no means are the substitute for full Management HA, but simply are a means to improve per-site redundancy in case of the switch or connectivity failure.
I'm just looking at it from perspective of people investing in gateway redundancy and fail over capability on per-site basis, and helping them to achieve the same with management.
Personally, I am also a big fan of the flexibility afforded by VM implementation of management and in most instances it is also what I recommend.
But in cases where the client invests in 3050s with 256GB of RAM and other bells and whistles, the use of bonded interfaces may be warranted.
Thank you,
Vladimir
