This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scottc98
Advisor
‎2023-08-29 09:40 AM
Jump to solution

VSLS ClusterXL - Min link LACP bonds question

Question for those whom have done VSLS deployments in R81.10

I have a deployment in works that I created 4 port LACP bonds for our core connections so that I don't loose a chassis as long as we have at least one link up.

What we found was while the bonds would stay up, the cluster would go down as soon as we lost more that one link in the bond.

I've found this section regarding clusterxl and bonding that I think fits:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-...

While this 'feels' more related to traditionally load sharing mode, I wanted to check here if this also the same spot to update for a VSX VSLS deployment.  

If thats the case and I have two bonds that I want to stay up in regards to ClusterXL as long as 1 of the 4 links is up, is this the edit?

****

cphaconf bond_ls set bond1 1

cphaconf bond_ls set bond3 1

***

If this is the correct setting, a couple of followups:

1) is this survivable for reboots, JHFs or major upgrades (i.e. R81.10 to R81.20).

    - I believe reboot yes but not sure on the others

2) Once applied, is there any changes needed?    

   - The guide states policy install but is that it?

3) if i rollback, is it just "cphaconf bond_ls remove <bond#>" and push policy to have it go back to its default 'N-1' setting?

 

Got the same question to my professional service rep but trying to get a quick answer/conformation so we can get back to our validation testing.   This isn't in production yet but my clock is ticking.....

 

Thanks everyone 🙂

 

 

0 Kudos
3 Solutions

Accepted Solutions
Scottc98
Advisor
‎2023-08-29 11:02 AM
Jump to solution

Ok....thinking this is answered here 🙂 

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_VSX_AdminGuide/Topics-VSXG/C...

 

 

View solution in original post

(1)
Wolfgang
MVP Gold
MVP Gold
‎2023-08-29 11:39 AM
Jump to solution

@Scottc98   yes you are correct, the default allows only one interface to fail in a BOND.

your questions:

1. yes to all for jumbo and hotfixes and for major upgrades. As long as you did in place upgrades.

2. Works without install policy.

3. Yes

I’ve done a similar discussion for MAESTRO environments minimum required intrerfaces for LACP bond 

View solution in original post

Wolfgang
MVP Gold
MVP Gold
‎2023-08-30 07:13 AM
In response to Scottc98
Jump to solution

@Scottc98 configuration has to be done in every VS context. see Configuration in the $FWDIR/conf/cpha_bond_ls_config.conf file on VSX cluster member does not apply ...

View solution in original post

7 Replies
Scottc98
Advisor
‎2023-08-29 11:02 AM
Jump to solution

Ok....thinking this is answered here 🙂 

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_VSX_AdminGuide/Topics-VSXG/C...

 

 

(1)
the_rock
MVP Platinum
MVP Platinum
‎2023-08-29 11:36 AM
In response to Scottc98
Jump to solution

Thats exactly where its answered : - )

Andy

Best,
Andy
Wolfgang
MVP Gold
MVP Gold
‎2023-08-29 11:39 AM
Jump to solution

@Scottc98   yes you are correct, the default allows only one interface to fail in a BOND.

your questions:

1. yes to all for jumbo and hotfixes and for major upgrades. As long as you did in place upgrades.

2. Works without install policy.

3. Yes

I’ve done a similar discussion for MAESTRO environments minimum required intrerfaces for LACP bond 

Scottc98
Advisor
‎2023-08-30 06:45 AM
Jump to solution

Ok....I have a follow up question:

Are these configs all done within vs0 or do i have to go into each VS where those bonds are used?

*****

[Expert@TESTVSLS:0]# cat $FWDIR/conf/cpha_bond_ls_config.conf                                                                                                  
# File name: $FWDIR/conf/cpha_bond_ls_config.conf                                                                                                                        
# This file is used to describe for each bond in Active/Active mode                                                                                                      
# what is the required number of active slaves.                                                                                                                          
# If the number of active slaves on a bond is lower then the required                                                                                                    
# slaves number, the bond interface will be marked as DOWN.                                                                                                              
# If there is a bond interface in Active/Active, and there is no                                                                                                         
# entry for it in this file, its required slaves num will be:                                                                                                            
# The number of configured slaves minus 1.                                                                                                                               
#                                                                                                                                                                        
# Fill this file in the following syntax:                                                                                                                                
# <bond name> <number of required slaves>                                                                                                                                
# Example:                                                                                                                                                               
# bond0 2                                                                                                                                                                
                                                                                                                                                                         
bond1 1                                                                                                                                                                  
bond3 1                                                                                                                                                                  
[Expert@TESTVSLS:0]#

 

*******

Bond 1 is my management network.  After making these changes, I was able to down 3 of the 4 interfaces and keep VS0 active on the node.

Bond3 is used for VS1 VLAN networks.   When I admin down more than 2 interfaces, its following the ns-1 default.

So do I need to do the following:

1) vsenv 1 to go into the VS

2) Then do the update for Bond 3:  "cphaconf bond_ls set bond3 1"

 

I would also remove bond3 from the original file

 

So....end state, if i "cat $FWDIR/conf/cpha_bond_ls_config.conf" from VSO, i should only see the bond1

If i "cat $FWDIR/conf/cpha_bond_ls_config.conf " from VS1, I should only see bond3

 

Is that correct?

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2023-08-30 07:13 AM
In response to Scottc98
Jump to solution

@Scottc98 configuration has to be done in every VS context. see Configuration in the $FWDIR/conf/cpha_bond_ls_config.conf file on VSX cluster member does not apply ...

Scottc98
Advisor
‎2023-08-30 08:03 AM
In response to Wolfgang
Jump to solution

Thanks @Wolfgang 

 

Is it best to repeat the same config on each VS or break down the configs for only the interfaces servicing the VS(s)?  

Bond1 for example will ONLY ever be used for VS0.    

0 Kudos
Scottc98
Advisor
‎2023-08-30 11:26 AM
In response to Scottc98
Jump to solution

Alright.....this community ROCKS!   

So to answer my last question:   You can only add the interfaces on the non-VS0 VSs that has the bond assoicated to it.  So since only bond1 in my case is configured as a VLAN trunk in my VS configs, it only accepts that.

And since you are creating the file from scratch on each VS, you will have to reboot the chassis as per the SK.    For changing VS0 bonds only, you do not since the conf file already exists on the box. 

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events