This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_Hennebe1
Participant
‎2019-03-07 07:15 AM

R80.20 - LACP Interface to VPC

Hello together,

I am planning a new installation of two 6500 Appliances in a ClusterXL deployment. The Appliances will each be connected to a VPC-Domain consisting of two Nexus 9K.

I would like to create a BOND / LACP Interface on each Appliance, where  NIC 1 is connected to VPC Member 1 and NIC 2 is connected to VPC Member 2.  The goal of this approach would be to increase bandwith and to increase resilience (I would like to update one VPC Member without failing over the firewall cluster).

My question: Shall I configure the bond interface as HA or can I use Load Sharing? According to the R80.20 Admin Guide and ClusterXL Guide, both are valid configurations. The thing I don't understand is that one supports "switch redundancy" and the other not:

  • High Availability (Active/Backup): Gives redundancy when there is an interface or a link failure. This strategy also supports switch redundancy. Bond High Availability works in Active/Backup mode - interface Active/Standby mode. When an Active slave interface is down, the connection automatically fails over to the primary slave interface. If the primary slave interface is not available, the connection fails over to a different slave interface.
  • Load Sharing (Active/Active): All slave interfaces in the UP state are used simultaneously. Traffic is distributed among the slave interfaces to maximize throughput. Bond Load Sharing does not support switch redundancy

Unfortunately I can't find any further explenation about this. What is meant with 'switch redundancy' in this context? Logically the VPC-Domain acts as a single Switch anyway....

Thanks for your help and many greetings from Germany.

Thomas

0 Kudos
10 Replies
Vincent_Andrie1
Explorer
‎2019-03-07 12:08 PM

Hi Thomas, 

what you need is the Load-Sharing Active/Active setup. The checkpoint Load-Sharing works perfectly with a Cisco vPC. 

The "switch redundancy" part is indeed a bit confusing. I think what they mean is that you can not connect a bond in HA mode to 2 different (separate) switches, thus 'not' making it redundant.

The explanation seems to exclude switch stacks or vPC setups. 

If you configure your vPC on the Cisco and Checkpoint side, just make sure you use the same hashing algorithm (preferably Layer3+4) and the same LACP rate (preferably fast rate). 

if you are working with Nexus, also double check the used frame size. 

Harmesh_Yadav
Collaborator
‎2019-12-22 09:32 PM
In response to Vincent_Andrie1

Dear team ,

 

We have two checkpoint(R80.10) In Active - Passive (HA ) Setup .

 

Destination side Nexus 9K (with latest version firmware), so we have configured Bond Checkpoint side and nexus side ether channel with VPC configuration .

 

Checkpoint Side 2 10G interface and we have created Bond and after that In this interface there are multiple vlan subinterface we have created .

we have tried to setup but cluster showing down becuase of communication is not happening to pri checkpoint to sec checkpoint by that specific sub interface .

 

Can you please help us that  vpc should work or any limitation is there ?

 

 

Harmesh Yadav
0 Kudos
Thomas_Hennebe1
Participant
‎2019-03-07 10:41 PM

Hello Vincent,

thanks a lot for your detailled and spot on answer, this was exactly the information I needed 😉

0 Kudos
Jerry
Mentor
Mentor
‎2019-03-08 01:16 AM

question from my side though:

- are you planning VSX or stand-alone Manged deployment?

- do you need LACP or it can really be just a "bond"-ing approach? I bet Cisco will figure both just fine Smiley Happy

- how do you levarage the traffic flow throughout the gateways? what's your plan? is the redundancy the only aspect you've been thinking about really?

once you answer those I could share some of my experiences with not-really-any-longer favorite LSM mode ...

Jerry

ps. search our community and see why LSM on R80.20 is no longer a best-possible-option for most of the deployments.

Jerry
0 Kudos
Thomas_Hennebe1
Participant
‎2019-03-08 01:28 AM
In response to Jerry

Hi Jerry,

I don't plan on using LSM/Smart Provisioning. I will only have one virtualiued Mgmt-Server, a Cluster of 6500 (no Maestro) and maybe a few CloudGuaed IaaS in the future.

LACP/Bonding is only there to increase bandwith and increase resiliance.

Best regards,

Thomas

0 Kudos
Jerry
Mentor
Mentor
‎2019-03-08 01:31 AM
In response to Thomas_Hennebe1

excellent, so now you need to read this thread mate Smiley Happy

https://community.checkpoint.com/message/41165-is-cp-planning-to-support-load-sharing-in-future-rele...

Jerry
0 Kudos
Thomas_Hennebe1
Participant
‎2019-03-08 01:42 AM
In response to Jerry

Thanks for the great link!

I think we are speaking about different things here though. AFAIK: ClusterXL Load Share != LACP Interface Load Share.

Or have I missunderstood the different technologies/terms here? I don't want to do ClusterXL Load-Sharing ( I consider this a bad idea in regards to Complexity <> Performance), just LACP-Interface-Active-Active.

0 Kudos
Jerry
Mentor
Mentor
‎2019-03-08 02:05 AM
In response to Thomas_Hennebe1

nop. we don't. see your 1st line: "I am planning a new installation of two 6500 Appliances in a ClusterXL deployment".

I was just referring to the LSM A/A and your approach to the aggregation. Think about it.

Jerry
0 Kudos
Thomas_Hennebe1
Participant
‎2019-03-08 02:18 AM
In response to Jerry

A gotcha! Ok, thanks.

0 Kudos
Ivan_Kusturic
Participant
‎2020-02-11 12:19 AM
In response to Thomas_Hennebe1

Hi Thomas,

Could you please tell me what was the solution to your configuration? We are having exactly the same setup with VSX and experiencing multiple issues.

If I understood correctly - you can't have bond with active-active setup configured on cluster in HA mode?

Thanks,

Ivan

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events