This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Filipe
Participant
‎2019-05-10 01:44 AM

HA clusterXL with Bond interfaces with Cisco switch

Hello,

I have a topology with 2 checkpoints in ClusterXL HA mode, and 2 switches Cisco.

I want to connect 2 interfaces for each gateway and perform an ether channel between them (checkpoint-switch).

This is possible?

Thanks in advance

0 Kudos
6 Replies
Wolfgang
MVP Gold
MVP Gold
‎2019-05-10 04:34 AM

Luis,

yes that's possible.

You have to build one bond interface on one CheckPoint appliance and connect the interfaces of these bond to each CISCO-switch.

I would prefer to use LACP as BOND protocol. To create a BOND  spanning over  both switches they must be member of the same stack or they need something like vPC.

You can't create a bond over two separate switches.

Without having vPC or stack you can configure the BOND on the CheckPoint appliances as HA (active-backup). But with this you can't do LoadSharing and the passive interface is only used if the active link goes down. With a bond like this you don't need a BOND configuration on the switches.

In the "Gaia R80.20 Administration Guide"  you'll find a detailled description how to configure BONDs, chapter "Bond Interfaces (Link Aggregation)"

Wolfgang

 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-05-10 06:08 AM
In response to Wolfgang

The issue here is that when you want to use a bond from one cluster member to both switches (port eth2 to swi-1 and port eth3 to switch-2, those switches need to be connected with a stack module then you can use LACP otherwise you need to use active/backup. On the switch side you cannot create a portchannel when the switches are not in a stack.
When you connect fw1 both eth2 and eth3 to switch-1 and fw2 eth2 and eth3 to switch-2 then you can have port channels on the switches.
Regards, Maarten
0 Kudos
Jerry
Mentor
Mentor
‎2019-05-10 06:42 AM

simply LACP L2 Fast and off you go 🙂 not really complicated task though.

Jerry
0 Kudos
Sven_Glock
Advisor
‎2019-05-10 09:30 AM
In response to Jerry

I can recommend to avoid L2 LACP. When having for example a proxy behind the switch all traffic that comes from the proxy will pass via the same link to the firewall.

This can cause disbalanced links within the bond. Try to use L3/4 LACP, but this needs software support on the affected switch.

On firewall side you have to configure  xmit-hash-policy layer3+4.

 

Regards

Sven

 

0 Kudos
Jerry
Mentor
Mentor
‎2019-05-10 12:02 PM
In response to Sven_Glock

hi Sven

 

proxy wasn't mentioned at all by the original post hence my advise on L2 LACP.

I completely second your advise when it comes to the proxying any traffic indeed, but that is a matter of a proper design on application level as you've already wrote.

In any case the question is not an easy one to answer, there are dependencies to consider as well as consequences of the decisions which definitely need to be taken into the account.

Jerry
0 Kudos
Sven_Glock
Advisor
‎2019-05-12 01:50 AM
In response to Jerry

Jerry, you are absolutly right.

My advaice was just a general hint not based on the specific problems of Luis.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events