Check Point Gaia – Link Aggregation

Link aggregation, also referred to as interface bonding, joins multiple physical interfaces into a virtual bond interface. This interface can then be configured for Load Sharing (Active/Active) or High Availability (Active/Backup). HA enables redundancy in the event of a physical interface or even upstream switch failure. Load Sharing maximizes throughput by load balancing amongst the interfaces. Load sharing does not support switch redundancy, but when a switch stack is used (Cisco Catalyst 3750/3850 etc.) I see no reason why this would not work.

Below are instructions on how to set up either HA or Load Sharing using Check Point R77.10 Gaia. Please test in a lab environment before implementation in production.

Setting up a High Availability (Active/Backup) interface bond

Create bond group 1 and add interfaces eth1 and eth2. Define the mode; in this instance the bond will act in an Active/Backup configuration.

add bonding group 1
set interface bond1 state on
add bonding group 1 interface eth1
add bonding group 1 interface eth2
set bonding group 1 mode active-backup



Specify eth1 as the Active interface

set bonding group 1 primary eth1


Enable the bond (if not already enabled) and the physical interfaces, and assign an IP address. Optionally set a comment to help identify the bond.

set interface bond1 ipv4-address 192.168.10.1 mask-length 24
set interface bond1 comments "Internal"


Enable the physical interfaces (if not already enabled)

set interface eth1 state on
set interface eth2 state on

The HA bond is now configured and should work. Perform some tests by unplugging an interface and verifying there is still connectivity.

An HA bonded interface does NOT require any special configuration on the switch the physical interfaces are plugged into. The switchport interfaces should, however, be configured identically, with the same VLAN ID, and it would be advisable to enable "portfast".

Setting up a Load Sharing (Active/Active) interface bond

Create bond group 1 and add interfaces eth1 and eth2. Define the mode; in this instance the bond will act in an Active/Active configuration.

add bonding group 1
set interface bond1 state on
add bonding group 1 interface eth1
add bonding group 1 interface eth2
set bonding group 1 mode 8023AD


On a Cisco switch an EtherChannel will need to be created. Create the EtherChannel using LACP.

port-channel load-balance src-dst-ip
interface range fastethernet 0/1-2
channel-group 1 mode active
channel-protocol lacp
exit

interface port-channel 1
description "FIREWALL PORT CHANNEL"
switchport mode access
switchport access vlan 10
spanning-tree portfast
exit

The Load Sharing (Active/Active) bond is now configured and should work. Perform some tests by unplugging an interface and verifying there is still connectivity. In my tests, when unplugging an interface in a Load Sharing configuration there were no noticeable missed pings, compared to an HA configuration when I observed 1 missed ping.

Troubleshooting commands

From expert mode execute the following command – “cat /proc/net/bonding/bond1”

NOTE – “bond1” is the name of the bond previously created; change it to the name of your bond.
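
One way to turn that output into a pass/fail check, as an added example that is not part of the original post. It assumes the standard Linux bonding driver layout of /proc/net/bonding; the function name bond_check and the sample text are constructed for illustration.

```shell
# Added example. Reads /proc/net/bonding/<bond> text on stdin, prints one
# finding per line and returns 1 if the bond is degraded.
bond_check() {
    awk -F': ' '
        /^Bonding Mode:/           { mode = $2 }
        /^Currently Active Slave:/ { active = $2 }
        /^Slave Interface:/        { slave = $2; names[++n] = slave; next }
        /^Active Aggregator Info:/ { in_active = 1; next }
        /Aggregator ID:/ {
            if (slave != "")    agg[slave] = $2    # per-slave aggregator
            else if (in_active) active_agg = $2    # aggregator carrying traffic
            next
        }
        /^MII Status:/ {
            if (slave == "") bond_mii = $2
            else             mii[slave] = $2
        }
        END {
            if (n == 0) { print "FAIL no slave interfaces found"; exit 1 }
            if (bond_mii != "up") { print "FAIL bond MII status: " bond_mii; bad = 1 }
            for (i = 1; i <= n; i++) {
                s = names[i]
                if (mii[s] != "up") { print "FAIL " s " link is " mii[s]; bad = 1 }
                else if (mode ~ /802\.3ad/ && agg[s] != active_agg) {
                    # Link is up but LACP put this port in its own aggregator,
                    # e.g. the switch port is not in the same channel-group.
                    print "FAIL " s " aggregator " agg[s] ", active is " active_agg; bad = 1
                } else print "OK   " s
            }
            if (mode ~ /active-backup/) print "INFO active slave: " active
            exit bad + 0
        }'
}

# Constructed sample: 802.3ad bond where eth2 has link but did not join
# the active aggregator.
sample_lacp_mismatch() {
    cat <<'EOF'
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up
Active Aggregator Info:
    Aggregator ID: 1
Slave Interface: eth1
MII Status: up
Aggregator ID: 1
Slave Interface: eth2
MII Status: up
Aggregator ID: 2
EOF
}

sample_lacp_mismatch | bond_check || echo "bond degraded"
```

On the gateway, from expert mode, the same function can be fed the live file: bond_check < /proc/net/bonding/bond1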
