Performance Guidelines for Bonding

To get the best performance, configure the SecureXL Affinity in static mode for the slave interfaces.

Setting Affinities

If you are running SecureXL in a multi-core system, after you define bonds, set affinities manually. Use the sim affinity -s command.

Note - The sim affinity commands take effect only if the SecureXL is enabled and actually running. SecureXL begins running when you install a Policy for the first time.

For optimal performance, set affinities according to the following guidelines:

1. Run:

   sim affinity -s

2. Whenever possible, dedicate one processing core to each interface. See R80.10 Performance Tuning Administration Guide.
3. If there are more interfaces than CPU cores, one or more CPU cores handle two interfaces.

   Use interface pairs of the same position with internal and external bonds.

   1. To view interface positions in a bond, run:

      cat /proc/net/bonding/<bond name>.

   2. Note the sequence of the interfaces in the output, and compare this for the two bonds (external bond and its respective internal bond).

      Interfaces that appear in the same position in the two bonds are interface pairs and set to be handled by one processing core.

   For example, you might have four processing cores (0-3) and six interfaces (0-5), distributed among two bonds:

   bond0	bond1
   eth0	eth3
   eth1	eth4
   eth2	eth5

   Two of the CPU cores will need to handle two interfaces each. An optimal configuration can be:

   bond0		bond1
   eth0	core 0	eth3	core 0
   eth1	core 1	eth4	core 1
   eth2	core 2
   		eth5	core 3

Monitoring Bond Interfaces

Description

Shows the configuration of bond interfaces and their slave interfaces.

Syntax in Expert mode

cphaconf show_bond {-a | <bond_name>}

Where:

Command	Description
cphaconf show_bond -a	Shows configuration of all configured bond interfaces
cphaconf show_bond <bond_name>	Shows configuration of the specified bond interface

Example

[Expert@MemberB]# cphaconf show_bond boond0   Bond name: bond0 Bond mode: Load Sharing Bond status: UP Balancing mode: 802.3ad Layer3+4 Load Balancing Configured slave interfaces: 4 In use slave interfaces: 4 Required slave interfaces: 2 Slave name | Status | Link ----------------+-----------------+------- eth2 | Active | Yes eth3 | Active | Yes eth4 | Active | Yes eth5 | Active | Yes

The output shows:

• Configured slave interfaces
• Required slave interfaces
• Status of slave interface:
  • Active - This slave interface is currently handling traffic.
  • Backup - (Bond High Availability only) This slave interface is ready and can support internal bond failover.
  • Not Available - (Bond High Availability only) The physical link on this slave interface is broken, or the Cluster member is in status down. The bond cannot failover in this state.
• Status of link on slave interface - The status of the physical link on this slave interface (Yes or No).

Troubleshooting Bonded Interfaces

In This Section Troubleshooting Workflow Connectivity Delays on Switches

Troubleshooting Workflow

1. Check the status of the bond.
2. If there is a problem, see if the physical link is down:
   1. Run:

      cphaconf show_bond <bond_name>

   2. Look for a slave interface that reports the status of the link as no.
   3. Check the cable connections and other hardware.
   4. Check the port configuration on the switch.
3. See if a cluster member is down:

   cphaprob state

   If any of the cluster members have a firewall State other than active, continue with the cphaprob state troubleshooting.

4. View the logs in Logs & Monitor > Logs.

In a VSX member, reboot is needed after the following actions on a bond interface:

1. Changing a bond mode.
2. Adding a slave into a bond

   Note - Removing a slave does not require reboot.

Connectivity Delays on Switches

When using certain switches, connectivity delays may occur during some internal bond failovers. With the various features that are now included on some switches, it can take close to a minute for a switch to begin servicing a newly connected interface. These are suggestions for reducing the startup time after link failure.

1. Disable auto-negotiation on the relevant interface.
2. On some Cisco switches, enable the PortFast feature.
3. Disable STP on the ports.

Warnings about PortFast

The PortFast feature should never be used on ports that connect to switches or hubs. It is important that the Spanning Tree complete the initialization procedure in these situations. Otherwise, these connections may cause physical loops where packets are continuously forwarded (or even multiply) in such a way that can cause the network to fail.

Sample Configuration of PortFast Feature on a Cisco Switch

The following are the commands necessary to enable PortFast on a Gigabit Ethernet 1/0/15 interface of a Cisco 3750 switch running IOS.

1. Enter configuration mode:

   cisco-3750A# conf t

2. Specify the interface to configure:

   cisco-3750A(config)# interface gigabitethernet1/0/15

3. Set PortFast on this port:

   cisco-3750A(config-if)# spanning-tree portfast

   cisco-3750A(config-if)# end

4. Save the configuration:

   cisco-3750A# write