Bond Interfaces (Link Aggregation)

Check Point security devices support Link Aggregation, a technology that joins multiple physical interfaces into one virtual interface, known as a bond interface.

The bond interface share the load among many interfaces, which gives fault tolerance and increases throughput. Check Point devices support the IEEE 802.3ad Link Aggregation Control Protocol (LCAP) for dynamic link aggregation.

Item No.	Instructions
1	Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.
1A	Interface 1
1B	interface 2
2	Bond Interface
3	Router

A bond interface (also known as a bonding group or bond) is identified by its Bond ID (for example: bond1) and is assigned an IP address. The physical interfaces included in the bond are called slaves and do not have IP addresses.

You can define a bond interface to use one of these functional strategies:

High Availability (Active/Backup):

Gives redundancy when there is an interface or a link failure. This strategy also supports switch redundancy. Bond High Availability works in Active/Backup mode - interface Active/Standby mode. When an Active slave interface is in the down state, the connection automatically fails over to the primary slave interface. If the primary slave interface is not available, the connection fails over to a different slave interface.

Load Sharing (Active/Active):

All slave interfaces in the UP state are used simultaneously. Traffic is distributed among the slave interfaces to maximize throughput. Bond Load Sharing does not support switch redundancy.

Note - Bonding Load Sharing mode requires SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. to be enabled on the Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. (this is the default).

You can configure Bond Load Sharing to use one of these modes:

Mode	Description
Round Robin	Selects the Active slave interfaces sequentially.
802.3ad	Dynamically uses Active slave interfaces to share the traffic load. This mode uses the LACP protocol, which fully monitors the interface link between the Check Point Security Gateway and a switch.
XOR	All slave interfaces in the UP state are Active for Load Sharing. Traffic is assigned to Active slave interfaces based on one of these transmit hash policies: Layer 2 information (XOR of hardware MAC addresses) Layer 3+4 information (IP addresses and Ports)

Mode

Description

Round Robin

Selects the Active slave interfaces sequentially.

802.3ad

Dynamically uses Active slave interfaces to share the traffic load.

This mode uses the LACP protocol, which fully monitors the interface link between the Check Point Security Gateway and a switch.

XOR

All slave interfaces in the UP state are Active for Load Sharing.

Traffic is assigned to Active slave interfaces based on one of these transmit hash policies:

Layer 2 information (XOR of hardware MAC addresses)
Layer 3+4 information (IP addresses and Ports)

For Bonding High Availability mode and for Bonding Load Sharing mode:

The number of bond interfaces that can be defined is limited by the maximal number of interfaces supported by each platform.

See the R80.20SP Quantum Maestro Release Notes.
Up to 8 physical slave interfaces can be configured in one bond interface.