Bond Interfaces (Link Aggregation)

Check Point security devices support Link Aggregation, a technology that joins multiple physical interfaces into one virtual interface, known as a bond interface. The bond interface share the load among many interfaces, which gives fault tolerance and increases throughput. Check Point devices support the IEEE 802.3ad Link Aggregation Control Protocol (LCAP) for dynamic link aggregation.

Item No.	Description
1	Security Gateway
1A	Interface 1
1B	interface 2
2	Bond Interface
3	Router

A bond interface (also known as a bonding group or bond) is identified by its Bond ID (for example: bond1) and is assigned an IP address. The physical interfaces included in the bond are called slaves and do not have IP addresses.

You can define a bond interface to use one of these functional strategies:

High Availability (Active/Backup): Gives redundancy when there is an interface or a link failure. This strategy also supports switch redundancy. Bond High Availability works in Active/Backup mode - interface Active/Standby mode. When an Active slave interface is down, the connection automatically fails over to the primary slave interface. If the primary slave interface is not available, the connection fails over to a different slave interface.
Load Sharing (Active/Active): All slave interfaces in the UP state are used simultaneously. Traffic is distributed among the slave interfaces to maximize throughput. Bond Load Sharing does not support switch redundancy.
Note - Bonding Load Sharing mode requires SecureXL to be enabled on Security Gateway or each Cluster Member.

You can configure Bond Load Sharing to use one of these modes:
- Round Robin - Selects the Active slave interfaces sequentially.
- 802.3ad - Dynamically uses Active slave interfaces to share the traffic load. This mode uses the LACP protocol, which fully monitors the interface link between the Check Point Security Gateway and a switch.
- XOR - All slave interfaces in the UP state are Active for Load Sharing. Traffic is assigned to Active slave interfaces based on the transmit hash policy: Layer 2 information (XOR of hardware MAC addresses), or Layer 3+4 information (IP addresses and Ports).

For Bonding High Availability mode and for Bonding Load Sharing mode:

The number of bond interfaces that can be defined is limited by the maximal number of interfaces supported by each platform. See the R80.20 Release Notes.
Up to 8 slave interfaces can be configured in a single High Availability or Load Sharing bond interface.

Configuring Bond Interfaces - Gaia Portal

To configure a bond interface:

Step	Description
1	In the navigation tree, click Network Management > Network Interfaces.
2	Make sure that the slave interfaces, which you wish to add to the Bond interface, do not have IP addresses.
3	For a new bond interface, select Add > Bond. To edit an existing Bond interface, select the Bond interface and click Edit.
4	On the IPv4 tab, enter the IPv4 address and subnet mask. You can optionally select the Obtain IPv4 Address automatically option.
5	On the IPv6 tab (optional), enter the IPv6 address and mask length. You can optionally select the Obtain IPv6 Address automatically option. Important - First, you must enable the IPv6 Support and reboot.
6	On the Bond tab: Select or enter a Bond Group ID. This parameter is an integer between 0 and 1024. Select the slave interfaces from the Available Interfaces list and then click Add. Note - Make sure that the slave interfaces do not have any IP addresses or aliases configured. Select an Operation Mode: Round Robin (default) - Bond uses all slave interfaces sequentially (High Availability + Load Sharing) Active-Backup - Bond uses one slave interface at a time (High Availability) XOR - Bond uses slave interfaces based on a hash function (High Availability + Load Sharing) 802.3ad - Dynamic bonding according to IEEE 802.3ad (Load Sharing)
7	On the Advanced tab: Set the required MTU for your network (if not sure, leave the default value). Set the Monitor Interval - How much time to wait between checking each slave interface for link-failure. The valid range is 1-5000 ms. The default is 100 ms. Set the Down Delay - How much time to wait, after sending a monitor request to a slave interface, before bringing down the slave interface. The valid range is 1-5000 ms. The default is 200 ms. Set the Up Delay - How much time to wait, after sending a monitor request to a slave interface, before bringing up the slave interface. The valid range is 1-5000 ms. The default is 200 ms.
8	Additional configuration settings are available depending on the selected Bond Operation Mode: If selected the Round Robin bond operation mode, then there are no additional configuration settings. If selected the Active-Backup bond operation mode, then select the Primary Interface If selected the XOR bond operation mode, then select the Transmit Hash Policy - the algorithm for slave interface selection according to the specified TCP/IP Layer. Select either Layer 2 (uses XOR of the physical interface MAC address), or Layer 3+4 (uses Layer 3 and Layer 4 protocol data). If selected the 802.3ad bond operation mode, then perform these two steps: Select the Transmit Hash Policy - the algorithm for slave interface selection according to the specified TCP/IP Layer. Select either Layer 2 (uses XOR of the physical interface MAC address), or Layer 3+4 (uses IP addresses and Ports). Select the LACP Rate - how frequently the LACP partner should transmit LACPDUs. Select either Slow (every thirty seconds), or Fast (every one second).
9	Click OK.

Configuring Bond Interfaces - Gaia Clish

In the CLI, bond interfaces are known as bonding groups.

Important: After you run a Gaia Clish command to add, configure, or delete an object, run the save config command to save the settings permanently.

To create a bond interface in the Gaia Clish:

Step	Description
1	Make sure that the slave interfaces do not have IP addresses.
2	Create the bond interface.
3	Define the slave interfaces and set them to the UP state.
4	Set the bond operating mode.
5	Define other bond parameters: primary interface, media monitoring, and delay rate.

Link Aggregation (Bonding) - Quick Reference for Gaia Clish Commands

This is a quick reference for Link Aggregation commands. Use these commands to configure Link Aggregation.

Note - You configure an IP address on a Bonding Group in the same way as you do on a physical interface.

Syntax

To add a new Bonding Group and add a new slave to it:

add bonding group <Bond Group ID>
To add a new slave interface to a Bonding Group:

add bonding group <Bond Group ID> interface <Name of Slave Interface>

Note - Make sure that the slave interfaces, which you wish to add to the Bonding Group, do not have IP addresses.

To configure a Bonding Group:

set bonding group <Bond Group ID>

mode active-backup [primary <Name of Slave Interface>]

mode round-robin

mode 8023AD [lacp-rate {slow | fast}]

mode xor xmit-hash-policy {layer2 | layer3+4}

[up-delay <0-5000>]

[down-delay <0-5000>]

[monitoring-type {arp <options> | mii <options>}]

To show Bonding Group configuration:

show bonding {group <Bond Group ID> | groups}
To delete a slave interface from a Bonding Group, or an entire a Bonding Group:

delete bonding group <Bond Group ID> [interface <Interface Name> | force-ignore-routes]

To delete the bonding group:

delete bonding group <Bond Group ID> interface <Name of Slave Interface 1>

delete bonding group <Bond Group ID> interface <Name of Slave Interface ...>

delete bonding group <Bond Group ID> interface <Name of Slave Interface N>

delete bonding group <Bond Group ID>

Important - After you add, configure, or delete features, run the save config command to save the settings permanently.

Parameters

Parameter	Description
<Bond Group ID>	Configures the Bond Group ID. Range: 0 - 1024 Default: No default value
<Name of Slave Interface>	Specifies the name of the slave physical interface, which you add to (or remove from) the bond group. Make sure that the slave interfaces do not have any IP addresses or aliases configured.
`mode`	Configures the Bond operating mode: `round-robin`: Bond uses all slave interfaces sequentially (High Availability + Load Sharing). This is the default mode. `active-backup [primary <`Name of Slave Interface`>]`: Bond uses one slave interface at a time (High Availability) `xor xmit-hash-policy {layer2 \| layer3+4}`: Bond uses slave interfaces based on a hash function (High Availability + Load Sharing) `8023AD [lacp-rate {slow \| fast}]`: Dynamic bonding according to IEEE 802.3ad (Load Sharing)
`primary`	Specifies the name of the primary slave interface in the bond. The first slave interface added to the bond group, becomes the primary. Note - Applies only to the active-backup bond mode.
`up-delay <0-5000>`	Specifies the time in milliseconds to wait before enabling a slave after link recovery was detected. Range: 0 - 5000 ms Default: 200 ms
`down-delay <0-5000>`	Specifies the time in milliseconds to wait before disabling a slave after link failure was detected. Range: 0 - 5000 ms Default: 200 ms
`lacp-rate`	Specifies the Link Aggregation Control Protocol packet transmission rate: `slow` - LACPDU packets are sent every 30 seconds `fast` - LACPDU packets are sent every second Note - Applies only to the 802.3AD bond mode.
`monitoring-type`	Specifies the Bond monitoring type: `arp` - ARP monitoring `mii` - Media monitoring
`xmit-hash-policy`	Specifies the algorithm to use for assigning the traffic to Active slave interfaces: `layer2` - Based on the XOR of hardware MAC addresses `layer3+4` - Based on the IP addresses and Ports Note - Applies only to the XOR bond mode.

Example 1 - Active-Backup mode with default settings

gaia> add bonding group 1

gaia> add bonding group 1 interface eth2

gaia> add bonding group 1 interface eth3

gaia> set bonding group 1 mode active-backup primary eth2

gaia> show bonding group 1

Bond Configuration

xmit-hash-policy Not configured

down-delay 200

primary eth2

monitoring-type Not configured

arp-target-ip Not configured

lacp-rate Not configured

mode active-backup

up-delay 200

mii-interval 100

Bond Interfaces

eth2

eth3

gaia>

Example 2 - XOR mode with default settings

gaia> add bonding group 1

gaia> add bonding group 1 interface eth2

gaia> add bonding group 1 interface eth3

gaia> set bonding group 1 mode xor xmit-hash-policy layer3+4

gaia> show bonding group 1

Bond Configuration

xmit-hash-policy layer3+4

down-delay 200

primary Not configured

monitoring-type Not configured

arp-target-ip Not configured

lacp-rate Not configured

mode xor

up-delay 200

mii-interval 100

Bond Interfaces

eth2

eth3

gaia>

Example 3 - XOR mode with monitoring type 'mii'

gaia> add bonding group 1

gaia> add bonding group 1 interface eth2

gaia> add bonding group 1 interface eth3

gaia> set bonding group 1 mode xor xmit-hash-policy layer3+4

gaia> set bonding group 1 monitoring-type mii mii-interval 50

gaia> show bonding group 1

Bond Configuration

xmit-hash-policy layer3+4

down-delay 100

primary Not configured

monitoring-type mii

arp-target-ip 0

lacp-rate Not configured

mode xor

up-delay 100

mii-interval 50

Bond Interfaces

eth2

eth3

gaia>

Example 4 - XOR mode with monitoring type 'arp'

gaia> add bonding group 1

gaia> add bonding group 1 interface eth2

gaia> add bonding group 1 interface eth3

gaia> set bonding group 1 mode xor xmit-hash-policy layer3+4

gaia> set bonding group 1 monitoring-type arp arp-target-ip 192.168.1.1

gaia> show bonding group 1

Bond Configuration

xmit-hash-policy layer3+4

down-delay 0

primary Not configured

monitoring-type arp

arp-target-ip 192.168.1.1

lacp-rate Not configured

mode xor

up-delay 0

mii-interval 0

Bond Interfaces

eth2

eth3

gaia>

Creating a Bond Interface

Syntax

add bonding group <Bond Group ID>

Example

gaia> add bonding group 777

Note - Do not change the state of bond interface manually using the set interface <Bond ID> state command. This is done automatically by the bonding driver.

Adding Slave Interfaces to a Bond

Syntax

add bonding group <Bond Group ID> interface <Name of Slave Interface>

Example

gaia> add bonding group 777 interface eth4

gaia> add bonding group 777 interface eth5

Notes:

The slave interfaces must not have IP addresses assigned to them.
The slave interfaces must not have aliases assigned to them.
A bond interface can contain between two and eight slave interfaces.

Deleting Slave Interfaces from a Bond

Syntax

delete bonding group <Bond Group ID> interface <Name of Slave Interface>

Example

gaia> delete bonding group 777 interface eth4

Note - You must delete all non-primary slave interfaces before you remove the primary slave interface.

Deleting a Bond Interface

Syntax

delete bonding group <Bond Group ID>

Example

gaia> delete bonding group 777

Notes:

You must delete all non-primary slave interfaces before you remove the primary slave interface.
You must delete all slave interfaces from the bond before you remove the bond interface.
Do not change the state of bond interface manually using the set interface bondID state command. This is done automatically by the bonding driver.

Configuring the Bond Operating Mode

Bond operating mode specifies how slave interfaces are used in a bond interface.

Syntax

set bonding group <Bond Group ID> mode

round-robin

active-backup [primary <Name of Slave Interface>]

xor xmit-hash-policy {layer2 | layer3+4}

8023AD [lacp-rate {slow | fast}]

Example

gaia> set bonding group 1 mode active-backup primary eth2

gaia> set bonding group 2 mode xor xmit-hash-policy layer3+4

Notes:

The Active-Backup mode supports configuration of the primary slave interface.
The XOR mode requires the configuration of the transmit hash policy.
The 8023AD mode supports the configuration of the LACP packet transmission rate.

Configuring the Bond Monitoring

You can configure the monitoring of the slave interfaces for link-failure.

Syntax

set bonding group <Bridge Group ID> monitoring-type

arp arp-target-ip <IPv4 Address>

mii mii-interval<0-5000>

Example

gaia> set bonding group 1 monitoring-type arp arp-target-ip 192.168.1.1

gaia> set bonding group 1 monitoring-type mii mii-interval 50

Note - The default mii-interval value is 100 ms.

Configuring the Up Delay and Down Delay Times

The Up-Delay specifies show much time in milliseconds to wait before enabling a slave after link recovery was detected.

Syntax

set bonding group <Bond Group ID> up-delay <0-5000>

Example

gaia> set bonding group 1 up-delay 100

Note - The default up-interval value is 200 ms.

The Down-Delay specifies how much time in milliseconds to wait before disabling a slave after link failure was detected

Syntax

set bonding group <Bond Group ID> down-delay <0-5000>

Example

gaia> set bonding group 1 down-delay 100

Note - The default down-interval value is 200 ms.

Making Sure that Bond Interface is Working

To make sure that a Bond interface is working, run this command in Expert mode:

[Expert@Gaia:0]# cat /proc/net/bonding/<Bond Group ID>

Example output for Round Robin mode:

[Expert@Gaia:0]# cat /proc/net/bonding/bond1

Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: load balancing (round-robin)

MII Status: up

MII Polling Interval (ms): 100

Up Delay (ms): 200

Down Delay (ms): 200

Slave Interface: eth2

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:69

Slave Interface: eth3

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:70

[Expert@Gaia:0]#

Example output for Active-Backup mode:

[Expert@Gaia:0]# cat /proc/net/bonding/bond1

Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: fault-tolerance (active-backup)

Primary Slave: eth2

Currently Active Slave: eth2

MII Status: up

MII Polling Interval (ms): 100

Up Delay (ms): 200

Down Delay (ms): 200

Slave Interface: eth2

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:69

Slave Interface: eth3

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:70

[Expert@Gaia:0]#

Example output for XOR mode:

[Expert@Gaia:0]# cat /proc/net/bonding/bond1

Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: load balancing (xor)

Transmit Hash Policy: layer2 (0)

MII Status: up

MII Polling Interval (ms): 100

Up Delay (ms): 200

Down Delay (ms): 200

Slave Interface: eth2

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:69

Slave Interface: eth3

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:70

[Expert@Gaia:0]#

Example output for 802.3ad mode:

[Expert@Gaia:0]# cat /proc/net/bonding/bond1

Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation

Transmit Hash Policy: layer2 (0)

MII Status: up

MII Polling Interval (ms): 100

Up Delay (ms): 200

Down Delay (ms): 200

802.3ad info

LACP rate: slow

Slave Interface: eth2

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:69

Aggregator ID: 1

Slave Interface: eth3

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:70

Aggregator ID: 1

[Expert@Gaia:0]#