Bond Interfaces (Link Aggregation)

Check Point security devices support Link Aggregation, a technology that joins multiple physical interfaces into one virtual interface, known as a bond interface. The bond interface share the load among many interfaces, which gives fault tolerance and increases throughput. Check Point devices support the IEEE 802.3ad Link Aggregation Control Protocol (LACP) for dynamic link aggregation.

Item No.	Description
1	Security Gateway
1A	Interface 1
1B	interface 2
2	Bond Interface
3	Router

A bond interface (also known as a bonding group or bond) is identified by its Bond ID (for example: bond1) and is assigned an IP address. The physical interfaces included in the bond are called slaves and do not have IP addresses.

You can define a bond interface to use one of these functional strategies:

High Availability (Active/Backup): Gives redundancy when there is an interface or a link failure. This strategy also supports switch redundancy. Bond High Availability works in Active/Backup mode - interface Active/Standby mode. When an Active slave interface is down, the connection automatically fails over to the primary slave interface. If the primary slave interface is not available, the connection fails over to a different slave interface.
Load Sharing (Active/Active): All slave interfaces in the UP state are used simultaneously. Traffic is distributed among the slave interfaces to maximize throughput. Bond Load Sharing does not support switch redundancy.
Note - Link Aggregation Load Sharing mode requires SecureXL to be enabled on Security Gateway or each cluster member.

You can configure Bond Load Sharing to use one of these modes:
- Round Robin - Selects the Active slave interfaces sequentially.
  Note - This mode is not supported on Security Groups.
- 802.3ad - Dynamically uses Active slave interfaces to share the traffic load. This mode uses the LACP protocol, which fully monitors the interface link between the Check Point Security Gateway and a switch.
- XOR - All slave interfaces in the UP state are Active for Load Sharing. Traffic is assigned to Active slave interfaces based on the transmit hash policy: Layer 2 information (XOR of hardware MAC addresses), or Layer 3+4 information (IP addresses and Ports).
- ABXOR - Slave interfaces in the UP state are assigned to sub-groups called bundles. Only one bundle is Active at a time. All slave interfaces in the Active bundle share the traffic load. The system assigns traffic to all interfaces in the Active bundle based on the defined transmit hash policy.
  Note - This mode is supported only on Security Groups.

For Link Aggregation High Availability mode and for Link Aggregation Load Sharing mode:

The number of bond interfaces that can be defined is limited by the maximal number of interfaces supported by each platform. See the R80.30SP Release Notes.
Up to 8 slave interfaces can be configured in a single High Availability or Load Sharing bond interface.

Configuring Bond Interfaces - Gaia Portal

To configure a bond interface:

Step	Description
1	In the navigation tree, click Network Management > Network Interfaces.
2	Make sure that the slave interfaces, which you wish to add to the Bond interface, do not have IP addresses.
3	For a new bond interface, select Add > Bond. To edit an existing Bond interface, select the Bond interface and click Edit.
4	On the IPv4 tab, enter the IPv4 address and subnet mask. Note - R80.30SP does not support the option Obtain IPv4 address automatically (see MBS-3246 in sk148074).
5	On the IPv6 tab (optional), enter the IPv6 address and mask length. Important - First, you must enable the IPv6 Support and reboot. Notes: R80.30SP does not support the option Obtain IPv6 address automatically (see MBS-3246 in sk148074). R80.30SP does not support IPv6 (see MBS-7903 in sk162552).
6	On the Bond tab: Select or enter a Bond Group ID. This parameter is an integer between 0 and 1024. Select the slave interfaces from the Available Interfaces list and then click Add. Note - Make sure that the slave interfaces do not have any IP addresses or aliases configured. Select an Operation Mode: Round Robin (default) - Bond uses all slave interfaces sequentially (High Availability + Load Sharing) Active-Backup - Bond uses one slave interface at a time (High Availability) XOR - Bond uses slave interfaces based on a hash function (High Availability + Load Sharing) 802.3ad - Dynamic bonding according to IEEE 802.3ad (Load Sharing)
7	On the Advanced tab: Set the required MTU for your network (if not sure, leave the default value). Set the Monitor Interval - How much time to wait between checking each slave interface for link-failure. The valid range is 1-5000 ms. The default is 100 ms. Set the Down Delay - How much time to wait, after sending a monitor request to a slave interface, before bringing down the slave interface. The valid range is 1-5000 ms. The default is 200 ms. Set the Up Delay - How much time to wait, after sending a monitor request to a slave interface, before bringing up the slave interface. The valid range is 1-5000 ms. The default is 200 ms.
8	Additional configuration settings are available depending on the selected Bond Operation Mode: If selected the Round Robin bond operation mode, then there are no additional configuration settings. If selected the Active-Backup bond operation mode, then select the Primary Interface If selected the XOR bond operation mode, then select the Transmit Hash Policy - the algorithm for slave interface selection according to the specified TCP/IP Layer. Select either Layer 2 (uses XOR of the physical interface MAC address), or Layer 3+4 (uses Layer 3 and Layer 4 protocol data). If selected the 802.3ad bond operation mode, then perform these two steps: Select the Transmit Hash Policy - the algorithm for slave interface selection according to the specified TCP/IP Layer. Select either Layer 2 (uses XOR of the physical interface MAC address), or Layer 3+4 (uses IP addresses and Ports). Select the LACP Rate - how frequently the LACP partner should transmit LACPDUs. Select either Slow (every thirty seconds), or Fast (every one second).
9	Click OK.

Configuring Bond Interfaces - Gaia Clish

In the CLI, bond interfaces are known as bonding groups.

Important: After you run a Gaia Clish command to add, configure, or delete an object, run the save config command to save the settings permanently.

To create a bond interface in the Gaia Clish:

Step	Description
1	Make sure that the slave interfaces do not have IP addresses.
2	Create the bond interface.
3	Define the slave interfaces and set them to the UP state.
4	Set the bond operating mode.
5	Define other bond parameters: primary interface, media monitoring, and delay rate.

Link Aggregation (bonding) - quick reference for Gaia Clish commands

This is a quick reference for Link Aggregation commands. Use these commands to configure Link Aggregation.

Note - On Security Groups, you must run these commands in gClish.

Syntax

add bonding group <bondID>

add bonding group <bondID> interface <name_of_slave_interface>

set bonding group <bondID>

mode active-backup [primary <name_of_slave_interface>]

mode round-robin

mode 8023AD [lacp-rate {slow | fast}]

mode xor xmit-hash-policy {layer2 | layer3+4}

mode ABXOR xmit-hash-policy {layer2 | layer3+4} [abxor-threshold <min number of UP slave interfaces>]

[up-delay <value 0...5000 ms>]

[down-delay <value 0...5000 ms>]

[monitoring-type {arp <options> | mii <options>}]

delete bonding group <bondID> [interface <IF_Name> | force-ignore-routes]

show bonding {group <bondID> | groups}

Parameters

Parameter	Description
<bondID>	Specifies the ID of the Bond (an integer between 1 and 1024)
<name_of_slave_interface>	Specifies the name of the slave interface to add to the bond, or remove from the bond
`mode`	Specifies the Bond operating mode: `active-backup` `round-robin` (not supported on Security Groups) `8023AD` `xor` `ABXOR` (supported only on Security Groups)
`primary`	Specifies the name of the primary slave interface in the bond. The first slave interface added to the bond group, becomes the primary. Note - Applies only to the active-backup bond mode.
`up-delay`	Specifies the time in milliseconds to wait before enabling a slave after link recovery has been detected (0-5000 ms, default = 200 ms)
`down-delay`	Specifies the time in milliseconds to wait before disabling a slave after link failure has been detected (0-5000 ms, default = 200 ms)
`lacp-rate`	Specifies the Link Aggregation Control Protocol packet transmission rate: `slow` - LACPDU packets are sent every 30 seconds `fast` - LACPDU packets are sent every second Note - Applies only to the 802.3AD bond mode.
`monitoring-type`	Specifies the Bond monitoring type: `arp` - ARP monitoring `mii` - Media monitoring
`xmit-hash-policy`	Specifies the algorithm to use for assigning the traffic to Active slave interfaces: `layer2` - Based on the XOR of hardware MAC addresses `layer3+4` - Based on the IP addresses and Ports Note - Applies only to the XOR and ABXOR bond modes.
`abxor-threshold`	Specifies the minimal number of slave interfaces that must be in the UP sate for a bundle to be Active. Note - Applies only to the ABXOR bond mode on Scalable Platforms.

Example 1

gaia> add bonding group 1

gaia> add bonding group 1 interface eth2

gaia> add bonding group 1 interface eth3

gaia> set bonding group 1 mode active-backup primary eth2

gaia> show bonding group 1

Bond Configuration

xmit-hash-policy Not configured

down-delay 200

primary eth2

monitoring-type Not configured

arp-target-ip Not configured

lacp-rate Not configured

mode active-backup

up-delay 200

mii-interval 100

Bond Interfaces

eth2

eth3

gaia>

Example 2

gaia> add bonding group 1

gaia> add bonding group 1 interface eth2

gaia> add bonding group 1 interface eth3

gaia> set bonding group 1 mode xor xmit-hash-policy layer3+4

gaia> show bonding group 1

Bond Configuration

xmit-hash-policy layer3+4

down-delay 200

primary Not configured

monitoring-type Not configured

arp-target-ip Not configured

lacp-rate Not configured

mode xor

up-delay 200

mii-interval 100

Bond Interfaces

eth2

eth3

gaia>

Example 3

gaia> add bonding group 1

gaia> add bonding group 1 interface eth2

gaia> add bonding group 1 interface eth3

gaia> set bonding group 1 mode xor xmit-hash-policy layer3+4

gaia> set bonding group 1 monitoring-type mii mii-interval 50

gaia> show bonding group 1

Bond Configuration

xmit-hash-policy layer3+4

down-delay 100

primary Not configured

monitoring-type mii

arp-target-ip 0

lacp-rate Not configured

mode xor

up-delay 100

mii-interval 50

Bond Interfaces

eth2

eth3

gaia>

Example 4

gaia> add bonding group 1

gaia> add bonding group 1 interface eth2

gaia> add bonding group 1 interface eth3

gaia> set bonding group 1 mode xor xmit-hash-policy layer3+4

gaia> set bonding group 1 monitoring-type arp arp-target-ip 192.168.1.1

gaia> show bonding group 1

Bond Configuration

xmit-hash-policy layer3+4

down-delay 0

primary Not configured

monitoring-type arp

arp-target-ip 192.168.1.1

lacp-rate Not configured

mode xor

up-delay 0

mii-interval 0

Bond Interfaces

eth2

eth3

gaia>

Creating a Bond Interface

Syntax

add bonding group <bondID>

Example:

add bonding group 777

Notes:

On Security Groups, you must run this command in gClish.
Do not change the state of bond interface manually using the set interface bondID state command. This is done automatically by the bonding driver.

Adding Slave Interfaces to a Bond

Syntax

add bonding group <bondID> interface <IF_Name>

Example:

add bonding group 777 interface eth4

Notes:

The slave interfaces must not have IP addresses assigned to them.
A bond interface can contain between two and eight slave interfaces.
On Security Groups, you must run this command in gClish.

Deleting Slave Interfaces from a Bond

Syntax

delete bonding group <bondID> interface <IF_Name>

Example:

delete bonding group 777 interface eth4

Notes:

You must delete all non-primary slave interfaces before you remove the primary slave interface.
On Security Groups, you must run this command in gClish.

Deleting a Bond Interface

Syntax

delete bonding group <bondID>

Example:

delete bonding group 777

Notes:

You must delete all non-primary slave interfaces before you remove the primary slave interface.
You must delete all slave interfaces from the bond before you remove the bond interface.
Do not change the state of bond interface manually using the set interface bondID state command. This is done automatically by the bonding driver.
On Security Groups, you must run this command in gClish.

Configuring the Bond Operating Mode

Bond operating mode specifies how slave interfaces are used in a bond interface.

Syntax

set bonding group <bondID> mode active-backup [primary <name_of_slave_interface>]

set bonding group <bondID> mode round-robin

set bonding group <bondID> mode 8023AD [lacp-rate {slow | fast}]

set bonding group <bondID> mode xor xmit-hash-policy {layer2 | layer3+4}

set bonding group <bondID> mode ABXOR xmit-hash-policy {layer2 | layer3+4} [abxor-threshold <min number of UP slave interfaces>]

Example:

set bonding group 1 mode active-backup primary eth2

set bonding group 1 mode xor xmit-hash-policy layer3+4

Example for Security Groups:

set bonding group 4 mode 8023AD

1_01:

success

1_02:

success

1_03:

success

2_01:

success

2_03:

success

Notes:

On Security Groups, you must run these commands in gClish.
The Active-Backup mode supports configuration of the primary slave interface.
The Round-Robin mode is not supported on Security Groups.
The XOR mode requires the configuration of the transmit hash policy.
The ABXOR mode:
- Is supported only on Security Groups. See the R80.30SP Security Groups Administration Guide.
- Requires the configuration of the transmit hash policy.
- Supports configuration of the minimal number of slave interfaces that must be in the UP sate for a bundle to be Active.
The 8023AD mode supports the configuration of the LACP packet transmission rate.

Configuring the Bond Monitoring

You can configure the monitoring of the slave interfaces for link-failure.

Syntax

set bonding group <bondID> monitoring-type arp arp-target-ip <IPv4_Address>

set bonding group <bondID> monitoring-type mii mii-interval<0...5000 milliseconds>

Example:

set bonding group 1 monitoring-type arp arp-target-ip 192.168.1.1

set bonding group 1 monitoring-type mii mii-interval 50

Notes:

On Security Groups, you must run these commands in gClish.
Default mii-interval value is 100 ms.

Configuring the Up Delay and Down Delay Times

The Up-Delay specifies show much time in milliseconds to wait before enabling a slave after link recovery has been detected.

Syntax

set bonding group <bondID> up-delay <0...5000 ms>

Example:

set bonding group 1 up-delay 100

The Down-Delay specifies how much time in milliseconds to wait before disabling a slave after link failure has been detected

Syntax

set bonding group <bondID> down-delay <0...5000 ms>

Example:

set bonding group 1 down-delay 100

Notes:

On Security Groups, you must run these commands in gClish.
The default up-interval value is 200 ms.
The default down-interval value is 200 ms.

Making Sure that Bond Interface is Working

To make sure that a Bond interface is working, run this command in Expert mode:

[Expert@Gaia:0]# cat /proc/net/bonding/<Bond Group ID>

Example output for Round Robin mode:

[Expert@Gaia:0]# cat /proc/net/bonding/bond1

Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: load balancing (round-robin)

MII Status: up

MII Polling Interval (ms): 100

Up Delay (ms): 200

Down Delay (ms): 200

Slave Interface: eth2

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:69

Slave Interface: eth3

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:70

[Expert@Gaia:0]#

Example output for Active-Backup mode:

[Expert@Gaia:0]# cat /proc/net/bonding/bond1

Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: fault-tolerance (active-backup)

Primary Slave: eth2

Currently Active Slave: eth2

MII Status: up

MII Polling Interval (ms): 100

Up Delay (ms): 200

Down Delay (ms): 200

Slave Interface: eth2

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:69

Slave Interface: eth3

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:70

[Expert@Gaia:0]#

Example output for XOR mode:

[Expert@Gaia:0]# cat /proc/net/bonding/bond1

Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: load balancing (xor)

Transmit Hash Policy: layer2 (0)

MII Status: up

MII Polling Interval (ms): 100

Up Delay (ms): 200

Down Delay (ms): 200

Slave Interface: eth2

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:69

Slave Interface: eth3

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:70

[Expert@Gaia:0]#

Example output for 802.3ad mode:

[Expert@Gaia:0]# cat /proc/net/bonding/bond1

Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation

Transmit Hash Policy: layer2 (0)

MII Status: up

MII Polling Interval (ms): 100

Up Delay (ms): 200

Down Delay (ms): 200

802.3ad info

LACP rate: slow

Slave Interface: eth2

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:69

Aggregator ID: 1

Slave Interface: eth3

MII Status: up

Link Failure Count: 0

Permanent HW addr: 00:50:56:a3:73:70

Aggregator ID: 1

[Expert@Gaia:0]#