Bond Interfaces (Link Aggregation)

Check Point security devices support Link Aggregation, a technology that joins multiple physical interfaces into one virtual interface, known as a bond interface.

The bond interface share the load among many interfaces, which gives fault tolerance and increases throughput. Check Point devices with the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS kernel 3.10 and higher support the IEEE 802.3ad and IEEE 802.1ax Link Aggregation Control Protocol (LACP) for dynamic link aggregation.

Item

Description

1

Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

1A

Interface 1

1B

Interface 2

2

Bond Interface

3

Router

A bond interface (also known as a bonding group or bond) is identified by its Bond ID (for example: bond1) and is assigned an IP address. The physical interfaces included in the bond are called subordinate interfaces and do not have IP addresses.

You can configure a bond interface to use one of these functional strategies:

Gives redundancy when there is an interface or a link failure. This strategy also supports switch redundancy.

Bond High Availability works in Active/Backup mode - interface Active/Standby mode. When an Active subordinate interface is down, the connection automatically fails over to the primary subordinate interface. If the primary subordinate interface is not available, the connection fails over to a different subordinate interface.

All subordinate interfaces in the UP state are used simultaneously.

Traffic is distributed among the subordinate interfaces to maximize throughput. Bond Load Sharing does not support switch redundancy.

Note - Bonding Load Sharing mode requires SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. to be enabled on Security Gateway or each Cluster MemberClosed Security Gateway that is part of a cluster..

You can configure Bond Load Sharing to use one of these modes:

Mode

Description

Round Robin

Selects the Active subordinate interfaces sequentially.

Note - Scalable Platforms (Maestro and Chassis) do not support this feature (Known Limitation MBS-4080).

802.3ad

Dynamically uses Active subordinate interfaces to share the traffic load.

This mode uses the LACP protocol, which fully monitors the interface link between the Check Point Security Gateway and a switch.

Check Point devices with the Gaia OS kernel 3.10 and higher support the IEEE 802.3ad and IEEE 802.1ax Link Aggregation Control Protocol (LACP) for dynamic link aggregation.

XOR

All subordinate interfaces in the UP state are Active for Load Sharing.

Traffic is assigned to Active subordinate interfaces based on one of these transmit hash policies:

  • Layer 2 information (XOR of hardware MAC addresses)

  • Layer 3+4 information (IP addresses and Ports)

ABXOR

Subordinate interfaces in the UP state are assigned to sub-groups called bundles.

Only one bundle is Active at a time.

All subordinate interfaces in the Active bundle share the traffic load.

The system assigns traffic to all interfaces in the Active bundle based on the defined transmit hash policy.

Note - Scalable Platforms (Maestro and Chassis) do not support this feature (Known Limitation MBS-1520).

For Bonding High Availability mode and for Bonding Load Sharing mode:

  • The number of bond interfaces that can be defined is limited by the maximal number of interfaces supported by each platform.

    See the R81.10 Release Notes.

  • Up to 8 physical subordinate interfaces can be configured in a single bond interface.