Configuring Bond Load Sharing Mode
This section explains how to configure Load Sharing on a bond interface.
Run the CLI commands from the VSX Gateway (VS0) context.
In a VSX Cluster configuration, run these commands on each VSX Cluster Member.
Configure one of these Load Sharing modes for the bond interface:
- Round Robin - Selects the Active subordinate interfaces sequentially.
- 802.3ad - Dynamically uses Active subordinate interfaces to share the traffic load. This mode uses the LACP protocol, which fully monitors the interface link between the Check Point Security Gateway and a switch.
- XOR - All subordinate interfaces in the UP state are Active for Load Sharing. Traffic is assigned to Active subordinate interfaces based on the transmit hash policy: Layer 2 information (XOR of hardware MAC addresses), or Layer 3+4 information (IP addresses and Ports).
Configuring the Load Sharing Bond
This is a workflow of CLI commands to configure Link Aggregation in Load Sharing mode.
To configure the Link Aggregation in Load Sharing mode:
- Add the bonding group.
- Add subordinate interfaces to the bonding group.
- Define the number of critical interfaces.
- For configurations that use Performance Pack, configure the core affinities.
- Make sure that the bond is configured correctly.
- Open SmartConsole and configure the VSX Cluster object.
  - For a new Link Aggregation installation, create a new cluster object.
  - For updating an existing configuration, update the interface topology.
Setting Critical Required Interfaces
Note - The Critical Required Interfaces feature is supported for ClusterXL only.
A Bond in Load Sharing mode is considered to be down when fewer than a critical minimal number of subordinate interfaces remain up. When not explicitly defined, the critical minimal number of subordinate interfaces, which must remain up, in a bond of n interfaces is n-1. Failure of an additional subordinate interface (when n-2 subordinate interfaces remain up) will cause the entire bond interface to be considered down, even if the bond contains more than two subordinate interfaces.
If a smaller number of subordinate interfaces will be able to handle the expected traffic, you can increase redundancy by explicitly defining the critical minimal number of subordinate interfaces. Divide your maximal expected traffic speed by the speed of your subordinate interfaces and round up to a whole number to determine an appropriate number of critical subordinate interfaces.
To define the critical number of subordinate interfaces explicitly, create and edit the following file:
$FWDIR/conf/cpha_bond_ls_config.conf
Each line of the file should be written in the following syntax:
|
For example, if bond0 has 7 subordinate interfaces, and bond1 has 6 subordinate interfaces, file contents could be:
|
In this example:
- bond0 would be considered down when 3 of its subordinate interfaces have failed.
- bond1 would be considered down when 4 of its subordinate interfaces have failed.
Affinities of Bond Subordinate Interfaces to CPU Cores
For optimal performance, follow these guidelines:
- Configure static affinities of bond subordinate interfaces to CPU Cores.
- Whenever possible, dedicate one processing core to each interface.
- If there are more physical interfaces than CPU cores, then some CPU cores handle two or more interfaces.
  Use pairs of subordinate interfaces of the same position with internal and external bonds.
  - To view the positions of subordinate interfaces in a bond, run in the Expert mode:
    cat /proc/net/bonding/<Name of Bond Interface>
  - Note the sequence of the interfaces in the output.
    Compare this sequence for the two bonds (external bond and its respective internal bond).
    Subordinate interfaces that appear in the same position in the two bonds are interface pairs.
    Set these pairs to be handled by one processing CPU core.
Example configuration

An appliance has:
- Four processing CPU cores: core 0, core 1, core 2, and core 3
- Two bond interfaces:
  - bond0 with subordinate interfaces eth0, eth1, and eth2
  - bond1 with subordinate interfaces eth3, eth4, and eth5

In this case, two of the CPU cores need to handle two subordinate interfaces each.
An optimal configuration can be:

| CPU core | bond0 | bond1 |
|----------|-------|-------|
| 0        | eth0  | eth3  |
| 1        | eth1  | eth4  |
| 2        | eth2  |       |
| 3        |       | eth5  |
- For more information, see the R81.10 Performance Tuning Administration Guide:
  - Chapter CoreXL > Section Configuring Affinity Settings.
  - Chapter CoreXL > Section Affinity Settings for 16000 and 26000 Appliances.
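
Both the critical-number rule and the position pairing described above can be checked from the bonding status file. The script below is an added example, not Check Point code: it assumes the standard Linux layout of /proc/net/bonding/<bond> ("Slave Interface:" and "MII Status:" lines) and two bonds with the same number of subordinate interfaces, its function names are hypothetical, and its core-assignment rule is a generalization that reproduces the four-core example. It only prints a plan and does not change any affinity setting.

```bash
#!/bin/bash
# Added example. sample_bond prints constructed text in the layout of
# /proc/net/bonding/<bond>; on a gateway, pass the real file path instead.
sample_bond() {   # usage: sample_bond eth0:up eth1:down ...
    printf 'Bonding Mode: IEEE 802.3ad Dynamic link aggregation\nMII Status: up\n'
    for s in "$@"; do
        printf '\nSlave Interface: %s\nMII Status: %s\n' "${s%:*}" "${s#*:}"
    done
}

# Print "<position> <interface> <link status>" per subordinate, in file order.
# The bond-level "MII Status" line (before any subordinate) is skipped.
bond_slaves() {
    awk '/^Slave Interface:/ { name = $3 }
         /^MII Status:/ && name != "" { print pos++, name, $3; name = "" }' "$1"
}

# Down when fewer than <critical> subordinates are up (rule from the section above).
bond_state() {   # usage: bond_state <file> <critical number>
    n_up=$(bond_slaves "$1" | awk '$3 == "up" { n++ } END { print n + 0 }')
    if [ "$n_up" -lt "$2" ]; then echo down; else echo up; fi
}

# Print "<core> <interfaces>": same-position pairs share a core only for as
# many positions as the interfaces outnumber the cores; the rest get one each.
affinity_plan() {   # usage: affinity_plan <bond file> <bond file> <cores>
    { bond_slaves "$1" | sed 's/^/A /'; bond_slaves "$2" | sed 's/^/B /'; } |
    awk -v cores="$3" '
        { if ($1 == "A") { a[$2] = $3 } else { b[$2] = $3 }
          if ($2 >= n) n = $2 + 1 }
        END {
            shared = 2 * n - cores; if (shared < 0) shared = 0
            if (shared > n) { print "more than two interfaces per core" > "/dev/stderr"; exit 1 }
            for (i = 0; i < n; i++) {
                if (i < shared) { print core++, a[i], b[i]; continue }
                print core++, a[i]; print core++, b[i]
            }
        }'
}

tmp=$(mktemp -d)
sample_bond eth0:up eth1:up eth2:down > "$tmp/bond0"
sample_bond eth3:up eth4:up eth5:up > "$tmp/bond1"
bond_state "$tmp/bond0" 2                  # 2 of 3 up, critical number 2
affinity_plan "$tmp/bond0" "$tmp/bond1" 4  # the four-core appliance above
```
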