Technical data
Working with Link Aggregation
Check Point VSX Administration Guide NGX R67 | 136
Defining the Interface Bond
When the slave interfaces are without IP addresses, define the bond:
1. Start the SecurePlatform configuration utility:
sysconfig
2. Select Network Connections.
3. Select Add new connection.
4. Select Bond.
5. For each interface to be enslaved under the bond, type its number in the list, and press Enter.
6. Enter n to go to the next step.
7. Select High Availability.
8. Choose whether to use default parameters (recommended) or to customize them.
9. Choose whether to set a primary slave interface, or not (recommended).
A primary slave interface, after failing and coming back up, automatically returns to Active status, even if
failover to the other interface occurred. If there is no primary interface, failover causes the other interface
to become active and remain so until it fails.
10. Define the IP address and network mask of the new interface bond.
11. Exit the SecurePlatform configuration utility.
Defining Slave Interfaces as Disconnected
In a bond, slave interfaces should be configured as disconnected. Disconnected interfaces are cluster
member interfaces that are not monitored by the ClusterXL mechanism. If a disconnected interface fails,
failover does not occur.
To define a slave interface as disconnected in SecurePlatform:
1. On the cluster member machine, open the file named discntd.if in the directory $FWDIR/conf/ in a text
editor. If this file does not yet exist, you need to create it.
2. Enter the name of each physical interface contained in the bond on a separate line, as shown in the
following example:
pimreg
eth5
eth6
3. Repeat this process for each member.
Verifying that the Bond is Functioning Properly
After installation or failover, it is recommended to verify that the bond is up, by displaying bond information.
1. Execute the following command:
cphaprob -a if
Check that the bond status is reported as UP, using the cphaprob -a if command.
2. Execute the following command:
cphaconf show_bond <bond name>
Check that the bond is correctly configured, using the cphaconf show_bond command.
Reconfiguring Topology
At this point, you need to reconfigure the relevant objects to connect to the newly created bond. This
includes Virtual Systems, Virtual Routers and Virtual Switches. You can perform these actions using
SmartDashboard. In most cases, these definitions can be found in the object Properties window.
For large existing VSX deployments containing many Domain Management Servers and virtual devices, use
the vsx_util change_interfaces command to reconfigure existing object topologies. For example, in a Multi-
Domain Security Management deployment with 200 Domains, each with many virtual devices, it is much
faster to use vsx_util change_interfaces. This command automatically replaces the interface with the new
bond on all relevant objects.