Technical data
Working with Link Aggregation
Check Point VSX Administration Guide NGX R67 | 148
Changing an Existing Interface to a Bond
The following sample scenario demonstrates the procedure for configuring an existing VSX cluster to use
a Link Aggregation bond. The VSX cluster members currently use interface eth1 to connect to several
Virtual Machines and other virtual devices. Interface eth2 is currently free and eth0 serves as the
management interface.
To create a new bond using eth1 and eth2 as slave interfaces:
1. On each member, create a new bond0 ("Defining the Interface Bond" on page 134) using only eth2 as
the slave interface.
2. On the management computer, use the vsx_util change_interfaces ("change_interfaces" on page 197)
command to replace eth1 with the new bond0.
3. Enslave eth1 to bond0 ("Enslaving Interfaces to a Bond" on page 145) on each member.
4. In SmartDashboard, remove eth1 and eth2 from the VSX gateway ("Removing IP Addresses from Slave
Interfaces" on page 135) physical interfaces.
Troubleshooting Bonded Interfaces
Troubleshooting Workflow
1. Check the status of the bond, as detailed in "Verifying that the Bond is Functioning Properly" (on page
135).
2. If there is a problem, check if the physical link is down, as follows:
a) Execute the following command:
cphaconf show_bond <bond-name>
b) Look for a slave interface that reports the status of the link as no.
c) Check the cable connections and other hardware.
d) Check the port configuration on the switch.
3. Check if a cluster member is down, by running:
cphaprob state
If any of the cluster members have a Firewall State other than active, see "Monitoring Cluster
Status (cphaprob state)" in the R75.20 ClusterXL Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=12265) for further troubleshooting
help.
4. For further information regarding bond status and failovers, view logs in SmartView Tracker. Any
interface bond status change is logged and can be viewed in SmartView Tracker.
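Step 2 b) of the workflow above can be scripted. The following is an added example, not part of the original guide: it reads cphaconf show_bond output and names every slave whose link reads no. The table layout (rows of "name | status | link") and the sample text are assumptions constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: list bond slaves whose Link column reads "no".
# ASSUMPTION: slave rows look like "name | status | link", separated by "|".
# Adjust the field numbers if your version prints the table differently.

# Constructed sample output (not captured from a real gateway).
sample_show_bond() {
cat <<'EOF'
Bond name: bond0
Bond mode: High Availability
Bond status: UP
Configured slave interfaces: 2

Slave name      | Status          | Link
----------------+-----------------+-------
eth1            | Backup          | No
eth2            | Active          | Yes
EOF
}

# Reads show_bond text on stdin and prints one slave name per line when its
# link field is "no" (case-insensitive). Header and separator rows are skipped.
slaves_link_down() {
    awk -F'|' '
        NF == 3 {
            name = $1; link = $3
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", link)
            if (tolower(name) == "slave name") next
            if (tolower(link) == "no") print name
        }'
}

# Returns 0 when every slave reports link, 1 when at least one is down.
check_bond_links() {
    down=$(slaves_link_down)
    if [ -n "$down" ]; then
        echo "link down on:" $down
        return 1
    fi
    echo "all slave links up"
    return 0
}

# On a cluster member: cphaconf show_bond bond0 | check_bond_links
```

A non-zero return is the cue to continue with steps 2 c) and 2 d), checking the cabling and the switch port configuration for the named interfaces.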
Connectivity Delays on Switches
When using certain switches, connectivity delays may occur during some internal bond failovers. With the
various features that are now included on some switches, it can take close to a minute for a switch to begin
servicing a newly connected interface. The following are suggestions for reducing the startup time after link
failure.
1. Disable auto-negotiation on the relevant interface.
2. On some Cisco switches, enable PortFast, as detailed below.
Note - PortFast is not applicable if the bond group on the switch is configured as Trunk.
Warning Regarding Use of PortFast
The PortFast feature should never be used on ports that connect to other switches or hubs. It is important
that the Spanning Tree complete the initialization procedure in these situations. Otherwise, these