Best practice to configure interfaces for Check Point synchronization circuit


Article ID: 167993


Updated On:

Products

XOS

Issue/Introduction

It is recommended that the Check Point sync interface has a second interface configured using the redundancy interface feature of XOS.

Cause

To document the best practice when configuring physical interfaces for a Check Point sync circuit.

Resolution

It is recommended that the Check Point sync interface has a second interface configured using the redundancy interface feature of XOS:

circuit sync
  device-name sync
  link-state-resistant
  vap-group fw
    ip 192.168.255.1/24 192.168.255.255 increment-per-vap 192.168.255.2

interface ethernet 1/16
  logical sync
    circuit sync

interface ethernet 2/16
  standby-only

redundancy-interface master ethernet 1/16 backup ethernet 2/16 mac-usage master
  failovermode preemption-off

It is recommended NOT to use a group-interface (LACP) for Check Point synchronization. Check Point synchronization traffic mainly uses only two IP addresses: the source 0.0.0.0 and the synchronization network broadcast address as the destination (192.168.255.255 in the above example). This traffic is classified as a single flow and as such cannot be distributed over multiple physical links; it must be transmitted over a single interface, so there is no benefit in using LACP.

When LACP is configured for sync, there is even a potential performance degradation issue if the neighbor switch selects a different link in the bundle to transmit the sync traffic than the X-series does. Such a scenario leads to flow reclassification on the NPM and may cause sync issues on the cluster members.
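To make the single-flow argument concrete, here is an added Python model (not XOS code and not any switch vendor's actual hashing algorithm; CRC32 over the 5-tuple is an assumption standing in for whatever the switch uses) showing that the sync flow always hashes to one member link while ordinary traffic spreads across the bundle:

```python
# Added illustration (not XOS or switch vendor code): models how a LACP bundle
# pins each flow to one member link by hashing its addresses/ports, and why the
# Check Point sync flow (0.0.0.0 -> sync broadcast) always lands on one link.
import ipaddress
import struct
import zlib
from collections import Counter

# A flow is (src_ip, dst_ip, ip_proto, src_port, dst_port).
Flow = tuple


def flow_hash(flow: Flow) -> int:
    """Deterministic per-flow hash over the 5-tuple.

    Real switches use vendor-specific polynomials and field selections
    (L2, L3 or L3+L4); CRC32 is an assumed stand-in. Only one property
    matters for the argument: an identical tuple always yields the same value.
    """
    src_ip, dst_ip, proto, sport, dport = flow
    key = struct.pack(
        "!IIBHH",
        int(ipaddress.IPv4Address(src_ip)),
        int(ipaddress.IPv4Address(dst_ip)),
        proto, sport, dport,
    )
    return zlib.crc32(key) & 0xFFFFFFFF


def select_member(flow: Flow, n_links: int) -> int:
    """Member-link index chosen for this flow in a bundle of n_links."""
    return flow_hash(flow) % n_links


def link_distribution(flows, n_links: int) -> Counter:
    """How many flows the hash assigns to each member link."""
    return Counter(select_member(f, n_links) for f in flows)


def uses_multiple_links(flows, n_links: int) -> bool:
    """True only if the bundle would actually spread this traffic out."""
    return len(link_distribution(flows, n_links)) > 1


# Constructed sample 1: sync traffic as the article describes it. The L4 ports
# are left at 0 because the article only characterises the L3 addresses.
SYNC_FLOWS = [("0.0.0.0", "192.168.255.255", 17, 0, 0)] * 1000

# Constructed sample 2: ordinary traffic from 1000 distinct client/server pairs.
USER_FLOWS = [
    (f"10.0.{i // 256}.{i % 256}", f"172.16.{(i * 7) % 256}.{(i * 13) % 256}",
     6, 1024 + i, 443)
    for i in range(1000)
]

if __name__ == "__main__":
    for n in (2, 4):
        print(f"{n} links: sync -> {dict(link_distribution(SYNC_FLOWS, n))}, "
              f"user -> {dict(link_distribution(USER_FLOWS, n))}")
```

Whatever the real hash, the sync sample collapses onto one link because every packet carries the same tuple, which is exactly why a bundle adds no bandwidth for it.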

Workaround

N/A