Today, with new Check Point appliances, one can design a decent DC firewall. With multiple 10GB interfaces and bonds, one can easily match the throughput of a Nexus network core.
There is one caveat though. There are multiple known issues with 10GB interfaces on Check Point appliances, especially concerning bonding.
Firstly, there is an issue with LACP if jumbo frames are in use, described in sk86980. I have to say the solution is incomplete. For example, it mentions only three particular software versions, and mine was not listed there.
Secondly, there is a stability issue with jumbo frames, mentioned in sk99113.
Luckily, the driver update from the second SK fixes LACP with jumbo frames too.
The number of different versions that need patching for this (from R75.40 through R77.10, including the quite recent R75.47) clearly shows that Check Point developers were not too concerned about jumbo frames for a long time. It looks like high-end DC testing scenarios were not part of the regular QA test cycles.
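A quick way to see whether a gateway runs the combination described above, as an added example that is not from the original post or from Check Point: the script reads the standard Linux bonding and sysfs files (assumed to be reachable from expert mode), marks members of 802.3ad bonds whose MTU exceeds 1500, and prints each member's driver name and version for comparison with the SKs. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag LACP bonds that carry jumbo frames and show each
# member's NIC driver version for comparison with sk86980 / sk99113.
# Assumes the standard Linux bonding/sysfs paths and ethtool are available.

# Print the bonding mode from a /proc/net/bonding/<bond> file.
bond_mode() {
    sed -n 's/^Bonding Mode: //p' "$1"
}

# Print the member interface names from a /proc/net/bonding/<bond> file.
bond_slaves() {
    sed -n 's/^Slave Interface: //p' "$1"
}

# Print "driver version" for an interface, "unknown unknown" if unavailable.
driver_info() {
    out=$(ethtool -i "$1" 2>/dev/null) || out=""
    drv=$(printf '%s\n' "$out" | sed -n 's/^driver: //p')
    ver=$(printf '%s\n' "$out" | sed -n 's/^version: //p')
    echo "${drv:-unknown} ${ver:-unknown}"
}

# audit_bond <proc-file> <sysfs-net-dir>
# One line per member: bond, member, MTU, driver, version, verdict.
audit_bond() {
    procfile=$1; sysnet=$2
    bond=$(basename "$procfile")
    case "$(bond_mode "$procfile")" in
        *802.3ad*) lacp=1 ;;
        *)         lacp=0 ;;
    esac
    for ifc in $(bond_slaves "$procfile"); do
        mtu=$(cat "$sysnet/$ifc/mtu" 2>/dev/null || echo 0)
        verdict=ok
        if [ "$lacp" -eq 1 ] && [ "$mtu" -gt 1500 ]; then
            verdict=REVIEW   # LACP plus jumbo frames: check driver against the SKs
        fi
        echo "$bond $ifc mtu=$mtu $(driver_info "$ifc") $verdict"
    done
}

# Audit every bond present on the running system (no output if none exist).
for f in /proc/net/bonding/*; do
    if [ -f "$f" ]; then audit_bond "$f" /sys/class/net; fi
done
```

A `REVIEW` verdict only means the bond matches the LACP-with-jumbo-frames condition; whether the listed driver version is affected has to be checked against the SK text.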
I can only hope this will change in the future.
We are seeing that there is a general issue with the ixgbe 3.1.17 driver for 10g interfaces. Just last week we had an alert about this with a customer (we have a signature for the ixgbe driver) - they were running R71.50.