LAN Port Aggregation
-
@Firewalla,
Whether I personally have multi-gigabit Internet is a moot point as the entire premise behind the Firewalla Gold series is to support segmented networks in both Home and Small Business environments.
- This would provide link redundancy for the multiple VLANs that are currently spread out across multiple individual ports.
- This would provide the ability to connect the Firewalla Gold to multiple switches via an MLAG, or in stacking mode.
- This would ensure that failure of any one port, or cable, would not take down a third of the internal networks.
- This would allow up to 1Gbps file transfers between two internal VLANs without impacting throughput on one of the other VLANs headed to the Internet.
Your suggestion is to 'leave it on the switch', which I'm sure you know isn't an option since these are separate layer 3 networks, and the Firewalla Gold is acting as the router. Clearly, any layer 2 traffic for hosts in the same network would remain on the switch.
-
This sounds interesting. My Xfinity router has the option to enable port aggregation (Port 1 & 2). How would this work exactly with Firewalla Gold in Router mode?
Would I enable port aggregation in Xfinity, then in Firewalla Gold create another network and configure it as a backup in case the wire failed on the main WAN line?
-
In general, link aggregation/bonding in the consumer/small business space is very likely to increase link bandwidth. (You can also do it with Multiple WAN, but that requires more modems.)
This means link aggregation will only make sense if you have a WAN greater than 1 Gigabit. If you don't, there is no point to bundle.
-
@Firewalla, yes, I agree on that, but what about the inter-network/VLAN routing? The default GW is on the Firewalla, so it's limited to the links connected to the Firewalla Gold. An example: if I could virtualize Firewalla, it could leverage the 10GB NIC on my ESXi servers.
Even if this is not on the roadmap (virtualization of Firewalla, that is), if we can get the Firewalla to learn via IP, then I can move the router function to a virtual pfSense, let's say, and have the Firewalla as my edge device. The reason I don't do this now is that I lose out on all the DPI functions of Firewalla, since as of now you learn via MAC.
-
Virtualized Firewalla is possible, but the problem is more on the economics. It is far easier for us to build hardware with 4 ports: we know everything that's inside, and software behavior is fairly deterministic. The cost of maintaining/supporting software in a virtualized environment is going to be expensive.
-
I have 10G WAN (1:1), which is a bit of an overkill. However, I would like to understand when I can do port aggregation from my Firewalla Gold to the switch. Currently I have the Gold running in Router Mode, and everything is behind the firewall. This means I am limited to 1Gb for the whole net. With the home office, the network is pushed to the max by video conferences and streaming going on simultaneously.
I would be very happy when the feature is added. I am interested in using the combination of port aggregation from the WAN and LAN perspective, as I have a switch and all Gold ports are gigabit. Happy to test once the feature comes into beta.
-
Let me add that this is a feature that is much desired. Service is now available and many have, as do I, greater than 1 Gbps WAN speeds to the Internet. Due to the lack of either link aggregation or multigigabit Ethernet, I am not able to achieve the speeds I am paying for with the Firewalla Gold. Nor does it look like the Purple will be able to accommodate this need (I'm hopeful that can change before release). As such, I have opted to add a UDM Pro to my setup. I am keeping the FG because it serves a need that the UDMP doesn't do well. But, I have to say that the UDMP does seem to be a more capable machine in terms of port throughput, link aggregation, and port management; not to mention the other features that come along with it, and for less than the FG. It's really surprising. I would really like to use these two devices completely in tandem because they both do different things well, but the limited throughput on the Firewalla has limited my options there.
Important to note that the WAN aggregation is great, and works well, but I'm now unable to pipe that feed back into an aggregated connection on the LAN side, limiting the ability to use a simplified setup with consolidated traffic at 2Gbps. I've spent many hours and resets trying to get some configuration to work with the FG and it just won't do it.
"Waiting for internet speeds to justify the capability" (paraphrasing) isn't helping Firewalla in this market space as speeds continue to rise. I would encourage Firewalla to be a little more forward leaning in anticipating needs rather than trying to catch up after the fact. I like your product and I'd like to see you continue to succeed.
-
I hate to add to this older topic, but those that are getting upset about LACP and port aggregation are not taking into account that you could have eight 1-gig links in a port-channel and the speed for any one device is still 1 gig. Traffic flows cross a single cable, not all of them. The port aggregation is for handling "more" traffic flows at 1 gig as well as multi-device redundancy. Not for faster speeds.
-
@Jason, it is true that one would only have 1Gbps to a device on a 1Gbps link, but what if the link to the device was 2.5Gbps? Or what if all 6 devices wanted every bit of their 1Gbps link at the same time if two of those 8 were going out to the firewalla? Unless you are saying that the Firewalla Gold cannot do load balancing? Because they state it will on the WAN side. So why not on the LAN side as well? There are several use cases that can take advantage of 2Gbps or greater. If there aren't, why would they have load balancing on the WAN side? Unless I'm totally confused by your post and am reading this wrong.
How does port aggregation not handle faster speeds? Does it not allow 1Gbps across each aggregated link? I'm really confused because I have a switch with two 10Gbps ports linked that are going to a device with two 10Gbps ports also linked and it is telling me that it's operating at 20Gbps for bandwidth to the switch. That does seem like a faster speed to me than 10. And while it's true that end devices that use those services might be limited to 2.5 or 1Gbps, there will most likely not be a bottleneck for traffic flow in and out of the 20Gbps aggregated link if twenty 1Gbps feeds were needed at the same time.
Not only that, but the scenario you described is a good use case for needing 2Gbps through the firewall if you have 6 other devices hanging off an 8-port switch and all of that traffic is routed through the firewalla on two of the ports. While it is true the max speed of any of the 6 devices is 1Gbps (nevermind that you might have 2.5 or 10Gbps links on the switch), the total throughput could well be in excess of 2Gbps if the firewalla had the link speed to support it. So the firewalla becomes the bottleneck.
A good option here could be the Netgate 6100. It has some pretty impressive specs for the hardware and firewall capabilities as well as throughput. It solves the problem we're discussing by not only having faster links, but they also handle load balancing. The UDM Pro also handles faster speeds with faster links but I don't know if they do load balancing. Firewall throughput functions on the UDM Pro is similar to the Firewalla.
-
It would not matter. Link Aggregation is something that has been around for decades at this point. The speed of an individual traffic flow is governed by the slowest cable. So, if you had four 10-gig links in a port-channel, the overall throughput from Switch #1(S1) to Switch #2(S2) is 40 gig. But, say, a user connected via a 25-gig connection to (S1). That user has a 25-gig throughput from their machine to the switch. From there, if they are accessing anything on (S2), their maximum throughput will be rate limited to 10-gig.
Port-channel load balancing follows two typical methods, IP/MAC based or hash based. You can use either one, but the load for a given traffic flow is still going to be the max speed of an individual link. Not the overall port-channel.
WAN load balancing, again, would follow the same strategy. Once you have made a TCP connection to some server on the Internet, that traffic flow will not change from your ISP hand off to your Firewalla. The point of link aggregation is OVERALL bandwidth increase and redundancy. If your Firewalla was connected to a Cisco switch stack, then having multiple connections in a port-channel would allow for a single switch failure and still provide connectivity to those devices on the second switch.
Think of link aggregation as the Interstate. The speed is 80mph. At certain points there are 2 lanes, and at other points there could be 4 lanes. Your speed, for you, in your car, is still 80mph, but now there are 4 cars going 80mph. That's link aggregation in a 20,000-foot nutshell.
If you want a little more technical detail on it, this isn't something that Firewalla can change or not change. This is part of the rules that govern TCP connectivity.
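The per-flow limit described in the post above can be made concrete with a small model. The following is an added example, not code from Firewalla or from any poster in this thread: it pins each flow to one member link by hashing its headers, the way an LACP port-channel or a Linux bond does, then shares each member among the flows that landed on it. The hash function (SHA-256 over the chosen header fields), the `layer3` / `layer3+4` policy names, the 1 Gbps member size and the addresses are all assumptions made for the example; no real switch or bonding driver uses exactly this hash.

```python
"""Toy model of LACP/802.3ad flow distribution across a port-channel.

Constructed example (not Firewalla's code). Assumptions: N equal member
links of LINK_GBPS each; a flow is pinned to one member by hashing header
fields, as real switches and Linux bonding (xmit_hash_policy) do. SHA-256
is a stand-in for the vendor hash; only its property matters here: the same
flow always lands on the same member, so no single flow can exceed one link.
"""
import hashlib
from dataclasses import dataclass

LINK_GBPS = 1.0  # capacity of one member link (assumed)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int = 6              # TCP
    demand_gbps: float = 10.0   # what the endpoints could push if unconstrained


def hash_key(flow: Flow, policy: str) -> str:
    """Header fields that feed the hash under a given policy."""
    if policy == "layer3":
        return f"{flow.src_ip}|{flow.dst_ip}"
    if policy == "layer3+4":
        return (f"{flow.src_ip}|{flow.dst_ip}|{flow.proto}|"
                f"{flow.src_port}|{flow.dst_port}")
    raise ValueError(f"unknown policy {policy}")


def choose_member(flow: Flow, members: int, policy: str) -> int:
    """Deterministic member selection: same headers, same link, no reordering."""
    digest = hashlib.sha256(hash_key(flow, policy).encode()).digest()
    return int.from_bytes(digest[:4], "big") % members


def distribute(flows, members: int, policy: str = "layer3+4"):
    """Pin each flow to a member, then give each member's flows a max-min fair share."""
    on_link = {i: [] for i in range(members)}
    for f in flows:
        on_link[choose_member(f, members, policy)].append(f)
    rate = {}
    for fs in on_link.values():
        remaining, n = LINK_GBPS, len(fs)
        for f in sorted(fs, key=lambda x: x.demand_gbps):
            r = min(f.demand_gbps, remaining / n)   # fair share of what is left
            rate[f] = r
            remaining -= r
            n -= 1
    per_link = {i: sum(rate[f] for f in fs) for i, fs in on_link.items()}
    return rate, per_link


def scenario(members: int = 4, policy: str = "layer3+4") -> dict:
    """Constructed traffic: one big file copy, then eight clients hitting a NAS."""
    copy = Flow("10.0.10.20", "10.0.20.5", 50000, 445)
    rates, _ = distribute([copy], members, policy)
    single = rates[copy]                      # one flow, whole channel to itself
    clients = [Flow(f"10.0.10.{i}", "10.0.20.5", 40000 + i, 445) for i in range(1, 9)]
    rates, per_link = distribute(clients, members, policy)
    return {
        "single_flow_gbps": single,
        "max_client_flow_gbps": max(rates.values()),
        "aggregate_gbps": sum(rates.values()),
        "links_used": sum(1 for v in per_link.values() if v > 0),
    }


def same_host_pair(members: int = 4, policy: str = "layer3") -> tuple:
    """Eight parallel streams between the same two hosts under an IP-only hash."""
    flows = [Flow("10.0.10.20", "10.0.20.5", 50000 + i, 445) for i in range(8)]
    rates, per_link = distribute(flows, members, policy)
    return sum(rates.values()), sum(1 for v in per_link.values() if v > 0)


if __name__ == "__main__":
    print(scenario())            # single flow capped at 1.0 regardless of members
    print(same_host_pair())      # layer3 hash: all 8 streams share ONE member
    print(same_host_pair(policy="layer3+4"))  # ports in the hash: they can spread
```

The `same_host_pair` case is the practical caveat: with an IP-only hash policy, every stream between one PC and one NAS hashes to the same member, so even many parallel transfers between that pair never exceed one link, while a layer3+4 policy lets them spread. Either way `single_flow_gbps` stays at one member's capacity, which is the point the post makes.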
-
I mean, I am not trying to be difficult, a smartass, or a prick. I figured "why does load balancing exist" was a given. So that all traffic flows don't take a single cable out of the port-channel.
As to your sleight-of-hand comment about being an engineer, good. I am glad you are one. But this is not an assessment. This is 25 years of Cisco certification telling you how it is. :-) I am not making this stuff up, nor am I speculating. I am telling you, as someone who has been doing this a long time and on a global scale for very large companies, this is the way it is. There are some tricks to do things on a virtual level, but they are not 100% and typically involve something at the compute level. Two network devices, not so much. A $100,000 Cisco switch still follows these same rules.
33 comments