Advanced Networking: Link Aggregation
Course # 3101
6/25/14
© 2009 GTA, INC. CONFIDENTIAL & PROPRIETARY, NOT FOR DISTRIBUTION.

What does Link Aggregation do on GTA Firewalls?
▪ Binds or aggregates two or more Ethernet interfaces to act as one interface.
▪ Provides redundant interfaces in the event of:
  ▪ NIC failure on the firewall
  ▪ Port failure on the switch
  ▪ Switch failure, if multiple switches are used
  ▪ Cable failure
▪ Provides increased throughput in some instances.
▪ Supports both IPv4 and IPv6 addresses.

What LAG does not do
▪ Does not aggregate different Internet connections.
▪ Does not bridge the connections.

Link Aggregation: 4 configurations
▪ LACP - Link Aggregation Control Protocol
▪ Fail Over
▪ Load Balance
▪ Round Robin

Requirements
▪ GB-OS 5.2 or later
▪ LACP: a switch or switches that support LACP
▪ 3 or more interfaces
▪ All GTA Firewalls support Link Aggregation

Configure a Link Aggregation
▪ [Network -> Interfaces -> Settings]
▪ Select an interface and set its type to the LAG mode required.
▪ Click the plus to add additional interfaces.

LAG Properties
▪ Once an interface is added to a LAG it is treated as a single interface.
▪ The primary interface (port) is the interface in index 1 of the LAG interface.
▪ MAC address: the LAG interface assumes the MAC address of the NIC in the primary index.
▪ In the example above there are two LAGGs:
  ▪ eth4 & eth5, MAC 00:90:fb:33:6e:18 (EM4 & EM5)
  ▪ eth6 & eth7, MAC 00:1b:21:86:d8:f8 (IGB0 & IGB1)

LACP
▪ LACP will negotiate a set of links between the firewall and a peer.
▪ Each LAG is composed of one or more links set to the same speed and duplex.
▪ Packets will be balanced across all active ports.
▪ The current implementation does not allow administrative variables to be set:
  ▪ Always uses Active mode
  ▪ 0x8000 as system and port priorities

Peer Switch Using LACP
(Diagram: peer switch connected to eth4 & eth5, MAC 00:90:fb:33:6e:18 (EM4 & EM5), and to eth6 & eth7, MAC 00:1b:21:86:d8:f8 (IGB0 & IGB1))

Fail Over
▪ Sends and receives traffic only through the primary port.
▪ If the primary port fails or the connection is broken, the second interface takes over the connections.

Round Robin
▪ Basic algorithm where outbound packets are distributed using a round robin approach.
▪ Accepts packets on all configured ports that are up.

Load Balance
▪ Similar to Cisco Fast EtherChannel (FEC).
▪ Configuration where the firewall does not negotiate the aggregation.
▪ Accepts inbound packets on all configured and up interfaces.
▪ Balances the packets passing outbound through the firewall interface over the ports configured and up in the LAG.
▪ The algorithm for this includes in the calculation:
  ▪ Source IP
  ▪ Destination IP

Overview Display
▪ A green up arrow indicates an interface is physically connected.
▪ A red down arrow indicates the interface is not connected.

Log
Oct 14 13:32:40 pri=4 msg="alarm: Interface PROTECTED (eth4) down"
Oct 14 13:33:52 pri=5 msg="alarm: Interface PROTECTED (eth4) up"

Monitoring [Monitor -> Activity -> Network -> Statistics]
▪ Connections will show only under the lagg interface name.
▪ Individual totals will display.

Monitoring [Monitor -> Reporting -> Historical Statistics -> Bandwidth]
▪ lagg0 is eth6 and eth7.

Notification of Link Down
▪ An SNMP trap is sent if Alarm notifications are enabled and an SNMP Trap Manager is configured in the [Configure -> System -> Notifications] section. The firewall will send a trap on both up and down events.
▪ Log messages:
  ▪ Interface Down - Oct 20 13:38:51 pri=4 msg="alarm: Interface PROTECTED (eth0) down"
  ▪ Interface Up - Oct 20 13:39:03 pri=5 msg="alarm: Interface PROTECTED (eth0) up"

HA Link Aggregation
(Diagram)

FAQ
▪ Can I use LAG with VLANs?
  ▪ No, currently VLANs are not supported on LAG interfaces.
▪ Is LAG useful if the firewall has only 3 interfaces?
  ▪ Load balancing will have little effect. However, interface fail over will be useful in some instances.
▪ Can I use LAG with DHCP?
  ▪ Yes, LAG interfaces using DHCP are supported.
▪ Can I bridge LAG interfaces?
  ▪ No, bridging and LAG are not supported together.
▪ Can I use LAG with PPP?
  ▪ No, you cannot use a PPP interface with LAG.

Support
If you require additional assistance or have additional questions, please contact GTA Technical Support.
▪ Email: support@gta.com
▪ Support Line Phone: 1.407.482.6925
▪ Normal Hours: 0830-1900 EST U.S.
▪ Free User Support: http://forum.gta.com
Global Technology Associates, Inc.

References
▪ GTA Online Documentation - http://www.gta.com/support/documents
▪ FreeBSD LAG Information - http://www.freebsd.org/doc/en/books/handbook/network-aggregation.html
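As an added example (not part of the GTA course material or GB-OS), the interface alarm lines shown on the Log and Notification of Link Down slides can be replayed against the LAG membership to distinguish a degraded LAG (one member down, fail over or balancing still carrying traffic) from a LAG that is fully down. The regex for the alarm line, the "lagg1" name for the eth4/eth5 pair, and the sample log are assumptions made for this example; only lagg0 = eth6 + eth7 comes from the slides.

```python
import re

# Regex for the GB-OS alarm lines shown on the Log slide, e.g.
#   Oct 14 13:32:40 pri=4 msg="alarm: Interface PROTECTED (eth4) down"
ALARM_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) pri=\d+ '
                      r'msg="alarm: Interface \S+ \((?P<dev>\w+)\) (?P<state>up|down)"$')
# LAG membership. lagg0 = eth6 + eth7 is stated on the Bandwidth slide; the
# name "lagg1" for the eth4 + eth5 pair is an assumption made for this example.
LAG_MEMBERS = {"lagg0": ["eth6", "eth7"], "lagg1": ["eth4", "eth5"]}

def parse_alarm(line):
    """Return (timestamp, device, state) for an interface alarm line, else None."""
    m = ALARM_RE.match(line.strip())
    return (m.group("ts"), m.group("dev"), m.group("state")) if m else None

def track_lag_health(lines, members=LAG_MEMBERS):
    """Replay alarm lines; return LAG events as (ts, lag, event, dev).
    One member down only DEGRADES the LAG (fail over / balancing keeps it up);
    it is DOWN only when every member is down, RESTORED when one returns,
    HEALTHY once all members are back. All members are assumed up at start."""
    dev_to_lag = {d: lag for lag, devs in members.items() for d in devs}
    up = {d: True for devs in members.values() for d in devs}
    events = []
    for line in lines:
        parsed = parse_alarm(line)
        if parsed is None or parsed[1] not in dev_to_lag:
            continue                     # not an alarm, or not a LAG member
        ts, dev, state = parsed
        lag = dev_to_lag[dev]
        was_all_down = not any(up[d] for d in members[lag])
        up[dev] = state == "up"
        live = sum(up[d] for d in members[lag])
        if live == 0:
            events.append((ts, lag, "DOWN", dev))
        elif was_all_down:
            events.append((ts, lag, "RESTORED", dev))
        elif state == "down":
            events.append((ts, lag, "DEGRADED", dev))
        elif live == len(members[lag]):
            events.append((ts, lag, "HEALTHY", dev))
    return events

# Constructed sample log in the slides' format (eth0 is not a LAG member here).
SAMPLE_LOG = [
    'Oct 14 13:32:40 pri=4 msg="alarm: Interface PROTECTED (eth4) down"',
    'Oct 14 13:32:41 pri=4 msg="alarm: Interface PROTECTED (eth5) down"',
    'Oct 14 13:33:52 pri=5 msg="alarm: Interface PROTECTED (eth4) up"',
    'Oct 14 13:34:10 pri=5 msg="alarm: Interface PROTECTED (eth5) up"',
    'Oct 14 13:35:00 pri=4 msg="alarm: Interface EXTERNAL (eth0) down"',
]
```

Feeding the same lines that arrive as SNMP traps or syslog into track_lag_health lets a monitor page on a LAG going DOWN while only logging DEGRADED events, which a per-interface alarm alone cannot distinguish.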