
D-Link NetDefendOS

912 pages
The administrator must make a judgment about the traffic being spread across the aggregated
physical interfaces and choose one of the following criteria for the distribution:
DestinationMAC
SourceIP
DestinationIP
SourcePort
DestinationPort
IP and Ports (the default)
Choosing the Distribution Method
The algorithm that spreads the traffic between the aggregated interfaces hashes the value
selected by the chosen distribution method. The best distribution method is therefore the one
whose value varies the most between connections. For example, if the source of traffic is a
number of internal clients being NATed to the Internet via an ISP, the best choice for the
distribution method is most likely SourcePort since this will be chosen randomly as each
connection is opened by a client.
An alternative in the above scenario could be SourceIP but only if there is a sufficiently large
number of clients. With just a few clients, SourceIP might end up with only one of the aggregated
interfaces being used.
If aggregation is being done for a protected web server receiving external requests from remote
clients over the public Internet, the DestinationIP would not be suitable since all connections
would have the server's address. Instead, the more variable SourceIP would be a better choice for
the distribution method.
The hashing process that chooses the physical Ethernet interface takes place each time a new
connection is opened. This means that all packets for a given connection will be sent on the
same physical interface. The interface chosen for a connection will subsequently change only
if the chosen mode is dynamic and the connection fails.
The Default IP and Ports Distribution Method
The default distribution method is IP and Ports. It takes into account both the source and
destination IP addresses as well as the source and destination port numbers. It is designed to
be a general catch-all solution where the traffic type is known to be variable or where the
administrator is uncertain which of the more specific distribution methods is suitable.
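The following added example (not taken from the D-Link manual) simulates per-connection hash distribution for the NATed-clients scenario above, showing how few distinct SourceIP or DestinationIP values leave links idle. CRC32 modulo the link count is an assumed stand-in for the NetDefendOS hash, which the manual does not specify; the addresses and helper names are constructed.

```python
import random
import zlib
from collections import Counter

# Fields fed to the hash for each distribution method named in the text.
METHODS = {
    "SourceIP": ("src_ip",),
    "DestinationIP": ("dst_ip",),
    "SourcePort": ("src_port",),
    "DestinationPort": ("dst_port",),
    "IP and Ports": ("src_ip", "dst_ip", "src_port", "dst_port"),
}

def pick_interface(conn, method, n_links):
    """Hash the selected fields once per new connection and map to a link index.
    CRC32 is an assumed stand-in; the real NetDefendOS hash is not documented."""
    key = "|".join(str(conn[f]) for f in METHODS[method]).encode()
    return zlib.crc32(key) % n_links

def distribution(conns, method, n_links):
    """Return the number of connections assigned to each link."""
    counts = Counter(pick_interface(c, method, n_links) for c in conns)
    return [counts.get(i, 0) for i in range(n_links)]

def nat_clients(n_clients, n_conns, seed=1):
    """Constructed sample: internal clients opening HTTPS connections to one site."""
    rng = random.Random(seed)
    clients = [f"192.168.1.{10 + i}" for i in range(n_clients)]
    return [{"src_ip": rng.choice(clients), "dst_ip": "203.0.113.80",
             "src_port": rng.randint(49152, 65535), "dst_port": 443}
            for _ in range(n_conns)]

if __name__ == "__main__":
    # Three clients, four aggregated links: compare every method side by side.
    conns = nat_clients(n_clients=3, n_conns=2000)
    for method in METHODS:
        print(f"{method:16} {distribution(conns, method, n_links=4)}")
```

Running the script prints connections per link for each method; a row with zeros marks a method whose input does not vary enough for that traffic pattern.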
Physical Switch Connections
The physical cable links between the firewall and the external switch can be made either before
or after creating the LinkAggregation object and activating the changed configuration.
NetDefendOS will try to send data on the aggregated interfaces as soon as the configuration
changes become active.
However, it is recommended that the physical cabling is in place before the LinkAggregation
object is activated and saved. This will provide the behavior which is expected from the feature
and is particularly relevant if negotiated aggregation (LACP) is used.
Setup with High Availability
When using link aggregation with HA, the connections from the Ethernet ports on each firewall
in the HA cluster can connect to the same or different switches. However, if using the same
switch, the switch must be configured so that the connections from each firewall are kept
separate by creating two link aggregation groups in the switch.
Chapter 3: Fundamentals