Link Aggregation best practices

Hello,

I am trying to configure link aggregation to multiply our bandwidth, but since we have two switches (master and backup), I would like to configure two link aggregations with 2 physical interfaces each (in dynamic mode) so that we can have a backup line if our master switch ever goes down. Do I have to do this or do I have to create a single link aggregation with 4 physical interfaces, 2 connected to each switch?

Thank you in advance,

Comments

  • James_Carson Moderator, WatchGuard Representative

    Hi @m33d

    The biggest thing is making sure that the device you're plugging into supports the same mode(s) and they're both set up the same way. Most everything defaults to active/backup, which will only use one of the links and keep the other as a backup.

    Read this for a description of what each does:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/link_aggregation_about_c.html

    Static is probably what you're looking to use if you want to load balance the way you described.

    Please also check the datasheet for your firewall to ensure that it can operate at the speeds you want it to. The "Firewall" figure only shows how many bits the firewall can shovel around to all ports (basically how many bits it can move in total across everything it has.) Most data streams will be in one interface and out another. Looking at the IMIX numbers (if there are any) or the IPS/UTM numbers for older devices gives a better picture of single stream data throughput.

    Also keep in mind that bonding two interfaces will not supply double the bandwidth. Under best case circumstances, you'll be looking at a 60ish percent increase. If one goes down for some reason, you'll also lose that, so there's not a lot of fault tolerance.

    Finally, some of our firewalls have interchangeable interface bays.
    Some have SFP+ interfaces built in. If your device supports it, a 10G card and transceiver may be a better option for you.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    Hi @m33d

    The biggest thing is making sure that the device you're plugging into supports the same mode(s) and they're both set up the same way. Most everything defaults to active/backup, which will only use one of the links and keep the other as a backup.

    Read this for a description of what each does:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/link_aggregation_about_c.html

    Static is probably what you're looking to use if you want to load balance the way you described.

    Please also check the datasheet for your firewall to ensure that it can operate at the speeds you want it to. The "Firewall" figure only shows how many bits the firewall can shovel around to all ports (basically how many bits it can move in total across everything it has.) Most data streams will be in one interface and out another. Looking at the IMIX numbers (if there are any) or the IPS/UTM numbers for older devices gives a better picture of single stream data throughput.

    Also keep in mind that bonding two interfaces will not supply double the bandwidth. Under best case circumstances, you'll be looking at a 60ish percent increase. If one goes down for some reason, you'll also lose that, so there's not a lot of fault tolerance.

    Finally, some of our firewalls have interchangeable interface bays.
    Some have SFP+ interfaces built in. If your device supports it, a 10G card and transceiver may be a better option for you.

    Hi @James_Carson

    I've looked at the docs before and think dynamic mode is best for us (it uses LACP to load balance the flow between links). The problem now is whether WatchGuard has a backup / fault tolerance solution for link aggregation or not? For example, if our main switch broke down, can the Firebox (M370) use the 2nd link aggregate connected to our 2nd switch automatically, or do we have to redo all the configuration?

    Thank you

  • James_Carson Moderator, WatchGuard Representative

    If one link goes down -or- LAG negotiation fails, the Firebox will default back to active/backup mode.

    -James Carson
    WatchGuard Customer Support
