2 GBit provider connection on 10 GBit GBIC on Cisco with a Netgate firewall with 2x 1 GBit network cards
Sorry for the long title. I have a Cisco layer 3 switch here with a 10 GBit GBIC module with a 2 GBit network connection from our local provider. Unfortunately the firewall has only 2x 1 GBit network cards.
Is it possible to have a LAGG with LACP, Loadbalance or Roundrobin to use both 1 GBit network cards to fully utilize the 2 GBit connection?
Maybe one of you already has experience with this or has an idea - this would be awesome :)
Thanks and greetz
Not effectively. LACP only load balances based on the source and destination MACs, which will always be the upstream gateway going to the LAGG interface on the firewall. So you can have failover, but not bonded bandwidth. You'll need a 10G interface on the firewall (or, I suppose, a 2.5G interface and compatible switch...)
What about LACP with src-ip? I think the switch should send the packets load-balanced through both interfaces.
Unfortunately at the moment it's only theoretical. Maybe I can test it in a couple of days. But it seems that I have the following options on the Cisco switch:
dst-ip - Dst IP Addr
dst-mac - Dst Mac Addr
src-dst-ip - Src XOR Dst IP Addr
src-dst-mac - Src XOR Dst Mac Addr
src-ip - Src IP Addr
src-mac - Src Mac Addr
The destination IP address is always the same - but the source IP address changes from host to host.
Which load-balance mode would be best for a two-LAN-port LACP on the one side and two single 1 GBit connections on the other side?
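As an added illustration (my own code, not from this thread, pfSense or Cisco), here is a small Python model of how the load-balance modes listed above pick a member link for frames travelling from the L3 switch into the firewall's two-port LAGG. It assumes a simplified hash (the selected address fields XORed together, with the low-order bits choosing the port), which is not Cisco's exact algorithm, and it uses constructed sample addresses. It shows why the MAC-based modes put every frame on one link when the source MAC is always the switch's routed interface and the destination MAC is always the firewall's LAGG, while the IP-based modes can spread different LAN hosts across both links.

```python
"""Model which member link of a two-port LAG a frame lands on under each
Cisco port-channel load-balance mode named in the post.

Assumption (not Cisco's real hash): the chosen address fields are XORed and
the low-order bits of the result select the member port.
"""
import ipaddress
from collections import Counter

MODES = ("dst-ip", "dst-mac", "src-dst-ip", "src-dst-mac", "src-ip", "src-mac")

# Constructed sample addresses (documentation ranges), not real equipment.
SWITCH_MAC = "00:00:5e:00:53:01"    # routed interface on the L3 switch
FIREWALL_MAC = "00:00:5e:00:53:02"  # pfSense LAGG interface

# Flows as seen on the switch -> firewall direction: the LAN host is the
# source, an Internet server is the destination, the MACs never change.
SAMPLE_FLOWS = [
    {"src_ip": "192.168.1.10", "dst_ip": "203.0.113.5",
     "src_mac": SWITCH_MAC, "dst_mac": FIREWALL_MAC},
    {"src_ip": "192.168.1.11", "dst_ip": "198.51.100.8",
     "src_mac": SWITCH_MAC, "dst_mac": FIREWALL_MAC},
    {"src_ip": "192.168.1.12", "dst_ip": "203.0.113.5",
     "src_mac": SWITCH_MAC, "dst_mac": FIREWALL_MAC},
    {"src_ip": "192.168.1.13", "dst_ip": "198.51.100.8",
     "src_mac": SWITCH_MAC, "dst_mac": FIREWALL_MAC},
]


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def member_link(mode: str, src_ip: str, dst_ip: str,
                src_mac: str, dst_mac: str, n_links: int = 2) -> int:
    """Return the member port index (0..n_links-1) for one frame."""
    if mode == "src-ip":
        key = _ip_int(src_ip)
    elif mode == "dst-ip":
        key = _ip_int(dst_ip)
    elif mode == "src-dst-ip":
        key = _ip_int(src_ip) ^ _ip_int(dst_ip)
    elif mode == "src-mac":
        key = _mac_int(src_mac)
    elif mode == "dst-mac":
        key = _mac_int(dst_mac)
    elif mode == "src-dst-mac":
        key = _mac_int(src_mac) ^ _mac_int(dst_mac)
    else:
        raise ValueError(f"unknown load-balance mode: {mode}")
    # Low-order bits select the port (simplified model, see module docstring).
    return key % n_links


def link_distribution(mode: str, flows, n_links: int = 2) -> Counter:
    """Count how many of the given flows land on each member port."""
    return Counter(member_link(mode, n_links=n_links, **f) for f in flows)


def modes_using_both_links(flows, n_links: int = 2):
    """Modes under which the sample flows are not all pinned to one port."""
    return [m for m in MODES if len(link_distribution(m, flows, n_links)) > 1]


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:12s} -> {dict(link_distribution(mode, SAMPLE_FLOWS))}")
    print("modes that spread these flows:", modes_using_both_links(SAMPLE_FLOWS))
```

With these constructed flows the three MAC modes pin all four flows to a single port, `src-ip` and `dst-ip` split them two and two, and `src-dst-ip` happens to collapse onto one port because the low bit of each source XORed with its destination comes out the same every time. That last result is an artifact of the toy hash and the chosen addresses, but it is a useful reminder to measure the real distribution on the switch (per-port counters under load) rather than assuming a mode spreads traffic evenly.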
There isn't a way to change the lagg hash on pfSense, so it may help downstream but not upstream. That's entirely dependent upon your upstream switch/equipment. It still means that no single flow would be able to go over 1Gbit/s.
That's for sure - but I don't need a single TCP flow with a speed over 1 GBit. I only want to use both WAN sides in general. I have a lot of computers with some web sessions, TCP sessions and softphones.
The firewall is configured to send packets over both WAN sides.
My idea is to handle both separate WAN connections with an LACP for both LAN ports:
LAN1 -> LAGG_1 -> WAN 1/2
LAN2 -> LAGG_1 -> WAN 1/2
Without an LACP and without a 10 GBit card I have only 2 independent 1 GBit LAN cards, and when the single 1 GBit LAN link is full I can't use both 1 GBit WAN links.
I hope you can understand what I want to say.
How does this connection come into your location? Are you saying that it is on a 10GE interface and you want to connect that to a switch, and then have 2 1GE connections from your firewall?
Overlord:
Sorry for being unclear - at the beginning, I had a different initial situation.
I have 2x 1 GBit copper WAN cables coming inside to the firewall.
The other card with two ports in the firewall (I have 4x 1 GBit ports) is connected to a Cisco Layer 3 switch/router.
At the moment the firewall is connected with a CARP interface to the Cisco switch and I want to change this to an LACP to get, hopefully, the possibility to utilize the two 1 GBit WAN ports.
CARP LAN with 2 ports -> pfSense -> 2x 1 GBit WAN links -> provider router
Later (Failover and 2 GBit on LAN side):
LAG with 2 ports -> pfSense -> 2x 1 GBit WAN links -> provider router
Got it... shitty VMware Workstation. Some trouble with duplicate MAC addresses.
The LACP is up and running but I can't verify my configured load-balance mode (src-ip). When I have one download I get 12 MB/s (LAN 100 MBit and WAN 1 GBit) and with two computers I get 2x 6 MB/s.
Ok guys - in the end, I realized that one of the network cards was broken. After buying a new card, everything is working like a charm.