Re: [FW1] Maximum Throughput? - 1 GBit/s required
My apologies for the poor choice of words. "Improper" and "load-balancing" were not accurate. I should have used "unconventional" and "load-sharing." I'll explain why.

If all interfaces receive multicast traffic, multiple nodes will not provide an increase over a single node's interface capacity when throughput is a factor. However, if intense computation is the factor contributing to poor firewall network performance, multiple nodes should increase overall throughput as the computation is distributed across nodes in the cluster. But as you begin to distribute load across multiple nodes (even 16), you will not reach beyond a single interface's capacity, as all 16 nodes will receive the same datagram on their interface -- one node will process it, the other 15 will discard it. This will not enable the cluster to surpass the capacity of a single interface.

The unconventional method is that the cluster is incapable of allowing external devices to correctly ARP for the multicast MAC address. Since a unicast address is assigned a multicast MAC address, conventional network components will become confused when attempting to deliver the datagram to the unicast IP/multicast MAC address. That is why, in a switched environment, it is necessary to specifically define the multicast MAC on all interfaces which a datagram is to traverse, or utilize a method that will automagically complete that task. This will not scale well when a true HA network configuration is used with multiple switching devices. Using the traditional multicast group (multicast IP and MAC) should enable the cluster to inform participants of drops and rejoins of specific nodes in the cluster. This is not the case in the textbook configuration of FullCluster: the multicast MAC must be statically defined on all participants (ports and trunks on the switch, interfaces on the routers).
From a layer-2 perspective, this increases the overall load of a single transmission, as the datagram is duplicated on all recipients of that particular multicast MAC address assignment. The HA software can be configured such that both devices are active and capable of responding for the other device via the standby IP (much like load sharing with HSRP on a Cisco router). All additional load aside, this could enable two full interfaces' worth of bandwidth, as each device only receives traffic destined for its interface, thus increasing total network throughput.

Once again, my apologies for the poor word selection.

Peter Lukas

On Tue, 14 Nov 2000 [email protected] wrote:

>
> Peter,
>
> Your statements about StoneBeat FullCluster are misleading or erroneous.
>
> > Because the FullCluster method utilizes (rather improperly)
> > a multicast address to address multiple firewall devices, you
> > will never exceed the maximum throughput available on a given
> > interface.
>
> We do not "improperly" use multicast addresses. Our use of multicast MAC
> addresses follows Ethernet multicast standards.
>
> > For example, a 3-node cluster with 100Mbps Full-Duplex interfaces will
> > max out at 100Mbps (theoretical maximum). Since traffic must be rebroadcast
> > to all interfaces in the cluster via the multicast address, all interfaces
>
> Multicast traffic is not "rebroadcast" to interfaces. It is the transmission
> of a single datagram to multiple interfaces at the same time. And any interface
> running at 100 Mbps full duplex will theoretically handle 200 Mbps, not 100
> Mbps.
>
> The traffic throughput through a firewall is not bottlenecked at the interface
> anyway, but by the firewall software, whose performance is determined by the
> use of NAT, VPNs, number of rules, and other factors.
>
> > It would be possible to exceed the interface's capacity by utilizing
> > multiple interfaces (like an etherchannel configuration). The stonebeat
> > HA software can be configured in a load-balancing configuration which may
>
> The StoneBeat HA software does not perform load balancing. It is a basic high
> availability or load sharing solution. StoneBeat FullCluster performs load
> balancing, and does so up to 16 nodes per cluster. FullCluster also supports
> the use of multiple cluster IP addresses, which would increase its potential
> throughput of the limitations you suggest. That's assuming someone wants to
> lose the transparency of the network device, and deal with the problems of a
> multiple IP environment and the complexity it introduces.
>
> ----------------------------------------------------------------
> Mark Boltz                       Stonesoft, Inc.
> Network Security Specialist      115 Perimeter Center Place
> [email protected]                South Terraces, Suite 1000
> Tel:                             Atlanta, GA 30346
> Cel:                             USA
> Fax:                             http://www.stonesoft.com
>
> New support numbers!
> Toll free:
> Other areas:
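The throughput argument in Peter's message (every node's interface receives every frame under a multicast-MAC cluster, so the cluster is capped at one interface's worth of ingress no matter how many nodes process it, whereas two active devices with their own unicast MACs can each take a full interface) can be checked with a small frame-level model. The following is an added example written for this archive page, not code from either poster or from Stonesoft; the interface capacities, per-node CPU budgets, frame sizes, offered load, and the flow-hash node assignment are all constructed assumptions chosen to make the two ceilings visible.

```python
"""Added example, not part of the mailing-list thread: a frame-level model of
the two designs discussed above, so their throughput ceilings can be compared.

Model A (multicast-MAC cluster): the cluster's unicast IP is bound to a single
multicast MAC, so the switch delivers every ingress frame to every node's
interface.  One node (chosen by a flow hash) processes the frame; the others
receive it only to discard it.

Model B (active/active load sharing): two devices each own a unicast MAC and
receive only the frames addressed to them, as with HSRP-style sharing.

All capacities and offered loads are constructed numbers, not vendor figures.
"""
import hashlib
from dataclasses import dataclass

MBIT = 1_000_000
FRAME_BITS = 12_000          # one 1500-byte Ethernet payload (constructed)


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    size_bits: int = FRAME_BITS


def flow_owner(frame: Frame, n_nodes: int) -> int:
    """Deterministic flow-to-node assignment from a hash of the (src, dst) pair."""
    digest = hashlib.sha256(f"{frame.src}->{frame.dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_nodes


def offered_load(total_mbit: float, n_flows: int) -> list[Frame]:
    """Constructed one-second offered load: frames spread round-robin over n_flows flows."""
    n_frames = int(total_mbit * MBIT) // FRAME_BITS
    return [Frame(src=f"198.51.100.{k % n_flows}", dst="203.0.113.10")
            for k in range(n_frames)]


def multicast_cluster(frames: list[Frame], n_nodes: int,
                      iface_mbps: float, node_cpu_mbps: float) -> tuple[float, float]:
    """Model A.  Returns (forwarded_mbit, discarded_copies_mbit).

    Because every node sees every frame, the single-interface ceiling applies
    to the cluster's total ingress no matter how many nodes there are; adding
    nodes only spreads the processing work (the CPU-bound case).
    """
    iface_cap, cpu_cap = iface_mbps * MBIT, node_cpu_mbps * MBIT
    delivered = 0                   # bits that fit through one interface
    per_node = [0] * n_nodes        # bits each node actually has to process
    for f in frames:
        if delivered + f.size_bits > iface_cap:
            break                   # all n_nodes interfaces saturate at the same instant
        delivered += f.size_bits
        per_node[flow_owner(f, n_nodes)] += f.size_bits
    forwarded = sum(min(bits, cpu_cap) for bits in per_node)
    discarded_copies = delivered * (n_nodes - 1)   # received by non-owners, then dropped
    return forwarded / MBIT, discarded_copies / MBIT


def active_active(frames: list[Frame], iface_mbps: float, node_cpu_mbps: float) -> float:
    """Model B with two devices: each receives only its own share of the frames,
    so the interface ceiling applies per device and total ingress can approach
    two interfaces' worth."""
    iface_cap, cpu_cap = iface_mbps * MBIT, node_cpu_mbps * MBIT
    per_device = [0, 0]
    for f in frames:
        d = flow_owner(f, 2)
        if per_device[d] + f.size_bits <= iface_cap:
            per_device[d] += f.size_bits   # otherwise dropped at that device's NIC
    return sum(min(bits, cpu_cap) for bits in per_device) / MBIT


if __name__ == "__main__":
    load = offered_load(300, n_flows=200)   # 300 Mbit/s offered to 100 Mbps NICs
    for n in (1, 3, 16):
        fwd, waste = multicast_cluster(load, n, iface_mbps=100, node_cpu_mbps=80)
        print(f"multicast cluster, {n:2d} node(s): {fwd:8.3f} Mbit/s forwarded, "
              f"{waste:9.3f} Mbit/s received only to be discarded")
    print(f"active/active, 2 devices:      "
          f"{active_active(load, 100, 80):8.3f} Mbit/s forwarded")
```

With a per-node CPU budget of 80 Mbit/s, a single node forwards 80 Mbit/s (CPU-bound); three nodes lift that to the interface ceiling of just under 100 Mbit/s, and sixteen nodes go no higher while every extra node's NIC absorbs another full copy of the stream. The two-device active/active model, where each device receives only its own frames, reaches 160 Mbit/s under the same budgets. The model covers ingress only; it does not represent the switch-side cost of statically defining the multicast MAC on every port and trunk that the message also raises.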