Re: [FW1] Maximum Throughput? - 1 GBit/s required



My apologies for the poor choice of words.  "Improper" and
"load-balancing" were not accurate.  I should have used 
"unconventional" and "load-sharing."  I'll explain why.

If all interfaces receive multicast traffic, multiple nodes will not
provide an increase over a single node's interface capacity when
throughput is a factor.  However, if intense computation is the factor
contributing to poor firewall network performance, multiple nodes should
increase overall throughput as the computation is distributed across nodes
in the cluster.  But as you begin to distribute load across multiple
nodes (even 16), you will not reach beyond a single interface's capacity
as all 16 nodes will receive the same datagram on their interface -- one
node will process it, the other 15 will discard it.  This will not enable
the cluster to surpass the capacity of a single interface.

The unconventional method is that the cluster is incapable of allowing
external devices to correctly arp for the multicast MAC address.  Since a
unicast address is assigned a multicast MAC address, conventional network
components will become confused when attempting to deliver the datagram to
the unicast IP/multicast MAC address.  That is why, in a switched
environment, it is necessary to specifically define the multicast MAC on
all interfaces to which a datagram is to traverse, or utilize a
method that will automagically complete that task.  This will not scale
well when a true HA network configuration is used with multiple switching 
devices.

Using the traditional multicast group (multicast IP and mac) should enable
the cluster to inform participants of drops and rejoins of specific nodes
in the cluster.  This is not the case in the textbook configuration of
FullCluster: the multicast MAC must be statically defined on all
participants (ports and trunks on the switch, interfaces on the
routers).  From a layer-2 perspective, this increases the overall load
of a single transmission as the datagram is duplicated on all recipients
of that particular multicast MAC address assignment.

The HA software can be configured such that both devices are active and
capable of responding for the other device via the standby IP (much like
load sharing with HSRP on a Cisco router).  All additional load aside,
this could enable two full interfaces worth of bandwidth as each device
only receives traffic destined for its interface, thus increasing total
network throughput.

Once again, my apologies for the poor word selection.

Peter Lukas

On Tue, 14 Nov 2000 [email protected] wrote:

> 
> 
> Peter,
> 
> Your statements about StoneBeat FullCluster are misleading or erroneous.
> 
> > Because the FullCluster method utilizes (rather improperly)
> > a multicast address to address multiple firewall devices, you
> > will never exceed the maximum throughput available on a given
> > interface.
> 
> We do not "improperly" use multicast addresses. Our use of multicast MAC
> addresses follows Ethernet multicast standards.
> 
> > For example, a 3-node cluster with 100Mbps Full-Duplex interfaces will
> > max out at 100Mbps (theoretical maximum).  Since traffic must be rebroadcast
> > to all interfaces in the cluster via the multicast address, all interfaces
> 
> Multicast traffic is not "rebroadcast" to interfaces. It is the transmission
> of a single datagram to multiple interfaces at the same time. And any interface
> running at 100 Mbps full duplex will theoretically handle 200 Mbps, not 100 Mbps.
> 
> The traffic throughput through a firewall is not bottlenecked at the interface
> anyway, but by the firewall software, whose performance is determined by the
> use of NAT, VPNs, number of rules, and other factors.
> 
> > It would be possible to exceed the interface's capacity by utilizing
> > multiple interfaces (like an etherchannel configuration).  The stonebeat
> > HA software can be configured in a load-balancing configuration which may
> 
> The StoneBeat HA software does not perform load balancing. It is a basic high
> availability or load sharing solution. StoneBeat FullCluster performs load balancing,
> and does so up to 16 nodes per cluster. FullCluster also supports the use of
> multiple cluster IP addresses, which would increase its potential throughput
> beyond the limitations you suggest. That's assuming someone wants to lose the
> transparency of the network device, and deal with the problems of a multiple
> IP environment and the complexity it introduces.
> 
> ----------------------------------------------------------------
> Mark Boltz
> Network Security Specialist
> [email protected]
> Tel:
> Cel:
> Fax:
> 
> Stonesoft, Inc.
> 115 Perimeter Center Place
> South Terraces, Suite 1000
> Atlanta, GA 30346
> USA
> http://www.stonesoft.com
> 
> 
> New support numbers!
> Toll free:
> Other areas:
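The thread above turns on one layer-2 detail: a unicast cluster IP answered with a multicast MAC address, which conventional switches cannot learn from ARP and which therefore needs static MAC entries on every port the datagram must reach. The script below is an added example written for this page (it is not from either poster and not from Stonesoft or Check Point) that audits a neighbour table for exactly that condition, so an operator can see where such mappings exist on a segment, whether they belong to a known cluster or are an anomaly. It assumes Linux `ip neigh` output format; the sample lines are constructed, and the IPv4 group-to-MAC mapping it checks is the standard RFC 1112 one (01:00:5e + low 23 bits of the group address).

```python
import ipaddress
import re

# Constructed sample neighbour-table lines in Linux `ip neigh` format (not taken from the thread).
SAMPLE_NEIGH = """\
10.0.0.1 dev eth0 lladdr 00:10:5a:1b:2c:3d REACHABLE
10.0.0.50 dev eth0 lladdr 01:00:5e:00:01:01 STALE
224.0.0.5 dev eth0 lladdr 01:00:5e:00:00:05 NOARP
10.0.0.7 dev eth0 FAILED
10.0.0.9 dev eth0 lladdr ff:ff:ff:ff:ff:ff PERMANENT
"""

# One `ip neigh` line: "<ip> dev <ifname> [lladdr <mac>] <state>"
_LINE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-fA-F:]{17}))? (?P<state>\S+)$"
)


def mac_is_group(mac: str) -> bool:
    """True when the Ethernet I/G bit (least-significant bit of the first octet) is set,
    i.e. the address is a multicast or broadcast (group) MAC rather than an individual one."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x01)


def ipv4_multicast_mac(ip: str) -> str:
    """Conventional IPv4 group-to-MAC mapping (RFC 1112): 01:00:5e followed by the
    low 23 bits of the multicast IP address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def parse_neigh(text: str):
    """Parse `ip neigh` output into dicts with keys ip, dev, mac (None if unresolved), state."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit_neigh(text: str):
    """Return (ip, mac, reason) findings:
    - a unicast IP resolved to a group (multicast/broadcast) MAC, which is what a
      multicast-MAC firewall cluster looks like to its neighbours and what a switch
      cannot learn through normal ARP; and
    - an IPv4 multicast IP whose MAC does not follow the conventional mapping."""
    findings = []
    for e in parse_neigh(text):
        if e["mac"] is None:
            continue  # incomplete / failed entry, nothing to check
        mac = e["mac"].lower()
        addr = ipaddress.ip_address(e["ip"])
        if addr.version == 4 and addr.is_multicast:
            expected = ipv4_multicast_mac(e["ip"])
            if mac != expected:
                findings.append((e["ip"], mac, f"multicast IP with unexpected MAC, expected {expected}"))
        elif not addr.is_multicast and mac_is_group(mac):
            kind = "broadcast" if mac == "ff:ff:ff:ff:ff:ff" else "multicast"
            findings.append((e["ip"], mac, f"unicast IP mapped to {kind} MAC"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in audit_neigh(SAMPLE_NEIGH):
        print(f"{ip:<16} {mac}  {reason}")
```

Run against real output with `ip -4 neigh show > neigh.txt` and `audit_neigh(open("neigh.txt").read())`. A hit for a unicast IP is not by itself a fault: it is exactly the footprint a multicast-MAC cluster leaves, and the list of such entries is the list of addresses for which the static MAC entries the thread describes must exist on every switch port and trunk in the path; a hit on an address you do not recognise as a cluster IP is the case worth investigating.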



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================