Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
545
Views
0
Helpful
9
Replies

Througput towards 5555x from 68k for Firewall contexts

Go to solution
Nick Cutting
Level 1
Level 1

‎02-03-2015 03:12 AM - edited ‎03-07-2019 10:29 PM

If you were connecting a 5555x to a 6500, would you use a single port channel with 8 uplinks, or two 4 port etherchannels, with one representing the "out" and one representing the "in"

 

I intend to use ten or more contexts, and in the past have done this with a FWSM, which had a 6 gig etherchannel on the chassis backplane.  I imagine that using one etherchannel would be similar to the FWSM approach.

 

Would there be any benefits in using 2 ether channels with a concept of in and out? If so why.  Any design insight at the physical layer would be appreciated.

 

 

Or further to this - would you use 6 ports and keep 1 or 2 ports dedicated for the failover and state interfaces, rather than run these interfaces as sub-interfaces that traverse the switching infrastructure. - Update - have to use 6 links, not 8:

 

If you use an EtherChannel interface for a failover or state link, then to prevent out-of-order packets, only one interface in the EtherChannel is used. If that interface fails, then the next interface in the EtherChannel is used. You cannot alter the EtherChannel configuration while it is in use as a failover link. To alter the configuration, you need to either shut down the EtherChannel while you make changes, or temporarily disable failover; either action prevents failover from occurring for the duration.

Although you can configure failover and failover state links on a port channel link, this port channel cannot be shared with other firewall traffic.

 

I have attached a small diagram to explain the physical / logical differences. (6 interfaces total - as this would be dedicated failover link scenario)

Labels:
Preview file
67 KB
Preview file
40 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎02-03-2015 04:40 AM

Hi Nick

The Cisco recommendation was always to use an even number of ports in the etherchannel because this worked better with their load balancing algorithm but I'm not sure how relevant this is nowadays.

So leaving that aside personally I would use just one etherchannel between the firewall and the switch.

The issues with using two that I see are firstly unless your traffic patterns are 50/50 in terms of traffic going to and coming from the firewall you are not going to utilise the links evenly. For example an FTP request is small but the resulting download could be very large and a fair number of applications work like this.

Which would mean one etherchannel could be very heavily utilised, if not oversubscribed, while the other one could be just ticking along.

Secondly if you use two etherchannels a single port failure could have a much more pronounced effect on throughput especially if the etherchannel is the one being utilised more because of traffic direction.

You don't gain any extra redundancy from having two separate etherchannels so I personally can't see any advantages to it but that doesn't mean there aren't any so happy to discuss if you feel there are.

Obviously whichever you use spread the ports across modules for maximum redundancy.

I should say though that I have never done this where I needed that much throughput to a firewall other than using an FWSM which as you say does not have these concerns.

Edit - I assumed when you referred to in and out you were referring to traffic direction and it was not related to contexts. if I have misunderstood please clarify.

Jon

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎02-03-2015 04:40 AM

Hi Nick

The Cisco recommendation was always to use an even number of ports in the etherchannel because this worked better with their load balancing algorithm but I'm not sure how relevant this is nowadays.

So leaving that aside personally I would use just one etherchannel between the firewall and the switch.

The issues with using two that I see are firstly unless your traffic patterns are 50/50 in terms of traffic going to and coming from the firewall you are not going to utilise the links evenly. For example an FTP request is small but the resulting download could be very large and a fair number of applications work like this.

Which would mean one etherchannel could be very heavily utilised, if not oversubscribed, while the other one could be just ticking along.

Secondly if you use two etherchannels a single port failure could have a much more pronounced effect on throughput especially if the etherchannel is the one being utilised more because of traffic direction.

You don't gain any extra redundancy from having two separate etherchannels so I personally can't see any advantages to it but that doesn't mean there aren't any so happy to discuss if you feel there are.

Obviously whichever you use spread the ports across modules for maximum redundancy.

I should say though that I have never done this where I needed that much throughput to a firewall other than using an FWSM which as you say does not have these concerns.

Edit - I assumed when you referred to in and out you were referring to traffic direction and it was not related to contexts. if I have misunderstood please clarify.

Jon

0 Helpful

Go to solution
Nick Cutting
Level 1
Level 1
In response to Jon Marshall

‎02-03-2015 05:06 AM

Thank you Jon, as always an excellent answer.

 

You are correct in assuming traffic direction.  Such a shame that I cannot use the full 8 ports, since Cisco stopped allowing the use of the mgt port for failover/state.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Nick Cutting

‎02-03-2015 05:52 AM

Nick

Just as a quick follow up to this.

I understand your asa-layer2.jpg fine but your 6800patching.jpg seems to be suggesting you were proposing an etherchannel per context unless I'm misreading it.

I know you said my assumption was correct but didn't want to mislead you.

Edit - are the 6800s using VSS and are you running your firewalls in active/active mode ?

Jon

0 Helpful

Go to solution
Nick Cutting
Level 1
Level 1
In response to Jon Marshall

‎02-03-2015 07:00 AM

They (the 6800's) are sitting on my desk, they actually arrived about 20 minutes ago.  

 

I am yet to decide on VSS v.s HSRP (i.e no VSS - the way I used to do on 65k's) - as I keep reading various subjects on why VSS is bad in a SP environment.  I like the idea of VSS, because of STP, and the fact it makes routing so much easier.  no layer 2 crossconnects.  However I keep reading scary things on the cisco NSP lists about VSS.  

 

Also, In the future I may run MPLS, so when adding that complexity I lean towards VSS. I would love to hear your thoughts on this.

 

The firewalls will be running in active / standby.

In regards to the diagram - There would not be an etherchannel per context, in the diagram I mean Po2.xx would always represent the logical path back to the core, and that Po1.xx would be "inside" vlans behind the contexts.  

 

This would be the same among multiple contexts, however I am now going to go with one etherchannel with 6 ports, so Po1.x on all interfaces, with no concept of inside or outside, except logically.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Nick Cutting

‎02-03-2015 07:17 AM

Nick

Can't really comment too much on VSS in an SP environment although I know Joseph may want to add some thoughts about VSS in general.

It definitely appeals because as you say of the STP issue with using two separate switches.

What sort of things have you been hearing about ?

In terms of the firewalls is there a specific reason not to run them active/active ie. each firewall is active for a number of contexts and standby for others.

Again this would give you more throughput as otherwise you are putting all traffic through the single firewall and down the same etherchannel but you may have very good reasons not to use it.

Just curious really.

Edit - sorry I seem to be in edit mode today :-).  Using active/standby or active/active again really comes down to throughput. I have to admit I only ran the FWSMs in active/standby even though we had multiple contexts but then we never had throughput issues.

Jon

0 Helpful

Go to solution
Nick Cutting
Level 1
Level 1
In response to Jon Marshall

‎02-03-2015 08:19 AM

Thank you for reminding me about active-active.

 

A few years back I ran Active/Standby on production gear, and Active/Active in pre-production.  I think there was 30 or so contexts - and it worked fine.  

 

As I do need the throughput because the backup software is on a "shared services" context, that will need to talk to multiple contexts, I think I will run active / active.  Very much in the design phase at the moment.

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Jon Marshall

‎02-03-2015 06:14 AM

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

"The Cisco recommendation was always to use an even number of ports in the etherchannel because this worked better with their load balancing algorithm but I'm not sure how relevant this is nowadays."

I believe it works best when it's a power of 2 number of links, even with latest.  Although something like a sup2T, with its larger hash space, hashes more evenly across whatever number of links you use.

0 Helpful

Go to solution
Nick Cutting
Level 1
Level 1
In response to Joseph W. Doherty

‎02-03-2015 07:05 AM

Yes, it is a sup 2t.  However using 8 links (2 to the power of 3) is not an option without buying an extra module with extra ports, and they are super expensive ! Because of the requirements for the failover link.

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Nick Cutting

‎02-03-2015 08:29 AM

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Well, again, the sup2t uses a larger hash space, so load balancing across its links, is better than on a sup720.

Yup, 8 links, if fiber, gets to be expensive.  When you get to the point of needing 8, you're might be better served by using the next jump in bandwidth technology.  For example, rather than 8 gig links, use one 10g link.  The savings in transceiver cost goes far to reduce the overall cost.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card