Multiport link aggregation, or link bonding, allows you to aggregate multiple physical network links into a single logical link.You can use link aggregation to achieve multi-gigabit capacity to services and servers.
Use multiport link aggregation to:
- Load balance multiple NICs;
- Combine multiple network connections;
- Incorporate redundancy in case one of the links fails;
- Increase bandwidth beyond what is available through one port.
Link Aggregation Requirements
- Physical links must be at least 1 Gbps operating in full duplex mode.
- If you intend to use Dynamic Link Aggregation Control Protocol (IEEE 802.3ad), the corresponding switch must support it.
- The configured speed of all ports of a bonded interface should be same or set to Automatic. You can configure this setting for each port by editing the port on the NETWORKS > Ports page.
Configuring Link Aggregation
To create a link bond, go to the NETWORKS > Ports page. Enter a bond name, assign the bond mode, and then select the ports. It is recommended that you select an even number of ports to bond.
Three bond modes are supported:
The round robin mode transmits packets in sequential order from the first available network port through the last. This mode provides load balancing and fault tolerance.
Outgoing traffic is spread across all ports in the bond. While round-robin distribution is the only mode that allows a single TCP/IP stream to use more than one network port worth of throughput, this mode also introduces the potential for out-of-order packets and re-transmitted segments.
Example: Consider a bond configured with 4 ports [WAN1, WAN2, WAN3 and WAN4], and mode as Round Robin. In this case all packets for outgoing traffic during a connection will be routed through all the ports configured in the bond. If there are four TCP segments to be sent via the example bond, then each port will carry one segment.
Only one port in the bond is active; a different port becomes active if, and only if, the active port fails. This mode provides fault tolerance only. All the packets are routed through the active port.
Example: Consider a bond configured with 2 ports [WAN1 and WAN2], and mode as Active-Backup. All outgoing traffic will be routed through the active port WAN1 on the bond. The backup port WAN2 becomes active if, and only if, the active port fails.
Dynamic Link Aggregation Control Protocol (LACP) / IEEE 802.3ad Dynamic Link Aggregation
This mode creates aggregation groups that share the same speed and duplex settings, and utilizes all ports in the group according to the IEEE 802.3ad specification. This does not increase the bandwidth for a single conversation; it achieves high utilization only when carrying multiple simultaneous conversations.
Verify that IEEE 802.3ad/LACP is enabled on the switch.
Using a Bonded Interface
Once you create a bonded interface, it appears in the user interface and can be used in the same way as any physical interface. For example, you will find it in the Interfaces list when you add a service on the BASIC > Services page.
Example - Creating Two Bonded Links
To create two bonded links, one for the service, one for the servers:
- On the NETWORKS > Ports page:
- Create WANbond0 with WAN1, WAN2 and WAN3 interfaces.
- Create LANbond1 with LAN1, LAN2 and LAN3 interfaces.
- If Dynamic Link Aggregation is selected as the mode, verify that IEEE 802.3ad is enabled on the switches.
- On the NETWORKS > Interfaces page:
- Add a custom virtual interface that associates the network address of the services subnet with WANbond0.
- Add a custom virtual interface that associates the network address of the real server subnet with LANbond1.
- Create a service on the WANbond0 interface on the BASIC > Services page.
If you are clustering two Barracuda Web Application Firewall systems, make sure that each system has similar cabling. If failover occurs, the link bonds are created on the newly-active system using the corresponding ports. For example, if port WAN2 and port WAN3 form a bond on the active system, on failover, the newly-active system will attempt to use these same ports for the bond.
Network Interface Configuration
Network Interface Card (NIC) is a hardware unit designed to allow computers to communicate over a computer network. This NIC card, when installed on the Barracuda Web Application Firewall, negotiates communication with a switch/router with the right combination of duplexity and speed so they can communicate with one another in both directions.
There are two ways to set the NIC configurations, either manual or automatic. In manual mode, if the speed and duplexity of the card mismatches that of the switch/router, then the negotiations may fail. If Auto-Negotiation Status is set to On the NIC card will automatically match its settings to that of the switch/router to start communication. This is the recommended setting. Click Edit in the Action column, next to the desired interface, to set Auto-Negotiation Status to On.
NIC is configured with predefined values by default for all the three interface ports LAN, WAN and MGMT. To edit the NIC configuration, in the Network Interface section, click Edit next to the interface name. The Edit NIC Advanced Configuration window appears, modify the settings if required and click Save.
Creating bonds using WAN Port
From the release 9.2 onwards, the Barracuda Web Application Firewall supports configuring bonds using WAN ports. This mode of configuration allows you to create and delete bonds with WAN on standalone units only. For clustered units, it is possible to edit bonds that are in cluster. Refer to the Using a Bonded Interface section to know more about how to create bonded links.
- If you are configuring “High Availabity” when WAN is part of the bond, ensure that you select the MGMT checkbox for Transmit Heartbeat On parameter on the primary unit.
- When the WAF units are in cluster and are configured with a bond, it is always recommended that you disjoin the units when you want to create a bond with WAN.
- If the box is accessed using the system IP, and if WAN is added in the bond, the connectivity is lost until the Interface IP gets assigned to the Bond interface (from WAN interface). Therefore, It is recommended to have access to the box through MGMT to retain the connectivity.
- If you want to add WAN interface to a bond then ensure that it is done as a first config. This config is applicable for those WAFs which have more than 3 interfaces.
- When WAN port is added to the bond, all the system configs (system_ip, sys-vlan, system-gateway) are moved from WAN to the Bond Interface. The same is retained back when the bond is deleted to WAN interface.