jekautz

asked on

SonicWALL Load Balance Throughput Question

I have a SonicWALL TZ270 running EnhancedOS 5.9.

I have two ISP connections:
1) Dedicated Charter business fiber: 10 Mbps down / 10 Mbps up. (main line)
2) Charter Coax Cable Modem: 100 Mbps down / 5 Mbps Up. (failover line)

Right now, I am running in Basic Active/Passive Failover mode with no problems.  I want to change to either Spillover-Based or Percentage-Based, but I am not sure how the SonicWALL determines throughput.

Here's an excerpt from the SonicWALL 5.0 Admin Guide:
- Spillover-Based: When this setting is selected, the user can specify when the SonicWALL security appliance starts sending traffic through the Secondary WAN interface. This method allows you to control when and if the Secondary interface is used. This method is used if you do not want outbound traffic sent across the Secondary WAN unless the Primary WAN is overloaded.
  Specify the maximum allowed bandwidth on the primary WAN interface in the "Send traffic to Secondary WAN interface when bandwidth exceeds _ Kbps" field. The SonicWALL security appliance has a non-Management Interface exposed hold timer set to 20 seconds – if the sustained outbound traffic across the Primary WAN interface exceeds the administrator defined bps, then the SonicWALL security appliance spills outbound traffic to the Secondary WAN interface (on a per-destination basis). Please note this feature will be overridden by specific static route entries.

- Percentage-Based: When this setting is selected, you can specify the percentages of traffic sent through the Primary WAN and Secondary WAN interfaces. This method allows you to actively utilize both Primary and Secondary WAN interfaces. Only one entry box is required (percentage for Primary WAN). The management interface automatically populates the non-user-editable entry box with the remaining percentage assigned to the Secondary WAN interface. Please note this feature will be overridden by specific static route entries.
  • Use Source and Destination IP Address Binding: When you are using percentage-based load balancing, this checkbox enables you to maintain a consistent mapping of traffic flows with a single outbound WAN interface, regardless of the percentage of traffic through that interface. Therefore, the outbound IP address of the connection remains consistent. However, the percentage of traffic in each WAN interface may not match the percentage you specify in the Primary WAN Percentage field.
    This method uses only the source IP address and the destination IP address to determine when to bind a connection to a single interface and ignores all other information, such as source and destination TCP port numbers.

Do these methods monitor the Kbps of the download traffic or the upload traffic, or the sum of both?

I understand that the SonicWALL can only direct outbound traffic to the second interface, but it does seem to have knowledge of the inbound traffic load.  Also, with the percentage-based method, how could it know the percentage of my two ISP connections when there are no fields to indicate what speeds I have available for each line?  This makes me think that it uses the ratio fields to determine percentage.

Knowing that I have two ISP lines that are radically different in connection type and speeds, and that our fiber line is our preferred line, which Load Balance method do you recommend to get the most out of our two lines?
Blue Street Tech

Hi jekautz,

It's more of a strategic question to determine in the event how do you want things to play out.

If you want to actually utilize the Cable connection, I'd use Round Robin. In a lesser, more demoted way, you can use Spillover. Ratios work well too, especially when there is disparity in speed between the two circuits. Otherwise, Active/Passive is great for two connections.
The admin guide says it all but to put it in different words:

1. Basic Active/Passive Failover

The WAN interfaces use "rank" to determine the order of preemption when the Preempt and failback to preferred interfaces when possible checkbox has been enabled. Only a higher-ranked interface can preempt an Active WAN interface.

Final Back-Up - The Final Back-Up interface is used IF and ONLY IF there are no other interfaces Available in the group. It is for FAILOVER only and always gets preempted by other members. Only one interface can be selected as a last-resort interface, but it is not required for any LB Group to have a Final Back-Up. The rule of preemption (enable/disable) does not apply to a Final Back-Up interface; preemption enable/disable only applies to Primary and Alternates. A Final Back-Up interface is never used for LB, so it does not take a percentage in Ratio, never gets selected in RR, and never gets Spillover traffic.

2. Round Robin

This option now allows the user to re-order the WAN interfaces for Round Robin selection. The order is as follows: Primary WAN, Alternate WAN #1, Alternate WAN #2, and Alternate WAN #3; the Round Robin will then repeat back to the Primary WAN and continue the order. So in your case traffic flow will flip back and forth between Fiber and Cable. Literally, if you refresh a web page the first time will be on the Fiber and on the next refresh will be on the Cable side.

3. Spillover

You specify the bandwidth threshold that applies to the Fiber. Once the threshold is exceeded, say 9 Mbps, new traffic flows are allocated to the Cable in a Round Robin manner. Once the Fiber bandwidth goes below the configured threshold, Round Robin stops, and outbound new flows will again be sent out only through the Fiber.

NOTE: Existing flows will remain associated with the Alternates (since they are already cached) until they time out normally.

4. Ratio

There are now four fields so that percentages can be set for each WAN in the LB group. To avoid problems associated with configuration errors, please ensure that the percentage correctly corresponds to the WAN interface it indicates.

To set the individual percentages of the member interfaces, an input box beside the member list is provided for the percentage value. The total of the percentage settings should be 100.

Use Source and Destination IP Address Binding: When you are using percentage-based load balancing, this checkbox enables you to maintain a consistent mapping of traffic flows with a single outbound WAN interface, regardless of the percentage of traffic through that interface.

NOTE: When one of the WAN interfaces goes down, the new connections will flow through the available WAN interfaces.

What happens then when a WAN interface goes down or is not responsive?

In the first 3 options listed (Basic Fail-over, Round Robin, Spill-over), the behavior is quite predictable: if a link is not responsive or an interface physically goes down, the traffic will fail over to the other WAN interfaces. If that link then comes back, it will fail back (take over traffic to the WAN again) as planned by you.

When you configure the Ratio Load Balancing method, the firewall needs to assure availability by keeping consistency with the ratio configured per interface. The behavior of the firewall during failures of participating WAN interfaces is not obvious, and is explained below.

What happens then when a WAN link is down and its interface belongs to an LB Group configured in Ratio?

The firewall will load balance the traffic by keeping the ratio constant between the links/interfaces that are up and available. For example, if Ratio LB between 3 WAN interfaces is configured with the following LB ratios:
X1 (50%)
X2 (40%)
X3 (10%)
If the X1 link becomes unavailable, the firewall will load all traffic between the remaining responsive interfaces (i.e. X2 and X3), keeping the ratio constant between them:
X1 (down)
X2 (80%)
X3 (20%)
Notice that the ratio between X2 and X3 (4:1) is kept constant during the time X1 link is not available. The original Ratio Load Balancing for X2 and X3 was first configured as 40% and 10%, and thus the new calculation, after X1 is down, is proportional to that.

What happens then if a WAN link/interface comes back and is operational after being down for a while, in an LB Group configured in Ratio?

In this case, the traffic will be load balanced according to the ratio configured by you, balancing the traffic between all the interfaces configured in the ratio.
In my example, if X1 link comes back operational and the LB Group is configured in the aforementioned ratio, the firewall will load balance again based on the ratio:
X1 (50%)
X2 (40%)
X3 (10%)
To prevent immediately overloading X2 too much, the firewall will keep consistency by loading the traffic on X1 according to an additional calculation - "current ratio" - which is based on a short-term sample which is NOT configurable by you. The "current ratio" will work and act like a valve to control the "average" ratio (i.e. the one planned and configured by you) during the few seconds after an interface comes up and until the "average" ratio equalizes to the Load Balancing ratio configured by the customer (e.g. 50%, 40%, 10%).

You can prevent having an interface (e.g. X2) loaded too much (e.g. 80%) by cautiously planning the Ratio. For example, planning
X1 (40%)
X2 (40%)
X3 (20%)
in case of failure of the X2 link, the ratio in disaster recovery will be:
X1 (66.7%)
X2 (down)
X3 (33.3%)
In this case you would have achieved:
exploiting X2 as long as the X2 link is up;
limiting the traffic through X3;
a more fair usage of the remaining resources (X1 and X3 links) in case a fast speed link is not available anymore.
Of course, the proper ratio to be configured for a certain configuration is a matter of opinion, and it is your duty to foresee and plan how to better use the links available.

Let me know if you have any other questions!
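
An added example, not part of the original posts and not SonicWALL code: a small Python model of the Ratio behaviour described in the answer above, rescaling the configured percentages when a link is down and binding each source/destination IP pair to one interface. The hash-based binding, the function names and the sample flows are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

def effective_ratio(configured, up):
    """Rescale the configured percentages over the interfaces that are up."""
    live = {i: p for i, p in configured.items() if i in up}
    total = sum(live.values())
    if total == 0:
        raise ValueError("no available interface with a non-zero share")
    return {i: round(100 * p / total, 1) for i, p in live.items()}

def pick_interface(src, dst, ratio):
    """Bind a source/destination IP pair to one interface; ports are ignored.
    Assumption: a hash of the pair stands in for the appliance's own method."""
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    point = int.from_bytes(digest[:8], "big") / 2**64 * 100  # point in [0, 100]
    edge = 0.0
    for iface, pct in ratio.items():
        edge += pct
        if point < edge:
            return iface
    return iface  # guard: rounding can leave a sliver just below 100

def observed_split(flows, ratio):
    """Percentage of bytes per interface for flows = [(src, dst, nbytes), ...]."""
    sent = defaultdict(int)
    for src, dst, nbytes in flows:
        sent[pick_interface(src, dst, ratio)] += nbytes
    total = sum(sent.values())
    return {i: round(100 * n / total, 1) for i, n in sent.items()}

if __name__ == "__main__":
    configured = {"X1": 50, "X2": 40, "X3": 10}  # ratios from the answer
    degraded = effective_ratio(configured, up={"X2", "X3"})
    print("X1 down:", degraded)
    # Constructed flows (documentation addresses): nine small, one bulk transfer.
    flows = [(f"192.0.2.{n}", "198.51.100.7", 1_000) for n in range(1, 10)]
    flows.append(("192.0.2.50", "203.0.113.9", 1_000_000))
    print("byte split:", observed_split(flows, degraded))
```

Because whole address pairs are pinned to one interface, the single bulk flow dominates the byte split no matter which interface it lands on, which is why the measured percentages can differ from the configured ones.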
jekautz

ASKER

Thank you for that very detailed explanation into Failover & LB.  It gave me some new insights into the way these mechanisms work.  Like how Spillover uses Round Robin for overflow.  I also hadn't considered how Ratio would work in an interface-down scenario.  However, my original questions were specific to how the SonicWALL measures throughput and percentages.

Let's talk about Spillover in this example:
My primary WAN is 10 Mbps down and 10 Mbps up.  Let's say that my download traffic is 90% of my total traffic.  So if I wanted Spillover to occur when my download traffic hits 70%, I assume I would set the Kbps field to 7,000.  That is also assuming that download traffic triggers Spillover.  What if the SonicWALL measured throughput by the sum of upload & download?  Then 7,000 might be too high of a number.

The Ratio method:
How is percentage measured? Since the SonicWALL doesn't know how much bandwidth my ISP is willing to give to me, it must measure something else.  Does it split traffic percentages by the number of connections, or the measured throughput?  If Ratio measures percentages based on connection, then if I split my two connections 80/20, does that mean it Round Robins 8:1 connections?  If Ratio measures percentages based on throughput and I split my connections 50/50, then my primary line would likely be full-up while my second line (with 100 Mbps download) would likely be idling.
ASKER CERTIFIED SOLUTION
Blue Street Tech

This solution is only available to members.
jekautz

ASKER

You explained this very well and more.  Thank you!

Answer to your side note:
Simply put, it is the result of the consultant (me) not being consulted prior to purchase. We work with what we have.
You're welcome and it was my pleasure!

I'm glad I could help! Thanks for the points.