using aggr interface instead of trunk

using aggr interface instead of trunk

mabi
Hello,

I am currently running OpenBSD 6.5 as firewall with two ix interfaces inside a trunk interface with LACP protocol. On top of that I have a few vlan interfaces so it's basically (ix -> trunk -> vlan).

Now I saw that OpenBSD has a new interface specifically for LACP which is called aggr. As I will soon be upgrading to OpenBSD 6.6 I was wondering if it is the right time to switch from trunk to the new aggr interface?

From what I understand the new aggr interface has mainly 2 advantages: it is multi-processor safe and it should be faster than the tun interface. Is this correct?

And last point because aggr is pretty new, is it already safe to use it for a production firewall?

Best regards,
Mabi



Re: using aggr interface instead of trunk

Iain R. Learmonth-2
Hi,

On 13/05/2020 13:10, mabi wrote:

> I am currently running OpenBSD 6.5 as firewall with two ix interfaces inside a trunk interface with LACP protocol. On top of that I have a few vlan interfaces so it's basically (ix -> trunk -> vlan).
>
> Now I saw that OpenBSD has a new interface specifically for LACP which is called aggr. As I will soon be upgrading to OpenBSD 6.6 I was wondering if it is the right time to switch from trunk to the new aggr interface?

More details are at: https://marc.info/?l=openbsd-cvs&m=156229058006706&w=2

> From what I understand the new aggr interface has mainly 2 advantages: it is multi-processor safe and it should be faster than the tun interface. Is this correct?

Assuming you mean trunk, not tun, yes.

> And last point because aggr is pretty new, is it already safe to use it for a production firewall?

I don't see mention of any aggr fixes in the 6.7 changelog, so I guess it didn't have any disasters in it. Others are using it on production systems.

Thanks,
Iain.

--
https://hambsd.org/

Re: using aggr interface instead of trunk

mabi
Hi Iain,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, May 13, 2020 7:55 PM, Iain R. Learmonth <[hidden email]> wrote:

> More details are at: https://marc.info/?l=openbsd-cvs&m=156229058006706&w=2

I actually already read that one after seeing the announcement on undeadly.org iirc ;)

> Assuming you mean trunk, not tun, yes.

Right, thanks for spotting that, I meant trunk of course.

> I don't see mention of any aggr fixes in the 6.7 changelog, so I guess it didn't have any disasters in it. Others are using it on production systems.

Nice to hear that, I will give it a shot as soon as I upgrade my HA CARP cluster of two OpenBSD firewalls to 6.6. I might first try using it on one of the two firewalls so that I can easily switch to the other firewall in case of any issue.

Re: using aggr interface instead of trunk

David Gwynne-5


> On 14 May 2020, at 4:22 pm, mabi <[hidden email]> wrote:
>
> Hi Iain,
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, May 13, 2020 7:55 PM, Iain R. Learmonth <[hidden email]> wrote:
>
>> More details are at: https://marc.info/?l=openbsd-cvs&m=156229058006706&w=2
>
> I actually already read that one after seeing the announcement on undeadly.org iirc ;)
>
>> Assuming you mean trunk, not tun, yes.
>
> Right, thanks for spotting that, I meant trunk of course.
>
>> I don't see mention of any aggr fixes in the 6.7 changelog, so I guess it didn't have any disasters in it. Others are using it on production systems.
>
> Nice to hear that, I will give it a shot as soon as I upgrade my HA CARP cluster of two OpenBSD firewalls to 6.6. I might first try using it on one of the two firewalls so that I can easily switch to the other firewall in case of any issue.

I would wait for 6.7 before using aggr(4) in production. Considering 6.7 is out now, there's no reason not to use it instead of 6.6.

dlg