Netgate SG-2100 and VLAN ports questions
-
Hi, I have configured a pair of SG-2100 in HA.
I've used hardware switch configuration to obtain:
- a management port, without external VLAN tag
- two other ports in load balance (hardware LAGG), carrying all remaining VLANs
All of them go to a core Cisco switch with STP. It works fine, except that...
Two questions:
- After rebooting each appliance for upgrading, the management interface was shut down by the switch with reason "bpduguard": a network loop; I had to connect to the core switch to restart them. I guess it's because, during boot, all switch ports have no filtering, causing the loop; only after pfSense starts are the ports separated as per configuration. I configured the core switch to automatically re-enable failed ports, but it takes several minutes to do that each time. Is there a way to disable the switch at start to avoid these issues?
- I've tried to configure each VLAN virtual interface to follow physical port status so that HA works at best; however, I've noticed there's no way to link several virtual interfaces to the same physical port. Even more: with hardware LAGG, if one interface is disconnected, some network connections become impossible, while others are unaffected; this could cause any kind of network malfunction. I'd like that if ANY of the LAGG physical interfaces is disconnected, ALL of the VLAN interfaces are considered down, so that HA can kick in. Is there any way to do that?
Thanks.
-
I recap the questions:
- Any way to disable switching at boot, and wait for pfSense to start?
- Any way to link several virtual interfaces' state to the same physical one, or to a couple of them? (maybe via a script?)
-
Neither of those is easy to solve.
The switch command is not enabled in the 2100 uboot version; it would require a uboot update, which is significant development work. Even if it were included, the switch ports are still enabled for a very brief time between power up and uboot loading. bpduguard may still trigger in that time.
The switch ports only support load-balance LAGG and that requires both (or more) links to be UP at all times. There is no way to have the interfaces reference the LAGG status though. Or, as you found, have more than one interface reference the same port.
There is little point using a LAGG in that situation since it gives you neither redundancy nor increased bandwidth. In fact it just increases the chances of failure since either link failing would break it.
You can bypass the GUI input error checking by editing the config directly to have all the VLANs referencing the same switch port. Though doing so will prevent you making changes to the interfaces in the GUI.
However that will not help with HA failover. The ifconfig output still shows the interfaces as UP since they are VLANs on the internal NIC. The node will never mark itself as down if the switch ports lose link. It will still failover if the node crashes completely though.
Steve
-
@stephenw10 Thanks for your thorough answer.
In fact the VLAN interface<>LAGG relation is many-to-many: several VLAN interfaces should be linked with both LAGG ports in "AND" fashion. I was thinking of handling this with a small script.
-
You may well be able to script something. Or modify one of the existing scripts. It would be unsupported though. You would have to take care at firmware upgrade to ensure the scripts were replaced etc.
Steve
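The link check and CARP demotion such a script would need, as an added example that is not part of the thread and not pfSense's or Netgate's own code: it parses etherswitchcfg(8) output for the two LAGG member ports and demotes CARP (the same net.inet.carp.demotion delta pfSense's persistent maintenance mode uses) when ANY member loses link. Assumptions: the members are port1 and port2, and etherswitchcfg prints one block per port with a "status: active" / "status: no carrier" line (verify on your unit).

```shell
#!/bin/sh
# Added example, not the thread's or pfSense's code. Assumes LAGG members port1
# and port2 and that etherswitchcfg(8) prints a "status:" line per port block.
# net.inet.carp.demotion is a delta; 240 is what pfSense's persistent CARP
# maintenance mode applies, so the other HA node takes over while we are demoted.
LAGG_PORTS="port1 port2"
DEMOTE_STEP=240
STATE_FILE=/var/run/lagg_watch.demoted

# port_state PORT OUTPUT -> up, down or unknown, parsing pre-captured etherswitchcfg output.
port_state() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^port[0-9]+:/ { cur = $1; sub(":", "", cur) }
        cur == want && /status:/ {
            s = $0; sub(/.*status:[ \t]*/, "", s)
            if (s ~ /^active/) print "up"; else print "down"
            found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# lagg_state OUTPUT -> "up" only if every member is active ("AND" of the ports).
lagg_state() {
    for p in $LAGG_PORTS; do
        [ "$(port_state "$p" "$1")" = up ] || { echo down; return 0; }
    done
    echo up
}

# Poll loop: demote once when a member drops, undo once when all are back.
watch_loop() {
    while :; do
        if [ "$(lagg_state "$(etherswitchcfg 2>/dev/null)")" = down ]; then
            if [ ! -f "$STATE_FILE" ]; then
                sysctl "net.inet.carp.demotion=$DEMOTE_STEP" >/dev/null && touch "$STATE_FILE"
                logger -t lagg_watch "LAGG member lost link; CARP demoted by $DEMOTE_STEP"
            fi
        elif [ -f "$STATE_FILE" ]; then
            sysctl "net.inet.carp.demotion=-$DEMOTE_STEP" >/dev/null && rm -f "$STATE_FILE"
            logger -t lagg_watch "LAGG members back; CARP demotion removed"
        fi
        sleep 5
    done
}
# Constructed sample (port2 has lost link) so the parser can be tried offline.
SAMPLE="port1:
    status: active
port2:
    status: no carrier"
if [ "${1:-}" = "--watch" ]; then watch_loop; else lagg_state "$SAMPLE"; fi
```

Run it with --watch from a shellcmd entry; without arguments it only evaluates the embedded sample and prints "down".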