Netgate Discussion Forum

    STP and network

    General pfSense Questions

    • johnpoz (LAYER 8 Global Moderator)

      What are you trying to accomplish exactly? What switches are you working with? Are you trying to connect the server via a lagg / port channel to load share, or to handle a switch port or server interface failure?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • fireix

        Two SG200-50 switches - they are layer 2 switches.

        Three goals:

        • Keep the network alive even if one of the two switches goes down (power cable, firmware upgrade, broken config)
        • Keep servers alive even if a path to one of the switches (for instance due to a bad physical connection or network card) goes down.
        • As a bonus: using ALB across two Gbit ports in each server, I get 2 Gbit/s instead of 1 and can load balance - especially useful when running backups.

        And yes, I'm using the built-in Teaming under Windows (no switch dependency) and Bonding (ALB) under Linux. Load sharing LAG on each server.

        I want to have only one single point of failure and that is the pfSense (I have a cold standby for that). Currently, if I lose SW1, I will lose the entire network (SW2 is now connected to it) and have to go out and physically replace it or bypass it. I have the same system for power and couldn't live without it: if one PSU, PDU or UPS fails, it is taken care of automatically on the second line with no intervention.

        • johnpoz (LAYER 8 Global Moderator)

          So you have 2 interfaces on your pfSense that you are setting up in a lagg to these switches?  You would use LACP normally in such a setup.
          https://doc.pfsense.org/index.php/LAGG_Interfaces

          As to how you set that lagg/portchannel/etherchannel to your server device, that would be up to the OS and hardware on it.

          But the 200 series are pretty low end switches.  You can not stack them.  You can not create a VPC through them, etc.  So for what you're trying to do, your hardware is lacking..  Off the top of my head the lowest model that supports stacking would be the SG500 line in the Cisco SMB switch market..

          You would then put your 2 switches in a stack and set up an LACP lagg from pfSense to the switch stack with ports going to different switches in the stack.

          You could probably set up STP and then just connect into 2 interfaces on a bridge on pfSense as a sort of way to MacGyver the solution..  But to be honest, if your server is so important that it needs to be up, then you should be using hardware that actually supports doing such stuff in an enterprise..

          Normally switches that would be doing VLANs would be interconnected.. Your first drawing shows no interconnection between the switches. So you wouldn't have the same VLANs on these switches, etc.

          If on your bottom drawing you connected another interface that is in a bridge to your bottom switch, leaving the interconnect between the switches.. you could probably get some sort of STP failover solution going.. since STP running on your switches should shut down any loops they find.. But yeah, that is a real MacGyver solution to be sure.. Not something I would do..

          I would think if you have a 50 port switch go down you have a few more problems than just 1 server not able to get to the internet ;)

          If you're concerned with failover to the point you don't want a single point of failure, then you should have stackable switches with multiple power supplies ;)  And your pfSense should be in a CARP setup, etc.

          • fireix

            "So you have 2 interface your pfsense that you are setting up in lagg to these switches?  You would use LACP normally in such a setup."

            True if I was to connect two links to the same switch, to form a trunk. Here it is a single link to each switch, so LACP/LAG is not an option with this setup. I'm using STP already, in every device.

            The switches have very small amounts of traffic (maybe a top of 200 Mbit when many backups are run), so if I was to upgrade them, it would only be to stack them - and is it worth it then? My issue with stacking or any kind of automatic sync is that I don't completely trust it and that debugging it (who is causing the problem) becomes even more difficult. In this setup, I can kill the power to one switch causing problems and solve a single switch problem - while still having 100% uptime.

            The risk isn't just that the switch goes down, it can also be a bad TP cable or a cable bent too far etc. on one single server connection. I might solve this using LACP to each server, but that is a lot of extra administration.

            BTW: If I had stackable switches, even with multiple power supplies, how would it solve my problem? I would still need a GbE connection to more than one switch to avoid the risk of one going down.

            I have one pfSense in standby, actually, but I wanted to see if I could get the basics up and running. I assume it wouldn't solve anything to have this 2nd pfSense running in CARP and be the source for the 2nd switch? I assume that would only move the problem up one level?

            • johnpoz (LAYER 8 Global Moderator)

              "I would still need a gbe-connection to more than one switch to avoid the risk of one going down."

              That is how you would normally do it.. With 1 port going to 1 switch in a STACK and another port to another switch in the STACK via an LACP lagg.

              Sounds to me like you're causing yourself grief over nothing… I have been in the biz for 30 years.  Have never seen a cable just go bad.. while it's connected.. Not like I have not run into bad cables.. But not like you connect a cable to a port and 2 years later the cable goes bad..

              Ports go out on a switch, sure - just move the cable..  Then again in the enterprise, servers are always connected to a STACK... And yes, I have seen switches in a stack go bad....  But that is why you put them in a stack to begin with ;)  So that if 1 goes bad your network doesn't really even notice..

              • fireix

                @johnpoz:

                "I would still need a gbe-connection to more than one switch to avoid the risk of one going down."

                That is how you would normally do it.. With 1 port going to 1 switch in a STACK and another port to another switch in the STACK via a LACP lagg.

                Ah, so what you are saying is that when you do stacking, you can define an LACP lagg, for instance on two ports (on different switches), against a single server? That sounds like a possible solution for me; it would be more controllable, and I assume the config is present on all switches in the stack in case one goes down. I would have to find a switch that can define many LACP groups; the non-stack switch I have now only supports 5 trunks/LACP. Do most stack switches support unlimited?

                Updated: Or.. do you maybe think it is enough only to have an LACP to these two switches/pfSense? That would be far simpler. Then I would only need two SG500-52 in LACP and can have lower-cost distribution switches down the lane? I assume it is not possible to define an LACP on SG200 like I have now, since you can only define LACP on one switch unstacked.

                Sounds like to me your causing yourself grief over nothing… I have been in the biz for 30 years.  Have never seen a cable just go bad.. While its connected.. Not like I have not run into bad cables.. But not like you connect a cable to a port and 2 years later the cable goes bad..

                True, not the most common case. It has happened to me because I had too much cable bend during install of another server. Or that I by accident remove the cable or disconnect the wrong cable in the switch (if it was connected in two places, the server would still be up).

                Port go out on a switch sure - just move the cable..  Then again in the enterprise, servers are always connected to a STACK… And yes have seen switches in a stack go bad....  But that is why you put them in a stack to begin with ;)  So that if 1 goes bad your network doesn't really even notice..

                Ok, somehow I have missed the concept of stacking. I assumed it wasn't needed at all. When you set up Teaming in Windows, the documentation says that you can team network connections with different speeds and that no switch configuration is needed (there is an option, chosen by default, that is called switch-independent). Would love to have a network that just worked like power cables.. just connect it and it works ;p

                When you are 1000 miles away, there's nothing easy about moving that cable ;) I'm running a small business where I wouldn't be able to afford everything, and I have to go on holiday sometimes.

                • Derelict (LAYER 8 Netgate)

                  So you have igb1, igb2, and igb3 in a bridge? Why igb2 and igb3 on the other link? Why not just one? Does it work with just one?

                  You should be able to get that working with RSTP.

                  I have never tried (R)STP on pfSense because pfSense is not a switch.

                  Two stacked switches with an LACP member to each (and a TEAM NIC to each on the other side) is more along the lines of what you want.

                  You might need to take a good look at what STP is doing - who is the root bridge, what are all of the different ports settling on as far as states, etc.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  • fireix

                    SW1 is listed as root bridge in the "working" setup above (I have checked on SW2), but maybe it changes when the error occurs. I have to really plan for what to look for and do it during the night when not so many customers notice problems.

                    @Derelict:

                    So you have igb1, igb2, and igb3 in a bridge? Why igb2 and igb3 on the other link? Why not just one? Does it work with just one?

                    As soon as there is more than one physical connection, the problems start. So even with only igb1 going to SW1 and igb2 going to SW2, there are problems.

                    The reason for having more than one is to have redundancy.

                    Well, if I add another switch, I will introduce another possible weak link in series. Also, the switch needs to be rack-mountable, have dual power supplies (or be connected to an ATS switch), added cabling… So it adds a lot just for one extra redundant link. Based on a speed test, I didn't notice any delay with regards to throughput or time (ms).

                    But I agree, I think that stacked switches really are my option. But is it possible to only go for stacked LACP against the pfSense (two connections) and then have the first drawing without setting up LACP to each server (we are talking many)? I suspect that could work as well?

                    • Derelict (LAYER 8 Netgate)

                      What? You LACP to pfSense then use whatever "teaming" you want with one link to each switch for the backend. Or LACP, or whatever.

                      The reason for the stack is so you can have LACP member links on two switches.

                      You must have either stacking or Multi-Chassis Trunking to do that. MCT is usually pretty spendy.

                      You don't need to spend a lot of money. Two of these will do all the stacking and LACP you want:

                      https://www.ebay.com/itm/Brocade-ICX6430-24-24-Ports-Managed-Gigabit-Ethernet-Switch-4x-SFP-TAE/371925972476?hash=item569883f5fc:g:VvAAAOSw3ZRY-RtF

                      $180 for the pair. If you find ICX-6450s you will get 2 x 10G uplink/stacking ports instead of 1G and base layer 3. But the 6430s stack using two 1G trunk ports just fine.

                      Good switches are sexy

                      
                      ICX6450-24 Router#sh stack
                      T=1d12h37m15.0: alone: standalone, D: dynamic cfg, S: static
                      ID   Type          Role    Mac Address    Pri State   Comment
                      1  S ICX6450-24    active  cc4e.247f.8cc0 128 local   Ready
                      2  S ICX6450-24    standby cc4e.2406.a160   0 remote  Ready

                          standby      active
                           +---+        +---+
                        2/1| 2 |2/3--2/1| 1 |2/3
                           +---+        +---+
                      Standby u2 - protocols ready, can failover
                      Current stack management MAC is cc4e.247f.8cc0


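A monitoring check written against that output, added here as an example and not part of Derelict's post or any Brocade tool: it parses the member table and the standby line of "show stack" and reports when the stack has lost its failover partner, which is the silent failure a stack is bought to cover. The patterns are written against the one sample quoted above and the degraded sample is constructed, so verify them against your own switch's output.

```python
"""Health check over Brocade/Ruckus ICX 'show stack' output in the shape
Derelict quoted. Added example, not vendor code: the patterns are written
against that one sample, so check them against your own switch's output."""
import re

# Constructed sample in the shape of the output quoted above; the unit MACs
# are the ones shown in the thread.
HEALTHY = """\
T=1d12h37m15.0: alone: standalone, D: dynamic cfg, S: static
ID   Type          Role    Mac Address    Pri State   Comment
1  S ICX6450-24    active  cc4e.247f.8cc0 128 local   Ready
2  S ICX6450-24    standby cc4e.2406.a160   0 remote  Ready

Standby u2 - protocols ready, can failover
Current stack management MAC is cc4e.247f.8cc0
"""

# Constructed degraded sample: unit 2 has dropped out of the stack, so there
# is no standby and the "can failover" line is gone.
DEGRADED = """\
T=2d03h10m00.0: alone: standalone, D: dynamic cfg, S: static
ID   Type          Role    Mac Address    Pri State   Comment
1  S ICX6450-24    active  cc4e.247f.8cc0 128 local   Ready

Current stack management MAC is cc4e.247f.8cc0
"""

MEMBER_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<cfg>[SD])\s+(?P<type>\S+)\s+(?P<role>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(?P<pri>\d+)\s+"
    r"(?P<state>\S+)\s*(?P<comment>.*?)\s*$")
MGMT_RE = re.compile(r"^Current stack management MAC is (\S+)", re.M)
FAILOVER_RE = re.compile(r"^Standby u(\d+) - protocols ready, can failover", re.M)


def parse_stack(text):
    """Extract member rows, the management MAC and the ready-to-failover unit."""
    members = [m.groupdict() for m in map(MEMBER_RE.match, text.splitlines()) if m]
    mgmt = MGMT_RE.search(text)
    failover = FAILOVER_RE.search(text)
    return {
        "members": members,
        "mgmt_mac": mgmt.group(1) if mgmt else None,
        "standby_ready_unit": failover.group(1) if failover else None,
    }


def stack_health(text, expected_members=2):
    """Return a list of findings; an empty list means the stack can fail over."""
    st = parse_stack(text)
    members = st["members"]
    findings = []
    if len(members) != expected_members:
        findings.append(f"expected {expected_members} members, found {len(members)}")
    active = [m for m in members if m["role"] == "active"]
    standby = [m for m in members if m["role"] == "standby"]
    if len(active) != 1:
        findings.append(f"expected exactly one active unit, found {len(active)}")
    if not standby:
        findings.append("no standby unit: losing the active unit takes the stack down")
    elif st["standby_ready_unit"] != standby[0]["id"]:
        findings.append(f"standby unit {standby[0]['id']} is not reported ready to fail over")
    for m in members:
        if m["comment"] != "Ready":
            findings.append(f"unit {m['id']} reports {m['comment']!r}, not Ready")
    if active and st["mgmt_mac"] != active[0]["mac"]:
        findings.append("management MAC does not belong to the active unit")
    return findings
```

Run it against the output of a scheduled "show stack" and alert on any non-empty result; a stack that silently lost its standby is no better than the single switch fireix started with.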
                      • fireix

                        Thank you so much, seems like stacking is the way to go  :)

                        • fireix

                          When checking out the LAG features in pfSense, I see that only a single LAN interface (OVPN3) is available in the LAG screen (under Parent device). Is this because I have these interfaces in bridge mode?

                          I do need the fw to be in transparent mode since I have the same IP/network on WAN/LAN - any way to solve this?

                          • Guest

                            What? You LACP to pfSense then use whatever "teaming" you want with one link to each switch for the backend. Or LACP, or whatever.

                            I am pretty sure he is sitting in a thinking trap of his own mind! He owns switches that are not capable of doing what he wants to realize, a redundant core of network switches. There are some methods to do so, but in all cases the switches must support some things as well. Please have a look at the network graphics to understand why he is talking about using LAGs in that case. There is more than one LAG type to go with.

                            Building a switch core stack will be one thing and going by different redundancy protocols will be another one. Please accept that the Cisco SG200 switches are great, but they are Layer 2 only and do not come with redundancy protocols, nor will they be sufficiently sorted with the different supporting LAG methods needed in the case you wish to realize. Or in shorter words: please get other switches.

                            Well known switch redundancy protocols:
                            Virtual Router Redundancy Protocol - VRRP
                            Virtual Switch Redundancy Protocol - VSRP
                            Hot Standby Router Protocol - HSRP

                            Alternate protocols or workarounds:
                            Policy based Routing - PBR
                            TRILL from Brocade

                            For the implementation of any or all of these protocols, you must perhaps pay license fees, since these protocols are proprietary. And here might also be the sticking point for implementing them in any open source software due to these licenses, or in other words inserting them into the pfSense CE image (Community Edition). If one day there is a paid version of pfSense, this will be no problem, or it will be less complicated to insert such a protocol or more of them.

                            LAGs - static, dynamic and crossed:
                            Actually there are three LAG methods mostly used:

                            • Dynamic LAG using LACP
                            • Static LAG, which must be configured manually and totally identically on both ends
                            • Cross LAGs, used if there are two core switches: let us imagine two switch stacks with 5 switches each, and from each switch in that switch stack one wire or cable is driven to one of the core switches, acting as one LAG. This is what is meant, as shown in the picture "core stacking".

                            Switch stacks:
                            There are also some different versions out on the market to stack up switches so that they act as one unit and are easier to manage with less hassle, also allowing mass configurations, firmware updates and backups over configuration software such as Netgear's MNS300. In the free version this software is able to manage up to 200 switches in one entire network.

                            • Stacking over SFP/RJ45 ports, either with 1 GBit/s or 10 GBit/s: this is called a poor man's stack, and it lets one member fail, after which the second will be the master.

                            • Stacking over stacking bays and with stacking modules is more comprehensive and offers more than the poor man's method: if one switch fails, the second takes over, and the switches above and below also take over half of the data plane throughput. That means if these switches are acting with 80 GBit/s throughput, after failure of one switch the switches above and below are now running with 40 GBit/s of the throughput. Shown in the pictures "stackFailSafe" and "fullduplexstack".

                            • The last one is something between these two methods; it does not support all the options and features of real stacking with bays and modules, but more than the poor man's method, and it can be used over a whole building and across buildings, in a spine-leaf manner. Netgear's M4300 Series offers such switches with full Layer 3 routing such as RIP, OSPF, VRRP, PIM, PBR and without any license upgrade needed!

                            So in your case the Cisco SG500x variant for around ~900 € will be a good bet here.

                            [Attached images: vrrp_hsrp.jpg, core stacking.jpg, stackFailSafe.jpg, fullduplexstack.png, netgear-spine-leaf-architecture.jpg, spine-and-leaf2.png]

                            • fireix

                              Thank you for the info, I'm probably going for stack hardware. The cost isn't that big compared to the ones I have, but the benefits look big.

                              I can get this for probably 30% lower price than Cisco, plus it has 4x10 Gbit SFP+ stacking ports compared to 2x1 Gbit from Cisco: D-Link SmartPro DGS-1510-52X
                              Cisco has a stronger name/brand, but I think their UI is a bit targeted at professionals and doesn't give that much info.

                              But my question remains: how may I use an LACP team on the pfSense when I have transparent mode on (since I can't choose any of the LAN ports)? I will try it later today in a spare pfSense; I have a theory that maybe it works if I remove the bridge, then activate the LACP ports and after that join the ports into the bridge again. Or maybe it wouldn't work.. If anyone knows if this is possible, you would save a lot of time if you could say so now…

                              • fireix

                                Yeah, I was correct it seems :) Had to deactivate all LAN interfaces and then I could create the LACP team (it was created as LAN) and then bridge WAN and LAN.

                                However, I was not able to ping anything on the LAN interface. I have enabled/assigned the LAN interface and it shows up as connected. But nothing comes through. I was able to ping the gw from the console, but nothing on the LAN.

                                I have an any-any on the LAN in fw rules.

                                • johnpoz (LAYER 8 Global Moderator)

                                  "I have a any-any on the LAN in fw rules."

                                  What about your bridge rules - thought you wanted this to be a transparent firewall?

                                  • fireix

                                    @johnpoz:

                                    "I have a any-any on the LAN in fw rules."

                                    What about your bridge rules - thought you wanted this to be a transparent firewall?

                                    Yes, I do. So you are indicating that I'm missing fw rules on the virtual interface (like OPT3) I activated with the bridge and need to create an any rule there as well? I thought I had, but I have to go back to the data center to be sure. Please let me know if that was what you meant or not.

                                    I have had it working as a transparent firewall/bridge for a year or so, that part I know is possible, but maybe there are some details I'm overlooking now…

                                    • johnpoz (LAYER 8 Global Moderator)

                                      Depends on how you set up the bridge..

                                      https://doc.pfsense.org/index.php/Interface_Bridges

                                      Do you have
                                      net.link.bridge.pfil_member and net.link.bridge.pfil_bridge under System > Advanced on the System Tunables tab? With them set at 0 and 1, respectively, filtering would be performed on the bridge only.

                                      • fireix

                                        This was my setting just now (somehow it has changed since last time - I restored the pfSense backup to a new server and maybe lost some config):

                                        net.link.bridge.pfil_bridge Packet filter on the bridge interface 1
                                        net.link.bridge.pfil_member Packet filter on the member interface 1

                                        From the documentation, it looks like I'm supposed to only have one of them set to 1. I changed it to be:

                                        net.link.bridge.pfil_bridge Packet filter on the bridge interface 1
                                        net.link.bridge.pfil_member Packet filter on the member interface 0

                                        This should control the traffic onto the bridge only and not between the local interfaces. But this last step made all traffic bypass the firewall rules I have on the WAN side as well… I could connect to computers over the Internet that I had not opened up for. Is this because the bridge interface is controlling traffic in both directions? How could I control it only one way?

                                        I was under the impression that when I have a bridge, I can control the traffic from the Internet side (WAN) and onto the bridge combined (LAN1, OPT1 etc).

                                        How would I set this up so that I can control the traffic from the WAN side and in from the Internet - I do not need to restrict the traffic out from the local side and out to the Internet. I have all rules on the WAN side today.

                                        • fireix

                                          So what I want..

                                          1. Create a team (LACP) on pfSense (with two physical interfaces, LAN1, OPT1). The new joined local interface will be called LAN and will be connected against two stacked switches with LACP there also. This part is easy to do as far as I can tell and the interface appears as LAN as it should.

                                          2. Create a bridge with WAN and LAN, where I will have rules for incoming traffic from the Internet on the WAN side. My ISP's gw is also on the WAN side. Seems easy as well.

                                          3. Add the bridge to a virtual interface, like OPT3?

                                          4. Maybe using pfil_member=1, pfil_bridge=0 against the LACP team is the correct choice instead of the normal pfil_bridge setting in this case? So that I can control traffic in one direction only.

                                          I have public static IPs on my webservers on the LAN side, that is the only reason why I have the transparent fw setup.

                                          Please let me know the correct settings in this scenario or at least an example that should work.

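An added illustration, not from the thread and not pfSense code, of the point the last few posts circle around: which rule set pf consults for a bridged frame depends on net.link.bridge.pfil_member and net.link.bridge.pfil_bridge, so with pfil_member=0 / pfil_bridge=1 the WAN rules are never looked at and the bypass fireix observed follows, while filtering on the bridge interface sees both directions and cannot be limited to inbound-from-WAN the way member filtering can. The interface name OPT3, the rule sets and all addresses are constructed, and the model covers inbound filtering only.

```python
"""Model of where pf consults rules for a frame crossing a pfSense/FreeBSD
if_bridge, depending on net.link.bridge.pfil_member and pfil_bridge.
Constructed illustration, not pfSense code: inbound filtering only, first
matching rule wins, a consulted interface with no matching rule denies."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

BRIDGE = "OPT3"  # assumed name of the assigned bridge interface in this thread

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"             # CIDR or "any"
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str  # member interface the frame entered on, e.g. "WAN" or "LAN"

def _match_addr(ip, cidr):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def first_match(rules, pkt):
    """pfSense rules are 'quick': the first matching rule decides. No match
    on an interface that filters means the default deny applies."""
    for r in rules:
        if (_match_addr(pkt.src, r.src) and _match_addr(pkt.dst, r.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "block"

def filter_points(pkt, pfil_member, pfil_bridge):
    """Interfaces whose inbound rules are consulted for this frame:
    pfil_member=1 -> the member the frame entered on; pfil_bridge=1 -> the
    bridge interface itself; both 0 -> the frame is bridged unfiltered."""
    points = []
    if pfil_member:
        points.append(pkt.ingress)
    if pfil_bridge:
        points.append(BRIDGE)
    return points

def evaluate(pkt, rulesets, pfil_member, pfil_bridge):
    """Return (verdict, consulted): every consulted interface must pass."""
    consulted = filter_points(pkt, pfil_member, pfil_bridge)
    for iface in consulted:
        if first_match(rulesets.get(iface, []), pkt) != "pass":
            return "block", consulted
    return "pass", consulted

# Constructed rule sets mirroring the thread: restrictive rules on WAN, an
# any-any rule on LAN, and an any-any rule on the assigned bridge interface.
WEBSERVERS = "203.0.113.0/28"  # constructed public subnet behind the bridge
RULESETS = {
    "WAN": [Rule("pass", dst=WEBSERVERS, dport=443)],
    "LAN": [Rule("pass")],
    BRIDGE: [Rule("pass")],
}
SSH_IN = Packet("198.51.100.7", "203.0.113.5", 22, ingress="WAN")
HTTPS_IN = Packet("198.51.100.7", "203.0.113.5", 443, ingress="WAN")
HTTP_OUT = Packet("203.0.113.5", "198.51.100.7", 80, ingress="LAN")

def demo():
    """pfSense default (member filtering) vs. the bridge-only setting fireix
    switched to, with and without moving the WAN rules onto the bridge."""
    out = {}
    # pfil_member=1, pfil_bridge=0 (pfSense default): WAN rules see frames
    # arriving from the Internet, LAN rules frames arriving from the servers,
    # so each direction is controlled separately.
    out["default_ssh"] = evaluate(SSH_IN, RULESETS, 1, 0)[0]
    out["default_https"] = evaluate(HTTPS_IN, RULESETS, 1, 0)[0]
    out["default_lan_out"] = evaluate(HTTP_OUT, RULESETS, 1, 0)[0]
    # pfil_member=0, pfil_bridge=1: only OPT3 rules apply. WAN rules are never
    # consulted, so the any-any on OPT3 passes SSH: the bypass fireix saw.
    out["bridge_only_ssh"] = evaluate(SSH_IN, RULESETS, 0, 1)[0]
    # Moving the WAN rules onto OPT3 closes that hole, but the bridge sees
    # both directions, so the same rules now also block the server's outbound.
    fixed = dict(RULESETS, **{BRIDGE: RULESETS["WAN"]})
    out["bridge_only_fixed_ssh"] = evaluate(SSH_IN, fixed, 0, 1)[0]
    out["bridge_only_fixed_https"] = evaluate(HTTPS_IN, fixed, 0, 1)[0]
    out["bridge_only_fixed_lan_out"] = evaluate(HTTP_OUT, fixed, 0, 1)[0]
    # Both tunables 0: nothing is consulted and the frame is bridged as-is.
    out["unfiltered_points"] = filter_points(SSH_IN, 0, 0)
    return out
```

The model says what the thread converged on: to keep the WAN rules as the single control point for traffic from the Internet and leave the servers' outbound unrestricted, filter on the members (pfil_member=1, pfil_bridge=0) and keep the restrictive rules on WAN; filtering on the bridge only is workable, but then the rules must live on the bridge interface and be written for both directions.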
                                          • Derelict (LAYER 8 Netgate)

                                            The absolute best thing to do is get your upstream to assign a small interface address for your WAN and ROUTE the subnet of addresses to you.

                                            Then you can just put the routed subnet on an inside interface and forget about this transparent bridge stuff.

                                            Have you asked them if they can do that?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.