Interface Assignment - Best Practices for LAN and Management VLAN



  • Hi,

    I'm looking for advice on assigning interfaces, primarily for "LAN" which has the preconfigured anti-lockout rule. I have 6 NICs on my baremetal box, 2 LOM and 4 Intel PCIE NIC. The plan is to have:

    • intel0 - WAN

    • intel1 - LAN-LAGG(lacp) 1/2

    • intel2 - LAN-LAGG(lacp) 2/2

    • intel3 - OPT

    • lom0 - MANAGEMENT VLAN

    Unrelated to pfSense I'll also have:

    • lom1 - IDRAC (for remote management of the bare metal box itself).

When assigning an IP for the initial setup it creates a bunch of anti-lockout and open firewall rules for "LAN". I know I can manually re-create these rules, but for me the 'spirit' of the initial "LAN" setup points in the direction of the management VLAN. Are there any drawbacks to having the "LAN" actually be my management VLAN, and configuring my actual LAN (not to be confused with "LAN") afterwards?


  • Rebel Alliance Global Moderator

    No, other than you confusing yourself what is what ;)

So how fast is your wan that you think you need lagg setup?  Or are you just doing that for failover?



  • Thanks, we'll have to see how confused I get :D –> :o

    Using LAGG for failover in this instance. I have the ports so why not is my thinking. Might do LAGG for my WAN as well for the same reasoning - any drawback to that?


  • Rebel Alliance Global Moderator

Complexity for, most of the time, zero reason.  Production shop where if a switch goes down you lose $$$, ok.. So you send 1 connection to 1 switch in the stack and the other to the other switch in the stack for your lagg.

In a home/lab setup = like ZERO reason to do it.. Other than you can.. Many people have the misunderstanding that they think 1+1 = 2, no 1+1 with lacp, lagg, etherchannel, portchannel, etc. 1+1 = 1+1.. Do you have a shitton of devices where you might be able to leverage some loadbalance?  If not then it's pointless added complexity..

You have another nic, use it for a different network segment. This way you're not hairpinning connections on vlans using the same physical nic; that would be a much better use of the nic.

Switch ports get used up faster than you think.. Using an extra one on your switch just for the added complexity of lagg because you think it's sitting there idle is again pointless.

    But hey have fun with it ;)
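As an added illustration of the "1+1 = 1+1" point above (this is example code written for this page, not code from the thread, from pfSense or from FreeBSD lagg(4)): a small Python model of how a two-port LACP LAGG hashes flows onto member links. The hash policy (source/destination address and port), the addresses and the flow counts are assumptions for the example; real switches use their own hash inputs, but the property shown here holds for all of them: one flow always rides one member, so a single transfer never goes faster than one link, and only many distinct flows approach the aggregate.

```python
import hashlib
import random

# Assumed hash policy: a flow key built from source/destination address
# and port, in the spirit of what switches and FreeBSD lagg(4) do.
# It is a stand-in for illustration, not any vendor's exact algorithm.
def pick_member(src_ip, dst_ip, src_port, dst_port, members=2):
    """Map one flow to a member-link index in 0..members-1."""
    key = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % members


def distribute(flows, members=2):
    """Count how many flows from `flows` land on each member link."""
    counts = [0] * members
    for flow in flows:
        counts[pick_member(*flow, members=members)] += 1
    return counts


def single_flow_capacity_gbps(link_gbps, members=2):
    """A single flow rides exactly one member, so its ceiling is one link,
    regardless of how many members the LAGG has (1+1 = 1+1)."""
    return link_gbps


def aggregate_capacity_gbps(link_gbps, members=2):
    """Only the aggregate across many distinct flows approaches members * link."""
    return link_gbps * members


def make_flows(n, seed=1):
    """Constructed sample: n client->server flows using documentation
    (RFC 5737) addresses; ports and hosts are random but seeded."""
    rng = random.Random(seed)
    return [
        (f"192.0.2.{rng.randint(1, 254)}", "198.51.100.10",
         rng.randint(1024, 65535), 443)
        for _ in range(n)
    ]


if __name__ == "__main__":
    # One big transfer: every packet carries the same key, so one link does all the work.
    one_transfer = [("192.0.2.10", "198.51.100.10", 50000, 443)] * 10000
    print("one flow, two members:", distribute(one_transfer))
    # Many clients: the hash spreads them roughly evenly across both members.
    print("1000 flows, two members:", distribute(make_flows(1000)))
    # Member failure: with one link left everything still flows (the failover case).
    print("1000 flows, one member:", distribute(make_flows(1000), members=1))
    print("single-flow ceiling on 1G links:", single_flow_capacity_gbps(1.0), "Gbit/s")
```

Running it shows the two outcomes the post describes: the single-transfer case puts all 10000 packets on one member and none on the other, while the many-client case splits roughly evenly. The one-member run is the failover case the original poster is after, where the LAGG adds redundancy but no speed for any individual flow.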


  • Netgate

I have an LACP LAGG from my main switch to the one at my desk. No, I don't need it. It's more an exercise to see if it ever gives me any problems (Cisco SG300 <=> D-Link DGS-1100). Several weeks so far, so good. Even using SFP/fiber because it looks cool. :)


  • Rebel Alliance Global Moderator

    "because it looks cool."

    Well yeah.. But Derelict, your skill set is a bit higher than the user coming here asking if he should use a different interface other than his lan for management.. Just saying ;)

KISS is what I would suggest.. Down the road when you want to have it look cool like Derelict's setup then sure ;)



  • But how do you learn things if you don't play with them and experiment?  I never like hearing, "It's scary, stay away!"  When I first came here 2+ years ago, I knew literally nothing.  Only through trying things I'd never done before, as well as offering help on stuff I wasn't 100% clear on and teaching myself as I went, has taught me so much over that time.


  • Rebel Alliance Global Moderator

    It's not scary… just pointless..

As a learning exercise ok sure, but it doesn't even seem like he has his pfsense up and running yet..

Once he has it up and running and working exactly how he wants it to.. Sure, that is when you start "playing" with other stuff.. That is all I am trying to say.  Not trying to discourage the guy or anything.  It just doesn't bring anything to the table as far as having a working/stable setup.. Until he has that I wouldn't go playing with things that complex it up for no actual reason.


  • Netgate

    Amen. Keep it simple then add technologies one at a time if you want to experiment. But then when you are posting on a forum you are not asking someone for help with an LACP problem to solve what is really a basic issue.

People get too wrapped up in configuring too many things at once. E.g. if you are going to do 20 VLANs, do one and get it working right first.