Failover Switches using LAGG on PFsense



  • Hi,

    I am trying to configure 2 Powerconnect N3048 in HA from pfsense. My thought was that I would be able to LAGG LACP 2 ports from the pfsense and connect them to 1 port on each switch. Does this sound correct?


  • Netgate Administrator

    You may be able to do that if the switches are stacked. It really depends how they are configured.

    https://doc.pfsense.org/index.php/LAGG_Interfaces#Usage_with_Multiple_Switches

    Steve



  • The doc doesn’t really explain what I need on the switch side. If I stack the switches, if the master went down, wouldn’t the slave also be unavailable?


  • Netgate Administrator

    If you stack the switches and, say, the power supply fails on one the other would remain powered and the LAGG should start using that.

    Really it depends entirely on how the switches are configured or what they're capable of and I've never used that switch so I can't comment there specifically.

    Steve



  • @stephenw10:

    If you stack the switches and, say, the power supply fails on one the other would remain powered and the LAGG should start using that.

    Really it depends entirely on how the switches are configured or what they're capable of and I've never used that switch so I can't comment there specifically.

    Steve

    That makes sense, so it sounds like I need to stack the switches first and then configure 1 port from each switch in a LAGG and also configure each port going from the pfsense to the switch in LAGG as well.


  • Netgate Administrator

    Yes, that's what I would expect.

    Steve


  • LAYER 8 Netgate

    In general, yes. All of your concerns really depend on what your specific switches do in that case.

    Most of my work in that area has been done with Brocade ICX switches. In that case if a stack member was lost the whole stack rebooted without that member active unless hitless failover was enabled and had a couple of minutes to sync.

    Your switch is probably completely different.

    Switch>sh stack
    T=845d42m45.2: alone: standalone, D: dynamic cfg, S: static
    ID  Type          Role    Mac Address    Pri State  Comment                 
    1  S ICX6430-24    active  cc4e.24b3.68b8 128 local  Ready
    2  S ICX6430-24    standby cc4e.24b3.6978  0 remote  Ready

        active       standby
        +---+        +---+
    =2/3| 1 |2/1==2/3| 2 |2/1=
    |   +---+        +---+   |
    |                        |
    |------------------------|
    Standby u2 - protocols ready, can failover
    Current stack management MAC is cc4e.24b3.68b8
    Switch>sh lag
    Total number of LAGs:          2
    Total number of deployed LAGs: 2
    Total number of trunks created:2 (27 available)
    LACP System Priority / ID:    1 / cc4e.24b3.68b8
    LACP Long timeout:            90, default: 90
    LACP Short timeout:            3, default: 3

    === LAG "Management" ID 81 (dynamic Deployed) ===
    LAG Configuration:
      Ports:        e 1/1/14 e 2/1/14
      Port Count:    2
      Primary Port:  1/1/14
      Trunk Type:    hash-based
      LACP Key:      20081
    Deployment: HW Trunk ID 1
    Port    Link    State  Dupl Speed Trunk Tag Pvid Pri MAC            Name
    1/1/14  Up      Forward Full 1G    81    No  81  0  cc4e.24b3.68c5  NAS_LAGG0 
    2/1/14  Up      Forward Full 1G    81    No  81  0  cc4e.24b3.68c5  NAS_LAGG1

    Port  [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
    1/1/14      1        1  20081  Yes  L  Agg  Syn  Col  Dis  No  No  Ope
    2/1/14      1        1  20081  Yes  L  Agg  Syn  Col  Dis  No  No  Ope

    Partner Info and PDU Statistics
    Port      Partner        Partner    LACP      LACP   
              System MAC        Key    Rx Count  Tx Count 
    1/1/14    0cc4.7a47.7be2      203  2404227  2427495
    2/1/14    0cc4.7a47.7be2      203  2404222  2427495
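
Added example, not part of the thread or any poster's code: a small Python check over the LACP rows of a `sh lag` listing like the one above. It confirms that every member is aggregating, that all members see the same LACP partner, and that the members sit on more than one stack unit. It assumes the column layout shown in that output and that the first number of a port ID is the stack unit; other switches print this differently.

```python
import re

# LACP rows copied from the "sh lag" output in the post above (whitespace normalised).
SAMPLE = """\
Port  [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1/14      1        1  20081  Yes  L  Agg  Syn  Col  Dis  No  No  Ope
2/1/14      1        1  20081  Yes  L  Agg  Syn  Col  Dis  No  No  Ope
Port      Partner        Partner    LACP      LACP
          System MAC        Key    Rx Count  Tx Count
1/1/14    0cc4.7a47.7be2      203  2404227  2427495
2/1/14    0cc4.7a47.7be2      203  2404222  2427495
"""

PORT = re.compile(r"^\d+/\d+/\d+$")          # assumed form: unit/module/port
MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
HEALTHY = ["Agg", "Syn", "Col", "Dis", "No", "No", "Ope"]  # as shown in the post


def check_lag(text):
    """Return a list of problems found; an empty list means the LAG looks healthy."""
    state, partner = {}, {}
    for line in text.splitlines():
        f = line.split()
        if not f or not PORT.match(f[0]):
            continue
        if len(f) == 13:                        # LACP flag row
            state[f[0]] = f[6:13]               # Agg Syn Col Dis Def Exp Ope
        elif len(f) == 5 and MAC.match(f[1]):   # partner info row
            partner[f[0]] = (f[1], f[2])        # partner system MAC, partner key
    if not state:
        return ["no LACP member rows found"]
    problems = []
    for port, flags in sorted(state.items()):
        if flags != HEALTHY:
            problems.append(f"{port}: LACP flags {' '.join(flags)}")
        if port not in partner:
            problems.append(f"{port}: no partner info")
    # Every member must be talking to the same device (here, the pfSense lagg).
    if len(set(partner.values())) > 1:
        problems.append("members see different LACP partners")
    # Failover across switches needs members on at least two stack units.
    if len({p.split("/")[0] for p in state}) < 2:
        problems.append("all members on one stack unit: no switch redundancy")
    return problems


if __name__ == "__main__":
    print(check_lag(SAMPLE) or "LAG healthy and spread across stack units")
```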



  • I assume you are referring to the Dell N3000 series switches here.

    In that case, you can do a cross-switch LAGG if you fulfill either of the following 2 configurations on your switches:

    1. You have the 2 switches configured in a MLAG and the Port-channel for the LACP ports is configured properly for your MLAG domain. I recommend using the 10GbE SFP+ ports on the front for MLAG configuration.

    2. You are not using the MLAG but have the switches configured in a stack using the dedicated Mini-SAS Stacking ports on the rear of the units.


  • LAYER 8 Netgate

    So they support some form of Multi-Chassis Trunking (MCT) via this MLAG it sounds like. That should also work.



  • @dreamslacker:

    I assume you are referring to the Dell N3000 series switches here.

    In that case, you can do a cross-switch LAGG if you fulfill either of the following 2 configurations on your switches:

    1. You have the 2 switches configured in a MLAG and the Port-channel for the LACP ports is configured properly for your MLAG domain. I recommend using the 10GbE SFP+ ports on the front for MLAG configuration.

    2. You are not using the MLAG but have the switches configured in a stack using the dedicated Mini-SAS Stacking ports on the rear of the units.

    So it sounds like the following configuration would work:

    Connect 2 SFP+ ports from the firewall to 1 SFP+ port on each switch
    Configure the 2 SFP+ ports on the pfsense to LACP LAGG
    Configure the SFP+ port on each switch to MLAG

    No stacking necessary?


  • LAYER 8 Netgate

    Completely up to your switches. pfSense LACP will not care.

