LinuxQuestions.org
Old 01-10-2012, 09:55 AM   #1
pingu
Senior Member
Need advice about redundant switches / LACP, stacking or ...


A company I work for needs to upgrade the network infrastructure for better reliability/redundancy.
What we want is to duplicate everything - firewalls, servers and switches.
The problem I'm dealing with now is the switches - I'm not quite sure about how to configure them and thus unsure about what capabilities they must have.

See diagram for (a somewhat simplified) network layout. (Second firewall is not yet present, will be added later.)
We want to use tagged VLANs.
Firewalls are pfSense active/passive with PoolDownServer configured.
Double servers with 2 bonded NICs each, mode active/passive.
All servers run SLES11.

Questions:
1) As only one NIC on each server will be active at a time, can we use 2 separate switches, or do they still have to be stacked or trunked together?
If so, is there an alternative to using stackable switches? I remember having read something about switch-trunking years ago but don't remember anything more.
2) Is this a good layout, or do you have a better idea?
3) Will the PoolDownServer actually work, will pfSense be able to direct traffic to correct server when one switch fails?
[Attached image: switch_spec.png]
Old 01-10-2012, 04:47 PM   #2
kbp
Senior Member
1. Stacking is purely to aid management; functionally there is no difference between stacked and separate.
2. As far as layout goes it's difficult to comment on; you can make things as complicated as your budget can afford. There is nothing specifically wrong with what you've planned.
3. No idea, I've never touched pfSense.

There was only one thing I noticed in your diagram that should be changed: you seem to be using VLAN 1, which is not usually a good idea as any untagged traffic will default to the same VLAN.
Old 01-13-2012, 09:03 AM   #3
pingu
Senior Member
Thanks for your reply!
Now I wonder:
1) Functionally no difference, you say - are you sure about that?
The way I understand it you can't use LACP with ports on different switches - from what I've seen, switches support static LACP only. However, when 2 switches are stacked, then one port on each switch can be aggregated together.
Have I misunderstood this?
2) Of course, depends on the budget..
Let's say we want to keep the switches below 1000$, absolutely not above 2000$ (each, then).
And thanks for the reminder about VLAN numbering!
Old 01-13-2012, 09:23 AM   #4
pingu
Senior Member
Let me explain in a little more detail what I'm worrying about.
Look at the new diagram:

The firewall has 2 NICs (named here 10 & 11).
The firewall is configured so that by default all traffic goes out on NIC 10 -> server1.
When server1 doesn't respond, traffic is instead sent to server2 using NIC 11.
Each server has 2 NICs, bonded together into one interface.

So, by default traffic flows on links 10:1 -> 10:2.
Now what happens if link 10:2 is broken?
Will the firewall assume webserver1 is down and start sending to webserver2, or will it send out on 11:1 to server1, meaning switch11 should send on link 10:3?
My guess is traffic will go to server2, but I'm definitely not sure.

Maybe we shouldn't use the failover option but just use LACP on firewall instead?
Can that be done without using LACP on the switches?

As you can probably see I'm a bit confused here, any help is much appreciated!
[Attached image: switch_spec2.png]
Old 01-13-2012, 11:36 PM   #5
kbp
Senior Member
As long as you have spanning tree running, a single failure will have no impact to service. Rapid Spanning Tree is the current incarnation and is pretty quick compared to the original version.

You haven't mentioned how your servers are load balanced ... ?

And yes, you are correct - LACP will not bundle links across separate switches.

Last edited by kbp; 01-13-2012 at 11:39 PM.
Old 01-15-2012, 04:23 AM   #6
pingu
Senior Member
Quote:
Originally Posted by kbp View Post
You haven't mentioned how your servers are load balanced ... ?
Ah, one very important thing I forgot!
They are not load balanced, we can't use that! Can't give you details, you just have to believe this.
That is why I want to use the "PoolDownServer" feature, which automatically directs traffic to one server only. When the primary server is down, traffic goes to the secondary only - a few small CLI scripts run automatically on the secondary when certain traffic hits it (well, that's the plan so far, we're still in the early planning stage).
In this scenario, we will use bonding/LACP on the servers, each NIC connected to a separate switch.
The switch ports they connect to must then also be bonded, right? Which could be done only if the switches are stacked, if I got it all right.
... or is this true? Traffic will only go through one link at a time, so maybe we don't have to bond the switch ports?
Old 01-15-2012, 05:45 AM   #7
kbp
Senior Member
Sorry, I forgot you mentioned pfSense... the bonding is to allow communication to continue in the event of a switch failure; you can use active/passive for this. Your PoolDown configuration will allow for the failure of a server. Unless you want to increase bandwidth to greater than 1 link, there is no need for LACP/multiple links between a switch and a server.
Old 01-15-2012, 07:26 AM   #8
pingu
Senior Member
Quote:
Originally Posted by kbp View Post
Sorry, I forgot you mentioned pfSense... the bonding is to allow communication to continue in the event of a switch failure; you can use active/passive for this.
Exactly!
Quote:
Unless you want to increase bandwidth to greater than 1 link there is no need for LACP/multiple links between a switch and a server.
But I want to use 2 switches; that's why I need multiple links between switches and servers.
So I guess this puts me back to my first question: "As only one NIC on each server will be active at a time, can we use 2 separate switches or do they still have to be stacked or trunked together?"
(Because, if I got it right, with stacked switches I can use LACP to combine 2 ports on separate switches.)
Old 01-15-2012, 03:20 PM   #9
kbp
Senior Member
Separate switches are fine for active/passive (mode 1).
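As an added example (not from this thread or from any poster), here is a small check a server admin could run against the kernel's /proc/net/bonding/bond0 output on the SLES11 boxes to confirm the design kbp recommends: mode 1 (active-backup) with one NIC on each of two separate, non-stacked switches, link monitoring enabled so a switch failure actually triggers failover, and both slaves currently up. The sample status text is constructed to mimic the kernel's format, with eth1 already showing link loss.

```python
"""Check /proc/net/bonding/bond0 output for the mode 1 (active-backup)
design above: two NICs, each cabled to a separate, non-stacked switch."""

# Constructed, abbreviated sample in the kernel's format: eth1 has lost link.
SAMPLE_BOND_STATUS = """\
Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
"""

def parse_bond_status(text):
    """Return (bond_settings, [slave, ...]); keys after 'Slave Interface' belong to that slave."""
    bond, slaves, current = {}, [], None
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank separator between sections
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Slave Interface":
            current = {"name": value}
            slaves.append(current)
        else:
            (bond if current is None else current)[key] = value
    return bond, slaves

def check_bond(text):
    """List conditions that defeat switch-failure redundancy in the bond."""
    bond, slaves = parse_bond_status(text)
    findings = []
    if "active-backup" not in bond.get("Bonding Mode", ""):
        findings.append("not active-backup: LACP/802.3ad cannot span "
                        "non-stacked switches, use mode 1 here")
    if (bond.get("MII Polling Interval (ms)", "0") == "0"
            and "ARP Polling Interval (ms)" not in bond):
        findings.append("no miimon/arp_interval: link loss never triggers failover")
    for slave in slaves:  # a down slave means one switch path is already gone
        if slave.get("MII Status") != "up":
            findings.append("%s down (failures: %s): no standby path left"
                            % (slave["name"], slave.get("Link Failure Count")))
    return findings
```

On a real host, pass `open("/proc/net/bonding/bond0").read()` to `check_bond` from a cron job or monitoring check; an empty list means the two-switch failover path is intact.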