[pfSense] NIC Failover

Austin G. Smith Austin at digitalcompass.com
Mon Sep 12 01:57:16 EDT 2011


It sounds like you are not talking about link aggregation at all if you are going to use STP to handle failover between the various legs.  Basically, with link aggregation, you have 2 (or more) physical connections that you logically make 1 single, higher bandwidth connection.  In the event a link goes out, you simply lose the additional bandwidth it provides.  This needs to be set up on the switch AND the pfSense box to work correctly.

The best method to go about in any design is to Keep It Simple - don't overcomplicate the network if you can help it.  Granted, sometimes there are space / power / budget issues that make you "work around" an ideal setup - but the best rule of thumb is to keep it as simple as you possibly can!

If you need the bandwidth, link aggregate.  If you just want the redundancy, use STP or a derivative thereof and call it a day.  There have been some very good points brought up in your thread here that should be listened to and weighed appropriately for your environment.  You know it best.  I would highly recommend you do some heavy research on both STP and LACP/LAG and the benefits they each have. After you have layer 1 and 2 ideal, then you can work on layer 3 and up.  Even though there is a layer 4 instance of LAG......

I wish you the best in your endeavors!

Austin Smith, A+, NET+, SMBE, MCSA
Director of Information Technology
Digital Compass

(404) 410-2708 direct
(404) 410-2701 fax
949 W. Marietta Street, Suite x104
Atlanta, GA 30318

**For immediate assistance please contact our technical team at 888-640-2260**

________________________________________
From: list-bounces at lists.pfsense.org [list-bounces at lists.pfsense.org] on behalf of Joseph Hardeman [JHardeman at cirracore.com]
Sent: Sunday, September 11, 2011 10:23 PM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] NIC Failover

Interesting

I do know that when building out a redundant network so that you have multiple paths to the same destination, you have to have some sort of method allowing traffic to be able to change its path if a switch or fiber in the middle goes down. While VLANs do help in separating traffic, RSTP allows for the quickest way for traffic to switch between network links.  For instance, if you have a circle network (basically a loop), Spanning-tree or Rapid Spanning-tree helps manage what path is chosen, basically disabling the other path, and keeps the network from overrunning itself by the loop, just like OSPF also will help direct traffic by opening the shortest path.

Actually, the LAGG I was speaking about was the LAGG configured in pfSense, not on the switch side. When the IP moved over to the failover NIC on pfSense, then spanning tree would kick in on the VLAN that is running that network and see that it is now available off a different leg than previously.

Now, I of course could definitely be wrong about spanning tree and the best way to manage a network; there are a whole lot of smarter people out there than me and I am quite aware of my limitations.  :-)  So I am more than happy to hear and learn of a better way of doing things.  Anything I can do to make our lives easier I am happy to do.

Joe


-----Original Message-----
From: Jim Thompson [mailto:jim at netgate.com]
Sent: Sunday, September 11, 2011 9:12 PM
To: Joseph Hardeman
Cc: 'pfSense support and discussion'
Subject: Re: [pfSense] NIC Failover

Most of the issues with STP are dealt with via 802.1w (rapid spanning tree)

On Sep 11, 2011, at 9:15 AM, Joseph Hardeman wrote:

> Hey Everyone,
>
> So I can do the failover and yes, all of the switches are managed.  I did see where to set up the LAGG on the pfSense system.  I have to deconfigure the two NICs I want to use and then set them up in failover mode, I think.  On the switch side, I was using 2 separate switches with rapid spanning tree on their uplink ports and ports to the pfSense system to assist in fast failover.  I will give it a shot on Monday and see how it goes.
>
> Thanks.
>
> Joe
>
> -----Original Message-----
> From: list-bounces at lists.pfsense.org [mailto:list-bounces at lists.pfsense.org] On Behalf Of Chris Buechler
> Sent: Sunday, September 11, 2011 1:04 AM
> To: pfSense support and discussion
> Subject: Re: [pfSense] NIC Failover
>
> On Sun, Sep 11, 2011 at 12:46 AM, Austin G. Smith <Austin at digitalcompass.com> wrote:
>> I have had issues with stp on the firewall in this type setup previously.
>> Mileage may vary for others..
>>
>
> If you're bridging, yeah that can be a concern depending on your config. Failover lagg without bridging won't cause any issues with STP though. May see switches on occasion that have an issue with a MAC quickly moving from one port to another related to its CAM table, or sometimes with security features on the switch, but that's pretty unusual with typical switch configs. And usually in that scenario you're going to be on two diff switches anyway with failover lagg.
> _______________________________________________
> List mailing list
> List at lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list
