KelvinFu
Nov 18, 2016, Aspirant
M4300 SFP Port Trunking Issues
Hi all, I recently purchased 2 new M4300s and formed a stack. After stacking the SW, I started to set up the switch as normal: the management VLAN, IP, the rest of the VLANs, and the subnets of those VLANs. Since i...
DanielZhang
Nov 23, 2016, NETGEAR Expert
Hi Kelvin,
It's all right.
Any posts are welcome :)
1. HA Question
For scenario 3,
Please check the VRRP status on Firewall B after you unplug both eth 3 / 4 or power off Firewall A.
The VRRP status on Firewall B should be Master after Firewall A is down.
Please check the VRRP function and configuration on Firewall A & B if the above function doesn't work as expected.
I also have some suggested steps for you to check the VRRP function and configuration on the firewall:
1) VRRP needs two routers (firewalls) added to the same virtual router group with IP addresses in the same subnet
such as:
Firewall A: 192.168.100.10 /24
Firewall B: 192.168.100.20 /24
2) A virtual IP address must be assigned in this virtual group.
such as:
Virtual IP: 192.168.100.30 /24
(You can also set the virtual IP to be the same as Firewall A or Firewall B; that will make that firewall the VRRP IP owner, which has the same address as the virtual IP.)
3) All clients must set the gateway to the virtual IP instead of the IP on Firewall A or Firewall B.
Such as:
PC: 192.168.100.201 /24, Gateway: 192.168.100.30.
4) Set LAG mode to LACP (dynamic)
This mode will detect and switch link status automatically when the link is down or unavailable.
(LACP mode of LAG must be supported on both sides, switch and firewall, at the same time.)
such as:
Set LAG mode to dynamic LACP on Switch: Static mode-->Disable (Go to Switch--->LAG--->LAG configuration-->Select LAG port--->Static Mode)
Set LAG mode to dynamic LACP on Firewall A & B. (Please check the firewall's manual.)
5) (Optional) These extra functions will help you monitor and control VRRP more reliably.
Set VRRP track interface on the firewall (if supported)
Set VRRP Router Priority and Preemption on the firewall (if supported)
2. Failover.
1) Please check the LAG configuration on both sides (stack and GS748T).
All LAG members and LAG ports should have the same VLAN configuration.
2) Please change the LAG type to dynamic LACP mode on the stack.
such as:
Set LAG mode to dynamic LACP on Switch: Static mode-->Disable (Go to Switch--->LAG--->LAG configuration-->Select LAG port--->Static Mode)
On GS748T, the same LAG type should be configured.
Let me know if you have any update.
BTW,
Please send your maintenance file to us if possible.
We can analyze your scenario more carefully with the configuration file and topology.
Please follow the steps below to send the maintenance information.
How do I send diagnostic files from my Smart Switch to NETGEAR community moderators?
http://kb.netgear.com/app/answers/detail/a_id/31438
How do I send diagnostic files from my Managed Switch to NETGEAR community moderators?
http://kb.netgear.com/app/answers/detail/a_id/31439
Regards,
Daniel.
KelvinFu
Nov 24, 2016, Aspirant
Hi Daniel,
I fixed the failover problem by enabling the dynamic LACP mode in both stack and layer 2 switch. Awesome!
For question 1, I would like to reply to your suggestions first.
1. Yes, master and slave are connected with addresses in the same subnet and have a 1s heartbeat to detect each other.
2. and 3. The firewall doesn't have a virtual IP; it's not the same as the VRRP standard protocol. Instead, they sync the settings from each other, which means Firewall A and B have the exact same settings except the heartbeat interface, so the only way I can identify them is the heartbeat interface. Also, when I have the switch and connect to both firewalls at the same time with the eth IP address, I'm always connected to Firewall A if it is in a normal state; once it fails, I am redirected to Firewall B. In this situation, the virtual IP is not a must, I think?
4. I cannot find any setting on the firewall about dynamic LACP (I think this is the key). The firewall has an option called "Link state detection" which allows me to set an IP address for a periodic check like a heartbeat; I set 192.168.100.1 in that field.
5. Yes, I have this setup and it's already enabled
Test
1. unplug eth 3 / 4 at the same time in Firewall A
Yes, Firewall B became Active, and the LAG to Firewall A was down in the switch stack, while the LAG to Firewall B was still up. When I plugged eth 3 and 4 back in at Firewall A, it became Active again, and B went to standby. (So, it obviously detects the link failure!!!!)
2. set LAG to Firewall A and B to dynamic LACP
Since I don't have any setting that allows me to enable dynamic LACP, yes, the state was changed to down as expected.
I think LACP is the key but I cannot prove it. I'm going to upload my log, so you may have a check on it. Thanks for helping me a lot.
- KelvinFu, Nov 24, 2016, Aspirant
All related logs and configs have been sent to switch_support@netgear.com already~
- DanielZhang, Nov 24, 2016, NETGEAR Expert
Hi Kelvin,
It's good news that the failover problem is resolved. :)
Let's carry on with the VRRP scenario.
I have checked the maintenance file you just sent to us.
1) Congratulations! The address (192.168.100.2) is the virtual IP address of VRRP on the firewall.
This is because this IP has the same MAC address prefix, just like (00:00:5E:00:xx:xx).
That is the standard VRRP behavior for MAC addresses.
2) Good finding! The "Link state detection" option is very useful for VRRP status.
So we need to set an IP for heartbeat on each firewall that can monitor VRRP all the time.
But 192.168.100.1 is not the heartbeat address for the firewall; that is the VLAN interface on the M4300 stack.
So could you set an IP address on Firewall A and B that is not for the VRRP protocol?
Such as:
192.168.100.10 /24 on Firewall A.
192.168.100.20 /24 on Firewall B.
Then,
Set Link state detection IP address to 192.168.100.20 on Firewall A.
Set Link state detection IP address to 192.168.100.10 on Firewall B.
That will make the firewalls detect each other with this configuration.
3) Could you share with me the configuration page or commands on your firewall for the LAG/Port/IP address/VRRP configuration?
A private message is RECOMMENDED.
I'm not very proficient with firewalls from other companies.
I just want to help analyze. :)
Look forward to your reply.
Regards,
Daniel.
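The post above identifies the VRRP virtual IP by its MAC address prefix. The following Python script is an added example, not part of the thread and not NETGEAR code; it applies that check to an ARP table, narrowing the prefix to the RFC 5798 form 00:00:5E:00:01:{VRID} for IPv4 and 00:00:5E:00:02:{VRID} for IPv6. The table layout, interface names and MAC values are constructed; only the IP addresses come from the thread.

```python
import re

# VRRP virtual router MAC prefixes (RFC 5798); the last octet is the VRID.
VRRP_PREFIXES = {"00005e0001": "IPv4", "00005e0002": "IPv6"}

def normalize_mac(mac):
    """Return 12 lowercase hex digits from colon, dash or dotted notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def vrrp_info(mac):
    """Return (family, vrid) if mac is a VRRP virtual MAC, else None."""
    digits = normalize_mac(mac)
    family = VRRP_PREFIXES.get(digits[:10])
    if family is None:
        return None
    return family, int(digits[10:], 16)

def find_virtual_ips(arp_lines):
    """Map each IP whose MAC is a VRRP virtual MAC to (family, vrid)."""
    found = {}
    for line in arp_lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, mac = fields[0], fields[1]
        try:
            info = vrrp_info(mac)
        except ValueError:
            continue  # header line or malformed row
        if info:
            found[ip] = info
    return found

# Constructed sample: IPs from the thread, MACs invented for illustration.
SAMPLE_ARP = [
    "IP-Address       MAC-Address        Interface",
    "192.168.100.1    02:00:00:00:00:01  vlan 100",
    "192.168.100.2    00:00:5E:00:01:0A  lag 1",
    "192.168.100.10   02-00-00-aa-bb-01  lag 1",
    "192.168.100.20   0200.00aa.bb02     lag 2",
]

if __name__ == "__main__":
    for ip, (family, vrid) in find_virtual_ips(SAMPLE_ARP).items():
        print(f"{ip}: VRRP {family} virtual MAC, VRID {vrid}")
```
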
- KelvinFu, Nov 24, 2016, Aspirant
PM was sent :)