Re: M4300 SFP Port Trunking Issues
Accepted Solutions
Hi Kelvin,
It's a good news that the failover problem resolved.
Let's carry on the VRRP scenario.
I have checked the maintenance file just you sent to us.
1) Congratulation!The address (192.168.100.2 ) is the virtual IP address of VRRP on Firewall.
Because this IP have same prefix mac-address header just like (00:00:5E:00:xx:xx).
It's the standard of VRRP for mac-address behavior.
2) Good finding! The "Link state detection” is very useful for VRRP status.
So we need to set the IP for heartbeat on each Firewall that could monitor VRRP all the time.
But 192.168.100.1 is not the heartbeat address for Firewall that is VLAN interface on M4300-Stack.
So Could you set an IP address on Firewall A and B that is not VRRP protocol.
Such as:
192.168.100.10 /24 on Firewall A.
192.168.100.20 /24 on Firewall B.
Then,
Set Link state detection IP address to 192.168.100.20 on Firewall A.
Set Link state detection IP address to 192.168.100.10 on Firewall B.
That will make Firewall detect each other with this configuration.
3) Could you share me the configuration page or command on your Firewall about LAG/Port/IP address/VRRP configuration?
The private message is RECOMMENDED.
I'm not very professional on Firewall of other company.
Just want to help analyze.
Look forward to your reply.
Regards,
Daniel.
All Replies
Many thx for your reply. I then followed your advise to disable the routing on the vlan interface (routing -> vlan -> vlan configuration) , but with no luck, still have error. Also, I would like to ask about the concept of the layer 3 switch. If I don't set the vlan routing on the layer 3 sw, will the traffic be routed between vlan?
Hi Kelvin,
Please go to Routing-->IP-->Advance-->IP interface configuration.
The port routing mode can be change to disable or enable in this page.
You can get correct VLAN tag status after set port to Disable of Routing mode.
Maybe there will cause a broadcast storm after set port to layer 2 working mode(disable routing).
So please beware with loop between layer 2 network.
Otherwise, M4300 don't support MLAG function but VRRP is ready.
Please check configuration example from below link about VRRP function:
How do I configure the Virtual Router Redundancy Protocol (VRRP)
Or the user manual for M4300 about all function maybe you need to check:
M4300 Software Administration Manual
-->Page 156 chapter 10
Regards,
Daniel.
I think I found the solution, it's because the trunking setting. I reset the switch and start over again. instead making the port trunk in "switch - > vlan trunking configuration" (should be "switchport mode trunk" in CLI) , and changed the switchport mode from general to Trunk, it started to be abnormal. if I turn it on, I cannot mark the port as "T" in vlan membership. it's not about the routing I think? But this is so strange, since "switchport mode trunk" and "switchport trunk allowed vlan X" are nearly the standard command in differenct brand of switch? And I assumed that when I trunk those ports, it will be auto labelled the port as "T". In fact, It only allow either one? Since I didn't test it, i don't know which should be the correct approach to getting the trunk work?
In addition, I stacked 2 switches, one of them is standby, so I might be able to just LAG 2 ports in my layer 2 sw and do nothing in layer 3 since it seems to be a "virtual switch"?
Hi Kelvin,
Please find the instruction about Trunk mode with native VLAN as below:
So you can see the VLAN member is "U" on VLAN 1 due to 1 is native VLAN.
For other VLAN (2-4093) it will be "T" due to it is allowed trunk VLAN.
For your addition question,
It work as a whole switch after M4300 get stacked.
So you might treat the stack master and standby as a whole switch which have multi port.
Regards,
Daniel.
Hi Kelvin,
So you want to connect two port from GS748T to M4300 Stack as a redundancy link.
Both Port 47 or port 48 are fine to deploy your requirement.
I suggest you to create a LAG on both side and add connected port into it.
But The LAG type is LACP(dynamic) on M4300 by default and GS748T is static by default.
You need to make the LAG type to a same value as dynamic or static on both switch.(dynamic is RECOMMENDED )
Please check below document about how to creat LAG and set LAG type to dynamic and static.
-->chapter 3,page 68.
Please see my example as below:
Let us know if you have any further concern.
Regards,
Daniel.
almost done, but I cannot ping the firewall >_<, LAG is up, but connect connect from the layer 2 switch, my pc can ping reach every vlan interface
Hi Kelvin,
Thanks for your update.
The VLAN configuration will only effect on LAG port after you add 1/0/9,2/0/9 into LAG 6.
So we should mark the LAG 6 into VLAN 7 with Tag or Untag (according with your Firewall support to accept Tag packets or not)
I think most of Firewall just support untag mode of layer 3 interface just like yours.
So Could you please add LAG 6 into VLAN 7 with untag mode?
You can chose one of the three ways to deploy this configuration:
1) Set LAG 6 to general mode,
Set PVID 7 on LAG 6
Add LAG 6 into VLAN 7 with untag mode (U)
2) Set LAG 6 to Access mode,
Access VLAN 7.
3) Set LAG 6 to Trunk mode.
Allowed VLAN 7
Native VLAN 7
Let us know if you get new update
Regards.
Daniel.
Hi Kelvin,
It seems to be a routing problem.
Please check the following steps on your network:
1) The route to the special subnet on Firewall.
Such as:
192.168.0.x/24 192.168.100.1
192.168.1.x/24 192.168.100.1
192.168.2.x/24 192.168.100.1
192.168.3.x/24 192.168.100.1
192.168.4.x/23 192.168.100.1
192.168.6.x/23 192.168.100.1
Please add route for every subnet if thr firewall don't have these routes.
2) The default gateway on PC.(The gateway should be the IP address on VLAN of Stack)
Or you can add static route for every special subnet above if you don't want to set default gateway on your PC.
3) Make sure the IP routing is "enable" on Stack
Please try again after above checklist has been done.
Regards,
Daniel.
Hi Daniel,
Yes, that's the point, I've fixed it. Now I have the rest of 2 questions I think ( hopefully no more T_T)
1. HA Question
I now have 2 LAG, and connect to 2 firewalls that in VRRP mode, Firewall A is active while B is standby, eth3 and eth4 are formed as active/standby LAG wiht IP: 192.168.100.2/24.
as you can see at the previous post, I have 2 LAGs in switch stack.
1/0/9 and 2/0/9 in LAG1 and connect to eth 3 / 4 (aggr 1) of Firewall A
1/0/10 and 2/0/10 in LAG2 and connect to eth 3 / 4 (aggr 1) of Firewall B
LAG1 and LAG2 are in VLAN 7
Scenario 1.
unplug only eth 3 in firewall A, work well
Scenario 2.
upplug only eth 4 in firewall A, work well
Scenario 3.
unplug both eth 3 / 4 or poweroff firewall A, cannot switch to firewall B which is my expection
Scenario 4.
poweroff firewall B, work well
Since Firewalls are in VRRP protocol, i expect all traffic will be redirected to firewall B, but seems I have some conceptual mistake
2. Failover
I found that if stack master is failure, I cannot ping the vlan interface whether it is resumed or not. I have to poweroff the slave once to make it work again. is it normal?
Hi Kelvin,
It's all right.
Any posts is welcome
1. HA Question
For scenario 3,
Please check the VRRP status on Firewall B after you unplug both eth 3 / 4 or poweroff firewall A.
The VRRP status on Firewall B should be Master after Firewall A is down.
Please check VRRP function and configuration on Firewall A&B If above function don't work as expected.
I also have some suggest step for you to check VRRP function and configuration on Firewall:
1) VRRP need two router(Firewall) add in same virtual router group with same subnet IP address
such as:
Firewall A: 192.168.100.10 /24
Firewall B: 192.168.100.20 /24
2) A virtual IP address must be assigned in this virtual group.
such as:
Virtual IP: 192.168.100.30 /24
(you can also set virtual IP same with Firewall A or Firewall B, that will make the Firewall to be VRRP IP owner which have same address as Virtual IP)
3) All clients must set the gateway to Virtual IP instead of the IP on Firewall A or Firewall.
Such as:
PC: 192.168.100.201 /24, Gateway: 192.168.100.30.
4) Set LAG mode to LACP(dynamic)
This mode will detect&switch link status automatic when the link is down or unavailable.
(LACP mode of LAG must support on both side of Switch and Firewall as same time.).
such as:
Set LAG mode to dynamic LACP on Switch: Static mode-->Disable (Go to Switch--->LAG--->LAG configuration-->Select LAG port--->Static Mode)
Set LAG mode to dynamic LACP on Firewall A&B.(Please check manual document of firewall)
5) <*Optional>these extra function will help you to monitor and control VRRP more Reliable.
Set VRRP track interface on Firewall(if supported)
Set VRRP Router Priority and Preemption on Firewall(if supported)
2. Failover.
1) Please check the LAG configuration on both side(stack and GS748T)
All LAG member and LAG port should have same VLAN configuration.
2) Please modify the LAG type to dynamic LACP mode on stack.
such as:
Set LAG mode to dynamic LACP on Switch: Static mode-->Disable (Go to Switch--->LAG--->LAG configuration-->Select LAG port--->Static Mode)
On GS748T, the same LAG type should be configured.
Let me know if you have any update.
BTW,
Please send your maintenance to us if possible.
We can analyze your scenario more carefully with configuration file and topology.
Please follow as below step to send maintenance information.
How do I send diagnostic files from my Smart Switch to NETGEAR community moderators?
http://kb.netgear.com/app/answers/detail/a_id/31438
How do I send diagnostic files from my Managed Switch to NETGEAR community moderators?
http://kb.netgear.com/app/answers/detail/a_id/31439
Regards,
Daniel.
