New device setup question for Gold.
Hi all,
I am looking for some guidance on installing a second switch into my current setup.
Currently my setup is as follows:
Cable Modem > Firewalla Gold > Netgear GS724 switch; all my other wired devices are plugged into the GS724 switch.
I am adding a second switch to my Netgear that has PoE so I can move my access points and any other PoE devices I plan to add in the future.
I am looking for a way to hook up one switch to the other, but have both switches also plugged into the Firewalla Gold, so that if one of the switches is off or down there is still communication for the other switch via the Firewalla, and also if the Firewalla was off there should still be communication between both switches. The second switch is a Netgear GS728TP V2.
What would be the best way to achieve the above with the Firewalla Gold without causing a network loop, if that is even possible?
-
Unfortunately there is no easy way to achieve what you want...
To ensure that 2 out of 3 devices remain connected if any one dies, you need to connect all 3 together, which requires all 3 devices (including the Firewalla) to support compatible spanning tree protocols... For reference you can see a decent doc for TP-Link here: configuring_spanning_tree (tp-link.com). You will have to start with the Netgear documentation specific to your switches, then set up a compatible STP on the Firewalla itself.
In addition, keep in mind that the Firewalla's 4 ports are not a hardware switch like on common routers (like Asus ones); practically all the traffic from one port to the other has to transit through the Linux network drivers, adding load on your device, so when you configure your link priority you might want to keep one of the firewalla->switch2 links at the lowest priority.
Finally, network switch failures are so uncommon that you might want to reconsider and use a much simpler design where 1 switch is your "core"; your Firewalla, your other switches, access points etc. all get connected to this core switch. Off the bat it will ensure that only internet traffic goes through the Firewalla; you can use the interconnect ports to connect the switches together, which optimizes workload and should simplify administration.
In this case the core switch is a SPOF, but if that's really a concern, then buy 2 of them and configure them as backup using the STP above (it will be easier since they are from the same manufacturer); you will also need extra cables for redundant links.
My 2 cents.
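To make the trade-off in this answer concrete, here is an added example (not from the thread or from Firewalla) that models the three-device topology as a graph: it checks whether a design contains a physical loop, which links a spanning tree would have to block, and which devices still reach each other after one of them fails. The device names and link sets are constructed assumptions.

```python
# Constructed topologies: the fully meshed "connect all 3" design from the answer
# and the simpler "core switch" design (only switch1 uplinks to the firewalla).
TRIANGLE = {("firewalla", "switch1"), ("firewalla", "switch2"), ("switch1", "switch2")}
CORE = {("firewalla", "switch1"), ("switch1", "switch2")}

def neighbours(links, node):
    return {b if a == node else a for a, b in links if node in (a, b)}

def has_loop(links):
    """A connected topology is loop-free only if it has exactly nodes-1 links."""
    nodes = {n for link in links for n in link}
    return len(links) > len(nodes) - 1

def reachable(links, start):
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(neighbours(links, n))
    return seen

def spanning_tree(links, root="firewalla"):
    """Minimal STP-like step: from the root, keep the first link that reaches each
    device and leave every other link blocked (real STP adds cost/priority rules)."""
    active, visited, frontier = set(), {root}, [root]
    while frontier:
        n = frontier.pop(0)
        for m in sorted(neighbours(links, n)):
            if m not in visited:
                visited.add(m)
                active.add(tuple(sorted((n, m))))
                frontier.append(m)
    return active

def blocked_links(links, root="firewalla"):
    """Links STP would put in blocking state; traffic on them detours via the root."""
    return set(links) - spanning_tree(links, root)

def survivors_connected(links, failed):
    """After `failed` dies, do all remaining devices still reach each other?"""
    remaining = {l for l in links if failed not in l}
    nodes = {n for l in remaining for n in l}
    return bool(nodes) and reachable(remaining, next(iter(nodes))) == nodes

if __name__ == "__main__":
    for name, topo in (("triangle", TRIANGLE), ("core", CORE)):
        print(name, "loop:", has_loop(topo), "blocked:", blocked_links(topo),
              "survives switch1 loss:", survivors_connected(topo, "switch1"))
```

With the Firewalla as STP root the blocked link is the switch-to-switch one, which is exactly why inter-switch traffic would transit the appliance; electing switch1 as root instead blocks a firewalla link, matching the answer's advice to keep one firewalla->switch2 link at lowest priority.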
-
Derek,
No good solution at the moment; just build a multi-port LACP LAG between the switches and connect the firewall to the root switch (as determined by RSTP, or the root as manually defined).
The Firewalla is a Layer 3 device (router). I do not believe there is any risk of creating a loop 'through' the Firewalla appliance. For instance, I have all three of the 'LAN' ports on my Firewalla Gold connected to the same physical switch. Each port carries one or more 'networks' using VLAN tags. But the only reason I'm doing this is because I cannot build an LACP port channel from the Firewalla to the switch. Otherwise I'd simply have a 3Gb LACP LAG that carried all of my VLANs between the FWG and the switch.
@Firewalla --- We want LACP.
-
IF the FWG supported LACP, and you had multiple switches that could be 'stacked' or supported 'MLAG', you could pull 2 cables from the FWG to the primary switch, and 1 cable to the secondary switch. Then if the primary switch failed, everything on switch 2 would still have a path to the FWG on all VLANs.
-
Thanks for the reply. I have STP enabled on both of the network switches currently and they are connected together.
The question was more around the Firewalla; I wasn't sure if there was something that was possible or not with the box itself. It sounds like it is probably best to leave the switches connected together rather than have both connected to the Firewalla.
Thanks for answering the question anyway; I will rethink my setup as you say with the core switch.
-
Actually no... You don't want to cause a loop.
If both switches are connected together and both are connected to the Firewalla, this is a physical loop. Then most likely you need to set up STP on the Firewalla as well and/or make sure that the link between the 2 switches is marked as a backup link to avoid a loop, but that will force all the traffic between the 2 switches to hit the Firewalla, which adds LAN traffic load to the appliance.
The simplest option is just to connect only switch_1 to the Firewalla and connect switch_2 to switch_1 only.
-
Now you have my attention. I asked a question like this the other day; someone else responded and it gave me the impression that connecting 2 switches to the FWG would potentially cause a loop.
Only one of my switches supports being stacked, but it is certainly worth the upgrade to a second stacked switch so there is some redundancy in the event of a failure.
-
The FWG is operating as an L3 device. It would not cause issues to have multiple ports from the Firewalla connected to one or more switches.
HOWEVER... You can only have one network assigned to a port natively, unless you use VLAN tags. But the network or VLAN can only be associated with a single physical port.
The FWG does not support LACP, or any type of interface configuration that would allow you to fail over between switches.
A lot of people keep asking for link aggregation, but Firewalla keeps insisting that we only need link aggregation if we have more than a 1 GB Internet connection.
-
Standard LACP is to bundle multiple circuits into one logical one... and both sides need to be on the same switch. To use multiple switches together with the same router, it will work because STP will help you avoid the loops, but if you want both links from two switches of the same network to the router together, an additional protocol is needed (to replace the good old STP)... This topology usually is a bit more difficult to manage.
-
I was thinking of just a single switch with 2 ports bonded together into 2 ports on the FWG that were bonded. That way, when routing between VLANs, you have that extra lane. So say you had a NAS on one VLAN and wanted to move large files from another VLAN. Something along those lines.
-
From a network design perspective, you should co-locate the NAS on the same LAN as the heaviest bandwidth user. The problem you may encounter is likely [Some PC] -> bonded interface -> Firewalla layer 3 -> same bonded interface -> your switch -> [likely bond or 5G/10G switch to NAS]. This chain is likely to be difficult to optimize...