Bonded / vLAN / LACP configuration

stuartbh

ProxMoxers,

I am interested to hear how other people might have or would recommend configuring for this scenario.

I have a Cisco 3560G switch configured for several VLANs and a ProxMox server (an Intel NUC) that has two Ethernet ports on it, one built in and one connected via on-board USB3 as part of "an upgrade LID" (both are Gigabit ports).

This is the configuration of the Cisco ports I plan to test with:

interface GigabitEthernet0/21
 description NUC Ethernet port for LACP (on-board)
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 123
 switchport mode trunk
 channel-group 1 mode active
 spanning-tree portfast
end

interface GigabitEthernet0/22
 description NUC Ethernet port for LACP (USB)
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 123
 switchport mode trunk
 channel-group 1 mode active
 spanning-tree portfast
end

Let us say (for example) I have 3 vLANs:

vLAN 1 - consists only of a DSL modem plugged into a port configured as an access port on the 3560G in vLAN 1
vLAN 2 - 192.168.0.0/16 network (main network)
vLAN 3 - 10.0.0.0/8 network (test network)

pfSense is running on a one Ethernet port system with access to a trunk port on the 3560G (so it can reach all vLANs). pfSense routes betwixt vLAN 1 and vLAN 2 (I will add vLAN 3 later once I get my firewall rules ready, for now vLAN 3 is stand alone with no internet access).

I'd like to have both Ethernet ports on the NUC running LACP to the 3560G on the trunked switch ports, so if one port fails it continues to run on a single port. I still want to be able to ssh to ProxMox (presuming it would be on vLAN 2) and for the VMs to be able to be on vLAN 2 or vLAN 3 based on per VM tagging.

I could then configure and test a new VM on vLAN 3, get it right and then move it to vLAN 2 when ready to be deployed or use the VM on vLAN 3 to test other hardware or that (like having a PXE server on vLAN 3 so I could boot up other items to test them or perform data recovery on them).

Any /etc/network/interfaces configuration recommendations would be most greatly appreciated. I plan to try some of my own tests later tonight or tomorrow afternoon after work.


Stuart
 
ProxMoxers,

There is no need to respond...I ended up figuring this out! :)

On the 3560G switch I used this:

interface GigabitEthernet0/21
 description NUC Ethernet port for LACP (on-board)
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 123
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
 spanning-tree portfast

interface GigabitEthernet0/22
 description NUC Ethernet port for LACP (USB)
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 123
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
 spanning-tree portfast

Whilst my /etc/network/interfaces file looked like this (granted, I did configure it from the GUI)

# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual

auto enx000123456789
iface enx000123456789 inet manual

auto bond0
iface bond0 inet manual
    bond-slaves eno1 enx000123456789
    bond-miimon 100
    bond-mode 802.3ad

auto vmbr0
iface vmbr0 inet manual
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0.2
iface vmbr0.2 inet static
    address 192.168.1.10/16
    gateway 192.168.1.1

auto vmbr0.3
iface vmbr0.3 inet static
    address 10.168.1.10/16
    gateway 10.168.1.1

If a VM selects "vmbr0" as its interface and you leave the vlan tag empty it is a "trunked port on the VM" to a trunked port on ProxMox to a trunked port on the switch (if that makes sense). If you give the VM a vlan tag then no problem, the ProxMox vmbr0 port is vlan-aware and the switch is using a trunked port and you are on your way! Thus you can simply change a VM's vlan id from 3 to 2 and it will move from one vlan to the other.

By the way, if you install something such as pfSense into a ProxMox VM and do not give it a vlan id then it will be a trunked port facing pfSense and pfSense can route betwixt several vlans it knows about.

I hope this will be of use to someone in the future!

Stay safe, healthy, and avoid the thugs!

Stuart
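
An added example, not part of the original posts and not a Proxmox tool: a Python check over the bond, bridge and VLAN stanzas shown above. It confirms the bond runs 802.3ad, that each host VLAN interface such as vmbr0.3 falls inside the bridge's bridge-vids range, and lists every stanza that sets a gateway, since each gateway line requests a default route. The function names are made up for this example.

```python
# Hypothetical helpers; SAMPLE is constructed from the stanzas in the post above.
SAMPLE = """\
iface bond0 inet manual
    bond-slaves eno1 enx000123456789
    bond-mode 802.3ad
iface vmbr0 inet manual
    bridge-ports bond0
    bridge-vlan-aware yes
    bridge-vids 2-4094
iface vmbr0.2 inet static
    address 192.168.1.10/16
    gateway 192.168.1.1
iface vmbr0.3 inet static
    address 10.168.1.10/16
    gateway 10.168.1.1
"""

def parse(text):
    """Return {iface: {option: value}} for every 'iface' stanza."""
    ifaces, cur = {}, None
    for words in (line.split() for line in text.splitlines()):
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            cur = ifaces.setdefault(words[1], {})
        elif words[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            cur = None  # top-level keyword ends the current stanza
        elif cur is not None:
            cur[words[0]] = " ".join(words[1:])
    return ifaces

def vid_allowed(vid, spec):
    """True if vid falls in a bridge-vids value such as '2-4094' or '2 3'."""
    ranges = (part.partition("-") for part in spec.split())
    return any(int(lo) <= vid <= int(hi or lo) for lo, _, hi in ranges)

def audit(text):
    ifaces, findings = parse(text), []
    for name, opts in ifaces.items():
        if "bond-slaves" in opts and opts.get("bond-mode") != "802.3ad":
            findings.append(f"{name}: bond-mode is not 802.3ad (LACP)")
        parent, _, tag = name.partition(".")  # vmbr0.3 -> bridge vmbr0, VLAN 3
        spec = ifaces.get(parent, {}).get("bridge-vids")
        if tag.isdigit() and spec and not vid_allowed(int(tag), spec):
            findings.append(f"{name}: VLAN {tag} not in {parent} bridge-vids")
    gateways = [n for n, o in ifaces.items() if "gateway" in o]
    if len(gateways) > 1:
        findings.append("default gateway set on: " + ", ".join(gateways))
    return findings
```

Run `audit()` on the text of /etc/network/interfaces after narrowing bridge-vids, to confirm the host's own VLAN interfaces are still covered.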
 
A couple of things that stand out to me.

LACP - Normally LACP (or EtherChannels that use LACP) is set up with a minimum of 2 physical ports. Link Aggregation Control Protocol (LACP) essentially combines 2 or more physical ports into 1 logical port, so using LACP on 1 physical port doesn't gain much (if any).

Your config is not something I normally see on a Cisco switch.
Code:
interface GigabitEthernet0/21
 description NUC Ethernet port for LACP (on-board)
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 123
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
 spanning-tree portfast

If you are creating a trunk port there should be no "switchport access vlan" lines since a trunk port will carry all vlans you specify with the "switchport trunk allowed vlan x". Your native vlan would be any vlan you want to have untagged when it ingresses or egresses.

Besides that, you got it working and for your use case I won't tread it too much. Just trying to offer some constructive criticism.
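
The point about trunk ports in the reply above, as an added example (not from the thread and not a Cisco tool): a Python check over IOS-style interface stanzas that flags a leftover `switchport access vlan` line on a trunk and a trunk with no `switchport trunk allowed vlan` list. It goes one step beyond the reply by also comparing the switchport settings of channel-group members, which need to match; the function names are made up for this example.

```python
# Hypothetical helpers; SAMPLE is constructed from the posted ports (descriptions omitted).
SAMPLE = """\
interface GigabitEthernet0/21
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 123
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
interface GigabitEthernet0/22
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 123
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
"""

def stanzas(config):
    """Return {interface: [sub-command, ...]} from IOS-style config text."""
    out, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            cur = out.setdefault(line.split(None, 1)[1], [])
        elif cur is not None and line not in ("", "!", "end"):
            cur.append(line)
    return out

def audit_trunks(config):
    findings, groups = [], {}
    for name, cmds in stanzas(config).items():
        # Record each channel-group member's switchport lines for comparison.
        settings = tuple(sorted(c for c in cmds if c.startswith("switchport")))
        for c in cmds:
            if c.startswith("channel-group "):
                groups.setdefault(c.split()[1], {})[name] = settings
        if "switchport mode trunk" not in cmds:
            continue
        if any(c.startswith("switchport access vlan") for c in cmds):
            findings.append(f"{name}: 'switchport access vlan' is unused in trunk mode")
        if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
            findings.append(f"{name}: no allowed-vlan list, trunk carries every VLAN")
    for gid, members in groups.items():
        if len(set(members.values())) > 1:
            findings.append(f"channel-group {gid}: member switchport settings differ")
    return findings
```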
 
