Solved

Dual links to offsite building

  • 8 April 2019

I have a building that we are bringing up dual links to.
The current configuration is a single fiber between both buildings carrying multiple vlans.
We are getting a wireless link to allow for fail over / redundancy.
I want to be able to use both links, and automagically fail over if one path isn't working.
If the fiber gets cut, link drops, and the switch can see that.
However, the wireless link will go over an ISP managed tower.
I have been trying to find a solution and somehow enable sharing between the buildings.
The trouble I am having is getting my switches to figure out that the second wireless link has failed somewhere along the path, and disable traffic across it.
There are going to be multiple devices across the wireless link, so my normal sharing doesn't seem to cut it.
I understand I could use a software redundant port, but if link to the wireless doesn't drop I don't think it will disable traffic across the wireless, if one of the radios quits or one of the other devices along the path quits.

Best answer by Kyle.Wingate 10 April 2019, 19:51

Here is what I have ended up doing.
On the x450a's, I created policies, and added tagged VLANs to port 23 and 24.
I created a policy to allow LACP packets through.

Policy name: lacp24.pol
entry lacp-to-port-24 {
    if {
        # 0x8809 is the Slow Protocols EtherType used by LACP
        ethernet-type 0x8809;
    } then {
        redirect-port 23;
        count port24;
    }
}

I created a second policy replacing 24 with 23 and 23 with 24 in the above policy, and named it lacp23.pol.

I applied the policies to the pass through ports:
configure access-list lacp23 ports 23 ingress
configure access-list lacp24 ports 24 ingress

I added tagged VLANs to ports 23 and 24.
configure vlan foo add ports 23-24 tagged

On the x450e's I set up sharing on ports 47 and 48.
enable sharing 1:47 grouping 1:47-48 algorithm address-based L2 lacp

I configured lacp for a short timeout.
configure sharing 1:47 lacp timeout short

I added my tagged VLANs to port 47.
configure vlan foo add ports 1:47 tagged

For testing this, I added ip addresses to vlan foo on the x450e's, ip routes, and untagged ports in the vlan.
I cabled everything up, set up my laptop on the 4th switch to ping the first, and it worked!
I did notice that I would lose a packet when pulling the cable between switch 2 and 3, and it would take about 3 seconds to remove the port from the AGG group, but that is expected.

I hope this helps those in the future, and reminds me next time I have to set this up.
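A check for what the far-end switch actually receives, as an added example that is not part of the original thread: it decodes a captured LACPDU (EtherType 0x8809, the value the policy matches) and reports the actor state bits, including the Defaulted flag a switch sets when it transmits LACPDUs but hears none back. The sample frames, MAC addresses and function names are constructed for illustration, and the offsets assume an untagged frame in the standard LACPDU layout.

```python
import struct

SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")  # LACP destination address
SLOW_PROTOCOLS_ETHERTYPE = 0x8809                   # value matched by the policy above
STATE_BITS = ("activity", "short_timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired")
TLV = "!BBH6sHHHB"  # type, length, sys priority, system, key, port priority, port, state

def decode_tlv(frame, offset, expected_type):
    """Decode an Actor (type 1) or Partner (type 2) information TLV."""
    kind, length, _, system, key, _, port, state = struct.unpack_from(TLV, frame, offset)
    if kind != expected_type or length != 20:
        raise ValueError(f"unexpected TLV {kind}/{length} at offset {offset}")
    flags = {name: bool(state >> bit & 1) for bit, name in enumerate(STATE_BITS)}
    return {"system": system.hex(":"), "key": key, "port": port, "state": flags}

def parse_lacpdu(frame):
    """Return actor/partner details for an untagged LACPDU, else None."""
    if len(frame) < 56:
        return None
    dst, _, ethertype, subtype = struct.unpack_from("!6s6sHB", frame, 0)
    if ethertype != SLOW_PROTOCOLS_ETHERTYPE or subtype != 1:  # subtype 1 = LACP
        return None
    return {"slow_protocols_dst": dst == SLOW_PROTOCOLS_MAC,
            "actor": decode_tlv(frame, 16, 1),
            "partner": decode_tlv(frame, 36, 2)}

def sender_hears_peer(pdu):
    """False when the sender runs on defaulted or expired partner data,
    i.e. it transmits LACPDUs but is not receiving any back."""
    state = pdu["actor"]["state"]
    return not (state["defaulted"] or state["expired"])

def build_sample(actor_state, partner_system, partner_state):
    """Constructed test frame; MAC addresses and key/port numbers are made up."""
    actor_system = bytes.fromhex("020000000001")
    header = SLOW_PROTOCOLS_MAC + actor_system + struct.pack("!HBB", 0x8809, 1, 1)
    actor = struct.pack(TLV + "3x", 1, 20, 0, actor_system, 47, 0, 47, actor_state)
    partner = struct.pack(TLV + "3x", 2, 20, 0, partner_system, 47, 0, 47, partner_state)
    collector = struct.pack("!BBH12x", 3, 16, 0)
    return header + actor + partner + collector + bytes(52)  # terminator TLV + reserved

HEALTHY = build_sample(0x3F, bytes.fromhex("020000000002"), 0x3F)  # in sync, short timeout
ISOLATED = build_sample(0x47, bytes(6), 0x00)                      # defaulted: TX only, no RX

if __name__ == "__main__":
    for name, frame in (("healthy", HEALTHY), ("isolated", ISOLATED)):
        pdu = parse_lacpdu(frame)
        print(name, pdu["actor"]["state"], "hears peer:", sender_hears_peer(pdu))
```
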

3 replies

Hello Kyle,

I'm not sure what you've tried since you say your "normal sharing doesn't cut it". So my reply might be "teaching your grandmother to suck eggs".

The simplest method would be to deploy a link aggregation group combining both of the links (assuming they are the same speed). Configuring these as dynamic will result in LACP PDUs being transmitted which will be used to ensure that you have end to end reachability through the multiple hops of the wireless link. You can coarsely tune the timers of LACP, by using short timers you could end up with failure detection of about 3 seconds if you have to rely on LACP timing out. This does assume that the wireless gear will pass these PDUs and not consume them, so you would need to check with your provider.

An alternative may be to run per-VLAN spanning tree, configured so that half of your VLANs have one link as the primary path and the other half have the other link as their primary.

Steve
Let me expand on how I intend on getting from my core to the ISP tower.
This would be the second link to the clinic, and link 1 is direct single mode fiber.
X670-G2 ---> X450a-24x ---> X450a-24x ---> ISP controlled Cisco Rukus connected to tower
All links will be 10 gig fiber.

I do like to keep things as simple as possible.
This is the normal sharing setup I use.
enable sharing 1:47 grouping 1:47-48 algorithm address-based L2
The trouble that I am having with this type of sharing group is that if link drops between the 450's or anywhere else along the path, sharing doesn't remove the link as an AGG member, which seems to point to it still being used.

If I add LACP to the end of the line, it does add LACP to the Agg control type, as seen below.
I can only assume that this is "dynamic"?

* Slot-1 Switch1 # sho sharing
Load Sharing Monitor
Config    Current  Agg      Ld Share   Ld Share  Agg  Link   Link Up
Master    Master   Control  Algorithm  Group     Mbr  State  Transitions
==============================================================================
1:47               LACP     L2         1:47      -    R      0
                            L2         1:48      -    R      0
==============================================================================

Right now on my test bench I have the following setup.
X450e ---> X450a ---X450a ---> X450e
What I don't see is LACP passing between the 450e's.
The 450a's would be the ones that I would use in production.
Is there a specific setting that I need to use to have the 450a's pass the LACP PDUs?
Right now I have the X450a's set up with the ports tagged on all the VLANs, just like I would normally set up a "daisy chain" type of path.
I am aware that the "show lacp counters" command shows the packets, but all I see is TX, and no RX, and it doesn't seem to add the port to the sharing group as an AGG member.
