Best way to connect my switches (should i bridge or not)

[hagak]

So the main wisdom is not to bridge unless you have not other option. However the other thought is not to cascade switches unless you need to since if the first switch fails you lose both switches.

My hardware:
XG-7100 Netgate firewall
Unifi US-16-XG Switch (16 port 10G switch)
Unifi Switch Pro 24 port POE Gen2. (has SFP+ ports)

My network supports a fairly decent size SAN that has no issues saturating 10G and my client machines regularly show saturation of the 1Gbit networks (moving critical ones to the 10G switch when possible). Note this is for a home office with just a couple of users but both users complain loudly when we have outages.

I want both switches on the same broadcast domain. I see 2 options:
1. Connect one switch to the XG-7100 SFP+ and the other switch to the first switch (cascading them)
2. Connect both switches direct to the XG-7100 via the two SFP+ ports and bridge the 2 ports.


So is there another option I am not seeing? Will the XG-7100 become a major bottleneck if I bridge the 2 ports?

 

[Mithril]

Option 3: (Assuming support, I don't know those switches specs offhand). Have the US-16XG be your "primary" switch. Connect it to your 24port POE with 2x DAC or optics and set up LACP on both switches. Connect the XG-7100 to BOTH switches after configuring 2 of its ports as a "LAGG" (under interfaces in the PFsense webui) either "failover" (set the primary as the port you connect to your US-16-XG) or "roundrobin" (LACP would require multi-chassis LACP support on the switches, which if I had to bet I would not bet that they have it, and "loadbalance" looks to not handle link failures).

Not sure how many ports of what speed your NAS has, but you may be able to set something similar with an active/backup connection and/or have the backup connection be another IP. Without buying more hardware this feels about as redundant as you are going to get. If you have issues with the XG-7100s 1g ports (the may not be individually addressable) you might be able to set up a VLAN interface in PFsense and on the 24port.

 

[hagak]

Option 3: (Assuming support, I don't know those switches specs offhand). Have the US-16XG be your "primary" switch. Connect it to your 24port POE with 2x DAC or optics and set up LACP on both switches. Connect the XG-7100 to BOTH switches after configuring 2 of its ports as a "LAGG" (under interfaces in the PFsense webui) either "failover" (set the primary as the port you connect to your US-16-XG) or "roundrobin" (LACP would require multi-chassis LACP support on the switches, which if I had to bet I would not bet that they have it, and "loadbalance" looks to not handle link failures).

Not sure how many ports of what speed your NAS has, but you may be able to set something similar with an active/backup connection and/or have the backup connection be another IP. Without buying more hardware this feels about as redundant as you are going to get. If you have issues with the XG-7100s 1g ports (the may not be individually addressable) you might be able to set up a VLAN interface in PFsense and on the 24port.

Thanks for the 3rd option and that is one i was thinking oh but was unsure if I could do this without multi-chassis LACP? I guess using failover or roundrobin would resolve that issue.

 

[Mithril]

Thanks for the 3rd option and that is one i was thinking oh but was unsure if I could do this without multi-chassis LACP? I guess using failover or roundrobin would resolve that issue.

I know PFsense supports those options software wise, not sure what options you will have with your NAS device and that might be a dealbreaker. As far as bridging goes my recollection is that it "works" for 1Gb (but not recommended) so long as the system can keep up, 10Gb would very likely bottleneck. Also *in general* it's a bit more likely for a firewall/router to need to be rebooted from time to time for software updates if nothing else. (you DO keep your firewall up to date don't you? )

 

[hagak]

of course. my NAS is a FreeNAS server.

 

[Mithril]

of course. my NAS is a FreeNAS server.

Assuming you have 2 or more interfaces then FreeNAS should also support a similar failover setup to PFsense so you should be good to go!

 

[Mithril]

Good luck and please update us with your results!

 

[hagak]

Will do, need to schedule some time to get it redone but i think your plan should work well.

 

[hagak]

Update: Implemented Mithril's suggestions and it is working great. Thanks.

Looking into having a failover NIC for the FreeNAS device. I currently have the interface LAGG across 2 DAC connections to the 10G switch. However that only protects against a port or cable failure not a switch failure or maintenance. I think I might bond a 1G NIC attached to the 1G switch and have it in failover mode so that if I lose the 10G connection I still have a connection over the 1G to FreeNAS.

 

[Mithril]

Update: Implemented Mithril's suggestions and it is working great. Thanks.

Looking into having a failover NIC for the FreeNAS device. I currently have the interface LAGG across 2 DAC connections to the 10G switch. However that only protects against a port or cable failure not a switch failure or maintenance. I think I might bond a 1G NIC attached to the 1G switch and have it in failover mode so that if I lose the 10G connection I still have a connection over the 1G to FreeNAS.

I don't think bonding is what you want there. PFsense supports a failover mode that should work well. Other than that great to hear it's working well!