How to trunk or LACP 2 ports on the Zywall VPN300

jjimenez Posts: 4
edited April 2021 in Security

I want to trunk 2 LAN ports on the Zywall VPN300 to a XS1920 12port switch

There's no LACP section on the zywall, and the trunk section only refers to WAN interfaces

How can I do this?

All Replies

  • PeterUK
    PeterUK Posts: 2,727  Guru Member

    If supported, you would see a LAG tab in Interface, so the VPN300 doesn't support the LAG you need; see page 29.

    You can run a static LAG by bridges but I don't think that will help you.

  • jjimenez

    Well, I guess it can't be done. I wrote an email to support just in case. Way cheaper routers from other brands allow you to trunk interfaces on the LAN side.

  • warwickt
    warwickt Posts: 111  Ally Member

    Hi jjimenez, I'm not familiar with the Zyxel xs1920 switch; however, it is an L3/L2 nBaseT switch by the looks of it.

    This might assist in some way or show others how it may be done.

    Perhaps this also should be in the SWITCHES forum

    What we did with USG110/x60's and Zyxel GS2210 L2 switches with LACP.

    However we have implemented LACP with zyxel USG110 / USG60's appliances using the zyxel GS2110 switches (24 / 28 ports) with great success.

    Here's the coarse overview of what we did to do this with 1xGbE groups of multiple NICs for these hosts.

    • FreeBSD11 appliances using Intel i350-T4V2 HBA's (LAGGn)
    • MACOS 10.12+ using various USB3/Ethernet and Thunderbolt/Ethernet adapters and various OWC Thunderbolt Docks. (BONDn)

    Assumptions about your xs1920 switch (apologies - don't know much about it)

    You have already:

    • control access from USG300VPN to xs1920
    • DHCP server relay from xs1920 to USG300VPN or similar

    Here's what we did to get LACP up and working (great BTW) - this is our LAB setup :

    ZYXEL USGxxx router:

    1. configured LAN3 as a HEAVY LIFTING with local DHCP and local DNS
    2. VLAN configured VLANxx with static IPV4 to manage administration from other LANs.
    3. specified DHCP pool and defined DHCP M.A.C. reservations (see later) used for local DNS - no OSPF

    L2/3 Switch (we use zyxel GS2210)

    1. relayed DNS router LAN1 etc. (you have this already, I assume)
    2. define a specific VLAN (i.e. "vlan95") - untag the ports
    3. noted specific PORTS in the switch for use by each HOST (up to 4 connections for each). Example host 1: port1-4, host2: ports 5-6, host3: ports 10-13, host, and so on.
    4. Leave/reserve ports 19-28 as DHCP use by anyone on VLAN95 - for example any host that wants a non-LACP/LAGG connection with a single cable - no group assigned here!.
    5. use the switch functions to GROUP each of its ports in to groups (T1, T2 etc etc) to be used by each host. (Example: host1: Group T1, host2: group T2 etc)
    6. port LACP/LAGG selection as source-destination-ip

    Here's the simple VLAN(vlan95) in the switch - uses the USG60 router for DNS, DHCP etc

    msf-gs2210-01# show vlan 95
     802.1Q VLAN ID : 95
     Name 		:heavy
     Status 	 : Static
     Elapsed Time  : 2448:17:18
     Port Information Mode
     ---------------- ----
       1       Untagged
       2       Untagged
       3       Untagged
       4       Untagged
       5       Untagged
       6       Untagged
       7       Untagged
       8       Untagged
       9       Untagged
      10       Untagged
      11       Untagged
      12       Untagged
      13       Untagged
      14       Untagged
      15       Untagged
      16       Untagged
      17       Untagged
      18       Untagged
      19       Untagged
      20       Untagged
      21       Untagged
      22       Untagged
      23       Untagged
      24       Tagged
    IP Address	Subnet Mask
    Default Gateway :

    Here's the LACP/LAGG trunk

    msf-gs2210-01# show trunk 
    Group ID T1:	active 
     Criteria : src-dst-ip
     Status: LACP
     Member number: 6	 Member:1 2 3 4 5 6 
    Group ID T2:	active 
     Criteria : src-dst-ip
     Status: LACP
     Member number: 2	 Member:9 10 
    Group ID T3:	active 
     Criteria : src-dst-ip
     Status: LACP
     Member number: 4	 Member:17 18 19 20 
    Group ID T4:	inactive 
     Criteria : src-dst-mac
     Status: -
    ---- snip snip snip snip -->>	
    ---- snip snip snip snip -->>
    Group ID T13:	inactive 
     Criteria : src-dst-mac
     Status: -
     Member number: 0	
    Group ID T14:	inactive 
     Criteria : src-dst-mac
     Status: -
     Member number: 0

    this is the LACP / LAGG set up for a couple of hosts.

    msf-gs2210-01# show lacp 
    ID: 1
    LINKS : [4]-[1]-[2]-
    SYNCS : [4]-[1]-[2]-
    ID: 2
    LINKS : [9]-[10]-
    SYNCS : [9]-[10]-
    ID: 3
    LINKS : 
    SYNCS : 
    -- SNIP SNIP SNIP -->
    -- SNIP SNIP SNIP -->
    LINKS : 
    SYNCS : 

    Subtle extras for host clients: jumbo frames, FreeBSD LAGG and macOS create BONDx

    FreeBSD -
    • pretty easy with ifconfig lagg create (etc etc) - straightforward - plenty of documentation ( example to make these NICS igb{0-3} into lagg0 )
    • if_lagg_load="YES" etc
    • jumbo frames = 9000 work great
    • DHCP RESERVATION and LOCAL DNS: will be consistent - usually assigns M.A.C as the first nic added .
    MacOS -
    • use System Preferences / Network / + / Make New Virtual Interface / + / Make New Link Aggregation or
    • else use these CLI networksetup commands: example only
    • /usr/sbin/networksetup -createBond xxxxxx etc etc
    • DHCP RESERVATION and LOCAL DNS: may be very inconsistent if macOS UI deleted and added. For consistency, we use a LaunchDaemon plist/script to always remove and re-create/add at startup (boot). It usually assigns M.A.C as the first NIC added; the USG appliance will then assign a reserved M.A.C to it, and then the local DNS works for these host interfaces.
    /usr/sbin/networksetup -createBond heavylifting en4 en5 en6 en7
    /usr/sbin/networksetup -setMTU heavylifting 9000
    /sbin/ifconfig -v bond0
    $ /sbin/ifconfig -v bond0
    bond0: flags=8843

    Lastly - performance vs availability?? FWIW

    Performance: frankly the same as a single cable (you have nBaseT so it will fly)

    Availability: with LACP/LAGG roundrobin is excellent for high transaction - else not worth doing.

    This is the basics using the L2 switch for the LACP/LAGG and NOT the USG appliance

    Our cases/application: we use this VLAN with LACP for large transfers of rich media material (composites, masters, animation etc) to:

    1. isolate other LAN from trivial transactions local and upstream
    2. explicitly use JUMBO frames for those workstations and hosts requiring large rich media transfers and READ access (FCPX etc) over GbE LAN.

    (yep maybe time to go full nBASEt lol)

    HTH, is of some help. One could write a small booklet on this lol!



    Hong Kong
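
A consistency check over the `show trunk` and `show lacp` output quoted in the post above, as an added example that is not part of the original post: it reports ports configured in an LACP group that are missing from that group's SYNCS line. It assumes SYNCS lists the member ports currently in sync with the LACP partner and that aggregator ID n corresponds to group Tn; the function names are hypothetical and the sample text is retyped from the excerpts above with the snipped groups left out.

```python
import re
# Constructed sample: retyped from the switch output in the post, snipped groups omitted.
SHOW_TRUNK = """\
Group ID T1: active
 Criteria : src-dst-ip
 Status: LACP
 Member number: 6  Member:1 2 3 4 5 6
Group ID T2: active
 Criteria : src-dst-ip
 Status: LACP
 Member number: 2  Member:9 10
Group ID T3: active
 Criteria : src-dst-ip
 Status: LACP
 Member number: 4  Member:17 18 19 20
Group ID T4: inactive
 Criteria : src-dst-mac
 Status: -
"""
SHOW_LACP = """\
ID: 1
LINKS : [4]-[1]-[2]-
SYNCS : [4]-[1]-[2]-
ID: 2
LINKS : [9]-[10]-
SYNCS : [9]-[10]-
ID: 3
LINKS :
SYNCS :
"""

def parse_trunk(text):
    """Return {group number: member ports} for groups whose Status is LACP."""
    groups = {}
    for block in text.split("Group ID T")[1:]:
        gid = re.match(r"(\d+):", block)
        members = re.search(r"Member:([\d ]*)", block)
        if gid and members and re.search(r"Status:\s*LACP\b", block):
            groups[int(gid.group(1))] = {int(p) for p in members.group(1).split()}
    return groups

def parse_lacp(text):
    """Return {aggregator ID: ports on its SYNCS line} (assumed meaning: in sync)."""
    pairs = re.findall(r"ID:\s*(\d+)\s*\n\s*LINKS[^\n]*\n\s*SYNCS\s*:([^\n]*)", text)
    return {int(i): {int(p) for p in re.findall(r"\[(\d+)\]", s)} for i, s in pairs}

def unsynced_members(trunk_text, lacp_text):
    """Ports configured in an LACP group but missing from its SYNCS line."""
    synced = parse_lacp(lacp_text)
    return {f"T{g}": sorted(p - synced.get(g, set())) for g, p in parse_trunk(trunk_text).items()}
```

Calling `unsynced_members(SHOW_TRUNK, SHOW_LACP)` on the sample flags ports 3, 5 and 6 of T1 and every member of T3, which is what you would expect for member ports with no cable or no LACP partner attached.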

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    Hi @jjimenez ,

    Welcome to Zyxel community.

    The VPN300 does not support the LAG function. For an LACP (802.3ad) scenario, it must be enabled on both sides. We will evaluate it and implement it in the future once it is confirmed.
