USG Flex 700 and GS1920-24HPv2 configuration help

jayd691
jayd691 Posts: 21  Freshman Member
Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula
edited April 2021 in Security
I need some assistance with the following configuration:

USG Flex 700 & GS1920-24HPv2 Switch
4 Port LAG between the two devices
3 vlans:
 - 1: Mgmt - 192.168.1.0/24 with the Flex being .1 and the GS being .2
 - 2: Bus - 192.168.10.0/24
 - 3: Guest - 192.168.50.0/24
I will be adding many more but once I have the LAG and management working I can figure it out from there

I am trying to create a 4 port lag between the Flex 700 and the GS1920 but cannot get the firewall to talk to the switch. I had set the base port for each vlan as lag1, but I am not sure if I need to give lag1 an ip address (with my current equipment, the lag does not get and address and uses the vlan router address as the gateway).

I also am not sure I have the vlans set up correctly on the switch for the port assignments and all.

If someone can help me get the basic config to work, I feel I will be able to handle the rest, but I cannot even get the management vlan working with lag.

Thank you in advance!
Tagged:

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    edited January 2021

    Hi @jayd691

     

    About LAG configuration you can refer to the following information:

     

    How to set up Link Aggregation Group (LAG)

    A Link Aggregation Group (LAG) allows you to combine a number of physical ports together to create a single high bandwidth data path. It helps to implement the traffic to perform load balancing or failover features, depending on the situation of the actual case.

     

    Set up the Active-backup, 802.3ad, Balance-alb

    Active-backup Mode:

    (Does not require switch configuration and one or multiple switches can be used.)

    Only the USG needs to be configured. You do not need to change any settings on the switch.

    On the USG, go to Configuration > Network > Interface > LAG.

    Choose the proper interface type and zone depending on the case. Also, select the slave ports that will be added in the LAG interface.


    Link Monitoring: Mii monitoring monitors the state of the local interface.

    Updelay is the time to wait to enable the slave port after the device detects the link recovery.

    Downdelay is the time to wait to disable the slave port after the device detects the link failure.


    802.3ad (LACP) Mode:

    (Both devices need to be configured. Only one switch can be used. The port speed and duplex must be the same.)


    The USG should be connected to only one switch and its settings should be the same as the switch. This utilizes all slave network interfaces in the active aggregator group according to the 802.3ad specification.

    Xmit Hash Policy:

    Xmit Hash policy: Select layer2 or layer2+3.

    Select layer 2 if the LAG interface is connect to a layer 2 subnet.

    Select layer 2+3 if the LAG interface is connect to a network with a router or a L3 switch. 

    LACP rate:

    The interval can be fast (every second) or slow (every 30 seconds).

    Balance-alb Mode:

    (Does not require configuration on the switch and one or multiple switches can be used.)


    Set up the balance-albmode.

     

    The VLAN interface is cross-connected to different switches and the link statuses on both switches are active.


    In this case, the LAG interface mode must be set to Balance-alb.

    The VLAN interface is cross-connected to different switches (fault tolerance).


    Only one link connection is up and the other is down. In this case, you will need to use the active-backup mode.


    You can find the LAG interface in the VLAN interface.

    Test the Result

    After the deployment you can see the interface status through Monitor>interface Status

    Below we are using 802.3ad LAG interface with Vlan66 for the example, unplug one of the network cable during the ping, the connection should still alive after one ping lost.



    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • jayd691
    jayd691 Posts: 21  Freshman Member
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula

    Hi Zyxel_Jeff,

    Thank you very much for the detailed information.

    I was able to set up according to my scenario and have traffic flowing, but I was told I had to set the ip address of the lag connection on the Flex 700 to the management ip address (192.168.1.1).

    I would like to leave the lag interface as the static 0.0.0.0 and set the management ip address via vlan1, and manage the equipment that way, just like you are showing in the test results.

    If I take off the ip address from the lag interface (I believe I will have to remove it first and create it again new as it requires an ip if it was created with one), and create vlan1 and select the lag port, it should work as I expect???

    I am hoping I had something wrong with the switch vlan setups when I had the lag interface on the Flex 700 set to no ip and could not pass traffic. Then I followed the instructions I was given to add an ip address to the lag on the firewall and reset the switch and it was passing traffic but I really want all the ip addresses on vlans instead of on the lag interface.

    Thank you very much. I am looking forward to getting my new setup configured and implemented.

    Jay

  • Did you ever figure this out? I have the EXACT same problem. This is a stupid design...You can't put VLANs on a LAG interface and have it pass traffic? I need to do the exact same thing and i can ONLY pass traffic if i use the untagged management ip on the lag itself...This has been possible with other vendors for over a decade...Come on Zyxel. Called and spent hours on the phone, got no call back/answers in a day, no one had an answer if this was possible...NEEDS TO BE! FIRMWARE UPDATE ASAP!
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,247  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Zyxel firewall gateway support LAG interface with VLAN tag.
    Can you describe your topology in more detail?
    Thanks.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

Security Highlight