A link aggregation group (LAG) is used for extending the bandwidth from a single link to multiple links and provide redundancy in case of link failure. Extending the implementation of the LAG to more than a single device provides yet another level of redundancy that extends from the link level to the node level. This extrapolation of the LAG from single to multiple switches is referred to as multi-chassis link aggregation (MLAG). MLAG is supported on Ethernet blades’ internal as well as external ports.
Each switch configuration is independent and it is user responsibility to make sure to configure both switches similarly pertaining MLAG (e.g. MLAG port-channel VLAN membership, static MAC, ACL, etc).
A peered device (host or switch) connecting to switches running an MLAG runs a standard LAG and is unaware of the fact that the LAG connects to two separate switches.
The MLAG switches share an inter-peer link (IPL) between them for carrying control messages in a steady state or data packages in failure scenarios. Thus, the bandwidth of the IPL should be defined accordingly. The IPL itself can be a LAG and may be constructed of links of any supported speed. In such a case, PFC must be configured on this IPL. The figure in section ”Configuring MLAG” illustrates this. The IPL serves the following purposes:
- MLAG protocol control – keepalive messages, MAC sync, MLAG port sync, etc.
- MLAG port failure – serves redundancy in case of a fallen link on one of the MLAG switches
- Layer-3 failure – serves redundancy in case of a failed connection between the MLAG switches and the rest of the L3 network should there be one
The IPL VLAN interface must be used only for MLAG protocol and must not be used by any other interfaces (e.g. LAG, Ethernet).
Ports 21 and 22 are dedicated IPL ports for MLAG protocol on the SH2200 switch system.
The MLAG protocol is made up of the following components to be expanded later:
- Unicast and multicast sync
- MLAG port sync
When positioned at the top of rack (ToR) and connecting with a Layer-3 uplink, the MLAG pair acts as the L3 border for the hosts connected to it. To allow default gateway redundancy, both MLAG switches should be addressed by the host via the same default gateway address.
MLAG uses an IP address (VIP) that points to all MLAG member nodes.
When running MLAG as L2/L3 border point, an MAGP VIP must be deployed as the default GW for MLAG port-channels (MPOs).
When MLAG is connected through a Layer-2 based uplink, there is no need to apply default gateway redundancy towards hosts since this function is implemented on the L2/L3 border points of the network. For more information, refer to the “MAGP” page.
The two peer switches need to carry the exact same configuration of the MLAG attributes for guaranteeing proper functionality of the MLAG.
Ensuring that both switches are configured identically is the responsibility of the user and is not monitored by the OS.
MLAG is currently supported for 2 switches only.
The VIP address must be on the same management IP subnet.
All nodes in an MLAG must be of the same CPU type (e.g. x86), switch type, and must all have the same OS version installed.
When working with MLAG, the maximum number of MAC addresses is limited to 88K. Without it, there is no limitation.
When transitioning from standalone into a group or vice versa, a few seconds are required for the node state to stabilize. During that time, group feature commands (e.g. MLAG commands) should not be executed. To run group features, wait for the CLI prompt to turn into [standalone:master], [<group>:master] or [<group>:standby] instead of [standalone:*unknown*] or [<group>:*unknown*].
Each MLAG VIP group must be configured with a different unicast IP address. If not, MLAG behavior is inconsistent.
In a scenario where there is no IP communication between the MGMT ports of the MLAG switches (for example when one MGMT port is disconnected), the following CLI prompt is displayed: <hostname>[<mlag cluster name>:unknown]#. This does not reflect the MLAG state, but only the state of the cluster.
It is recommended to configure IPL interface VLAN MTU to 9K.
MLAG Keepalive and Failover
Master election in MLAG is based on the IPs of the nodes taking part of the MLAG. The master elected is that which has the highest IPL VLAN interface local IP address.
MLAG master/slave roles take effect in fault scenarios such as split-brain, peer faults, and during software upgrades.
The MLAG pair of switches periodically exchanges a keepalive message on a user configurable interval. If the keepalive message fails to arrive for three consecutive intervals the switches break into two standalone switches. In such a case, the remaining active switch begins to act as a standalone switch and assumes that its previously peering MLAG switch has failed.
To avoid a scenario where failure on the IPL causes both MLAG peers to assume that their peer has failed, a safety mechanism is maintained based on UDP packets running via the management plane which alerts both MLAG switches that its peer is alive. In such case where keepalive packets are not received the slave shuts down its MLAG interfaces and the master becomes a standalone switch in order to avoid misalignment in MLAG configuration.
Unicast and Multicast Sync
Unicast and multicast sync is a mechanism which syncs the unicast and multicast FDBs of the MLAG peers. It prevents unicast asymmetric traffic from loading the network with flood traffic and multicast traffic from being processed.
MLAG Port Sync
Under normal circumstances, traffic from the IPL cannot pass through the MLAG ports (the IPL is isolated from the MLAG ports). If one of the MLAG links break, the other MLAG switch opens that isolation and allows traffic from its peer through the IPL to flow via the MLAG port which accesses the destination of the fallen link.
MLAG Virtual System-MAC
A pair of MLAG switches uses a single virtual system MAC for L2 protocols (such as LACP) operating on the MLAG ports. This virtual system MAC is served also as the STP bridge ID.
The virtual system MAC is automatically computed based on the MLAG VIP name, but can be manually set using the command “system-mac”.
MLAG relies on systems to have the same virtual system MAC. Therefore, if a system MAC mismatch is detected, the slave shuts down its interfaces.
Upgrading MLAG Pair
Switches in the same MLAG group must have the same OS version.
When peers identify having different versions, they enter an upgrading state in which the slave peer waits for a specific period of time (according to the command “upgrade-timeout”) before closing its ports.
It is advised to plan MLAG upgrade in advance and perform it in a timely manner. Please avoid performing topology changes during the upgrade period.
For more information on MLAG upgrade, please see “Upgrading HA Groups”.
When two tiers of MLAG pairs are used, each pair should be upgraded sequentially and not in parallel to prevent traffic loops.
Interoperability with MLAG
MLAG Interoperability with L2 Protocols
MLAG inter-operates with all STP modes (RSTP, MSTP and PVRST). MLAG can be configured in a spanning tree network where the two MLAG switches function as one STP entity.
In general all static configuration must be configured identically on both peers.
|Static MAC addresses||Static MAC address are not synced between MLAG peers|
MPO supports all LACP modes (passive/active), but it is not a must. If used, their configuration must be identical on each peer.
Note: if LACP system-priority is configured on one switch, and not both, it will cause MLAG port-channels to be suspended on one switch.
VLAN membership of an MPO must be configured identically on both peers. This includes PVID, switchport mode, and tagged/untagged VLAN. VLAN static configuration such as snooping MRouter must be configured identically on both peers as well.
MPO spanning-tree configuration must be identical in both switches, and other local ports’ spanning-tree configuration must be done when those ports are down.
IGMP snooping must be activated globally on both peers. IGMP snooping attributes on the MPO must have identical configuration.
All attributes of a the MPO must be configured identically on both peers.
Not supported with MLAG
Not supported over MLAG IPL
Not supported over MLAG IPL (not supported over LAG in general)
MLAG Interoperability with L3 Protocols
Mellanox Onyx cannot route between the two MLAG switches. That is, the source and the client cannot be connected to MPOs at the same time (only one at a time).
For cases when we need to redirect the traffic, another physical link is needed which is not part of the IPL (preferably a router port) to connect the two switches.
Dynamic routing protocols (e.g. OSPF, BGP) are not supported over MPOs. If they are necessary, router ports must be used instead of MPOs.
This section provides a basic example of how to configure two switches and a server in an MLAG setup.
Configuring L2 MLAG
Enable IP routing. Run:
(Recommended) Enable LACP in the switch. Run:
Enable QoS on the switch to avoid congestion on the IPL port. Run:
Enable the MLAG protocol commands. Run:
Configuring the IPL:
Create a VLAN for the inter-peer link (IPL) to run on. Run:
Create a LAG. Run:
Map a physical port to the LAG in active mode (LACP). Run:
Set this LAG as an IPL. Run:
Enable QoS on this specific interface. Run:
Create a VLAN interface. Run:
Configure MTU to 9K. Run:
Set an IP address and netmask for the VLAN interface.
Configure IP address for the IPL link on both switches:
The IPL IP address should not be part of the management network, it could be any IP address and subnet that is not in use in the network. This address is not advertised outside the switch.
On SwitchA, run:
On SwitchB, run:
Map the VLAN interface to be used on the IPL and set the peer IP address (the IP address of the IPL port on the second switch) of the IPL peer port. IPL peer ports must be configured on the same netmask.
On SwitchA, run:
On SwitchB, run:
(Optional) Configure a virtual IP (VIP) for the MLAG. MLAG VIP is important for retrieving peer information.
If you have a mgmt0 interface, the IP address should be within the subnet of the management interface. Do not use mgmt1. The management network is used for keepalive messages between the switches. The MLAG domain must be unique name for each MLAG domain. In case you have more than one pair of MLAG switches on the same network, each domain (consist of two switches) should be configured with different name.
On SwitchA, run:
On SwitchB, run:
(Optional) Configure a virtual system MAC for the MLAG. Run:
Creating an MLAG interface:
Create an MLAG interface for the host. Run:
Bind an Ethernet port to the MLAG group. Run:
Create and enable the MLAG interface. Run:
Enable MLAG. Run:
When running MLAG as L2/L3 border point, MAGP VIP must be deployed as the default GW for MPOs. For more information, refer to “MAGP”.
Verifying MLAG Configuration
Examine MLAG configuration and status. Run:
Examine the MLAG summary table. Run:
Examine the MLAG statistics. Run:
Enabling L3 Forwarding with User VRF
If you want to use a VRF for IP routing and forwarding on an MLAG topology, it is recommended to configure an additional VLAN interface with the same user VRF context as the non-MLAG L3 interface that has to route through the same physical ports as the IPL. This would allow forwarding L3 traffic through this VLAN interface on the same ports as the IPL.
Additional Reading and Use Cases
For more information about this feature and its potential applications, please refer to the following Mellanox Community posts:
- How To Configure MLAG on Mellanox Switches