  • 1.  Two Firewalls going to core switch

    Posted Jan 27, 2020 10:54 PM

    Hi.

    Is it possible to have two different firewalls going to a LACP trunk port?

     



  • 2.  RE: Two Firewalls going to core switch

    Posted Jan 28, 2020 12:21 AM

    What you are looking for is called multi-chassis EtherChannel. While it is commonly supported on switches (VSF for Aruba switches, VSS for Cisco Catalyst and vPC in Nexus), I don't think any firewall supports that.

    Short answer: it will depend on the firewall's capability, if it supports that.



  • 3.  RE: Two Firewalls going to core switch

    Posted Jan 28, 2020 01:59 AM
    Hi, your question is not clear... If your planned design is: two firewalls, one link on each firewall, one Port Trunk (with LACP) on the switch side, and the links coming from the firewalls land on the same Port Trunk... the answer is NO, no matter whether the switch side is deployed as VSX, VSF, standalone or DT.

    The point is that Port Trunks are co-terminus (VSX helps here because, from the peer's standpoint, it supports and provides Multi-Chassis Links), and thus the uplinks egressing the switch on the Port Trunk logical interface must terminate on a single physical switch or against a virtual switch.

    Maybe you are dealing with a "Virtual Firewall" made of two clustered physical members? If so... maybe.


  • 4.  RE: Two Firewalls going to core switch

    Posted Feb 29, 2020 01:04 PM

    Hi,

    If your two firewalls are in a cluster or HA, or primary and secondary, then you can do LACP from the VSF switch to the two firewalls, in that one link goes to the primary node/firewall and one you can terminate on the secondary firewall.

    And it's something like Aruba Distributed Trunk or MC-LAG (other vendors).

     

    Best Regards,

    Suresh
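
Added example, not part of the thread: a small Python model of the LACP rule behind replies 3 and 4, namely that a switch only bundles links whose received LACPDUs carry the same partner system ID and key. The port names, system IDs and keys are constructed, the tie-break is a simplification, and the clustered case assumes the firewall pair advertises one shared system ID, which depends on the firewall.

```python
from collections import defaultdict
from typing import NamedTuple


class Lacpdu(NamedTuple):
    """Partner fields a switch learns from a received LACPDU."""
    local_port: str
    partner_system_id: str  # system priority + MAC advertised by the peer
    partner_key: int        # peer's operational key for that link


def group_links(pdus):
    """Group local ports by (partner system ID, partner key)."""
    groups = defaultdict(list)
    for pdu in pdus:
        groups[(pdu.partner_system_id, pdu.partner_key)].append(pdu.local_port)
    return dict(groups)


def trunk_members(pdus):
    """Ports that can be active together in one trunk.

    Only one partner can own the trunk, so pick the largest group;
    ties go to the group holding the lowest port name (simplification).
    """
    groups = group_links(pdus).values()
    best = min(groups, key=lambda ports: (-len(ports), min(ports)))
    return sorted(best)


def excluded_ports(pdus):
    """Ports configured in the trunk that cannot join the active bundle."""
    active = set(trunk_members(pdus))
    return sorted(p.local_port for p in pdus if p.local_port not in active)


# Constructed sample data: two independent firewalls, one link each.
TWO_INDEPENDENT = [
    Lacpdu("1/1/1", "8000-aa:aa:aa:00:00:01", 10),
    Lacpdu("2/1/1", "8000-bb:bb:bb:00:00:02", 10),
]
# Constructed sample data: a cluster assumed to advertise one system ID.
CLUSTERED = [
    Lacpdu("1/1/1", "8000-cc:cc:cc:00:00:03", 10),
    Lacpdu("2/1/1", "8000-cc:cc:cc:00:00:03", 10),
]

if __name__ == "__main__":
    for name, pdus in (("independent", TWO_INDEPENDENT), ("clustered", CLUSTERED)):
        print(name, "active:", trunk_members(pdus), "excluded:", excluded_ports(pdus))
```

With two independent firewalls one of the two links is left out of the bundle, so the trunk gives neither redundancy nor extra bandwidth toward the second firewall.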