Ethernet Switching
Contributor
Posts: 38
Registered: ‎02-11-2012
0 Kudos
Accepted Solution

MC-LAG EX9200 To Active/Standby Firewall

Hi,

We are planning to buy a new core switch (EX9208) so we have a pair of core switches. Right now we have an active/standby firewall connected to a core and there's no problem with the current topology (1 core switch); the core knows/has the standby/active/VIP MAC, so the core knows where to forward the traffic.

In the switch there's a feature, MC-LAG, that allows 1 device/switch/server to connect to a pair of core switches and have an active/active link.

My plan is to connect a pair of EX9200s using MC-LAG to that active/standby firewall. Is it possible to do active/standby with MC-LAG to a pair of core switches? Can I just configure LACP/bond in the firewall and MC-LAG in the core? Does that pair of cores know/have the active/standby/VIP MAC?

Thx.

Distinguished Expert
Posts: 4,770
Registered: ‎03-30-2009
0 Kudos

Re: MC-LAG EX9200 To Active/Standby Firewall

I believe this is the configuration example you would apply.

https://www.juniper.net/techpubs/en_US/release-independent/nce/topics/concept/mf-architecture-networ...

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 38
Registered: ‎02-11-2012
0 Kudos

Re: MC-LAG EX9200 To Active/Standby Firewall

Hi Steve,

Thanks for the reply. The firewall I use is not Juniper. I read the doc you linked; is reth the term used in SRX for LACP? Can I just use standard 802.3ad/LACP in the firewall?

Thx

Recognized Expert
Posts: 388
Registered: ‎02-13-2011
0 Kudos

Re: MC-LAG EX9200 To Active/Standby Firewall

Short answer: yes, but with MC-AE your attached device MUST be configured for and run LACP, as this is required with Juniper's MC-LAG implementation.

As for A/A and A/S, A/A config on Juniper MC-LAG means the 2 core nodes can run A/A, but can also operate with the remote device being A/S if that is the way the device operates, like most FWs. It is almost the same as an A/A remote device that has one link down/disabled. The remote A/S FW makes the core think one side is down, so the core knows to only use the one active link. This type of config is very common, with A/P server NICs being a perfect example. In this situation the core nodes are still configured A/A, but only one side actually sees any traffic; the other side is thought to be down. It will be the remote device which will determine which one link is to be active at any specific moment in time. The core knows both links can be active.

Contributor
Posts: 38
Registered: ‎02-11-2012
0 Kudos

Re: MC-LAG EX9200 To Active/Standby Firewall


rccpgm wrote:

Short answer: yes, but with MC-AE your attached device MUST be configured for and run LACP, as this is required with Juniper's MC-LAG implementation.

As for A/A and A/S, A/A config on Juniper MC-LAG means the 2 core nodes can run A/A, but can also operate with the remote device being A/S if that is the way the device operates, like most FWs. It is almost the same as an A/A remote device that has one link down/disabled. The remote A/S FW makes the core think one side is down, so the core knows to only use the one active link. This type of config is very common, with A/P server NICs being a perfect example. In this situation the core nodes are still configured A/A, but only one side actually sees any traffic; the other side is thought to be down. It will be the remote device which will determine which one link is to be active at any specific moment in time. The core knows both links can be active.

Great, it's cleared the cloudy sky for me now...