Switching

  • 1.  MC-LAG EX9200 To Active/Standby Firewall

    Posted 04-21-2017 01:38

    Hi,

     

    We are planning to buy a new core switch (EX9208) so we have a pair of core switches. Right now we have the firewall active/standby connected to one core and there's no problem with the current topology (1 core switch): the core knows/has the standby/active/VIP MAC, so the core knows where to forward the traffic.

    In the switch there's a feature, MC-LAG, that allows 1 device/switch/server to connect to a pair of core switches and have an active/active link.

    My plan is to connect a pair of EX9200s using MC-LAG to that active/standby firewall. Is it possible to do active/standby with MC-LAG to a pair of core switches? Can I just config LACP/bond in the firewall and MC-LAG in the core? Does that pair of cores know/have the active/standby/VIP MAC?

     

    Thx.



  • 2.  RE: MC-LAG EX9200 To Active/Standby Firewall

    Posted 04-22-2017 08:43


  • 3.  RE: MC-LAG EX9200 To Active/Standby Firewall

    Posted 04-22-2017 22:02

    Hi Steve,

     

    Thanks for the reply. The firewall I use is not Juniper. I read the doc you linked; is reth the term used in SRX for LACP? Can I just use standard 802.3ad/LACP in the firewall?

     

    Thx



  • 4.  RE: MC-LAG EX9200 To Active/Standby Firewall
    Best Answer

     
    Posted 04-23-2017 08:02

    Short answer yes, but with MC-AE your attached device MUST be configured for and run LACP, as this is required by the Juniper MC-LAG implementation.

     

    As for A/A and A/S: A/A config on Juniper MC-LAG means the 2 Core Nodes can run A/A, but they can also operate with the remote device being A/S if that is the way the device operates, like most FWs. It is almost the same as an A/A remote device that has one link down/disabled. The remote A/S FW makes the Core think one side is down, so the Core knows to only use the one Active link. This type of config is very common, with A/P Server NICs being a perfect example. In this situation the Core Nodes are still configured A/A, but only one side actually sees any traffic; the other side is thought to be down. It will be the remote device which determines which one link is active at any specific moment in time. The Core knows both links can be Active.
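    To make the answer above concrete, here is an added example of what the core side of that design looks like in Junos set format. It is not configuration from this thread or from Juniper documentation; every interface name, address, VLAN name, ID and MAC in it is an assumption chosen for illustration. It shows the three pieces the answer relies on: an ICCP session and ICL between the two cores, and one MC-AE (ae0) that presents a single LACP partner identity to the firewall pair, with the cores in active-active mode.

```junos
# Core 1 of the EX9200 pair (chassis-id 0). Core 2 is identical except for
# chassis-id 1, status-control standby, and the swapped ICCP addresses.
# All interface names, addresses, VLAN names and IDs below are assumed.

set chassis aggregated-devices ethernet device-count 4

# ICL: the data-plane link between the cores; must carry the firewall VLAN
set interfaces xe-0/0/0 ether-options 802.3ad ae1
set interfaces ae1 description "ICL to core 2"
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members fw-transit

# ICCP: control plane between the cores, over a dedicated routed link
set interfaces xe-0/0/2 unit 0 family inet address 10.255.0.1/30
set protocols iccp local-ip-addr 10.255.0.1
set protocols iccp peer 10.255.0.2 redundancy-group-id-list 1
set protocols iccp peer 10.255.0.2 liveness-detection minimum-interval 1000
set multi-chassis multi-chassis-protection 10.255.0.2 interface ae1

# MC-AE towards the active/standby firewall pair. LACP is mandatory here.
# system-id and admin-key are the same on BOTH cores so the firewall's
# LACP sees one partner even though its two links land on two chassis.
set interfaces xe-0/0/1 ether-options 802.3ad ae0
set interfaces ae0 description "MC-AE to A/S firewall pair"
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 aggregated-ether-options lacp system-id 00:00:5e:00:01:01
set interfaces ae0 aggregated-ether-options lacp admin-key 1
set interfaces ae0 aggregated-ether-options mc-ae mc-ae-id 10
set interfaces ae0 aggregated-ether-options mc-ae redundancy-group 1
set interfaces ae0 aggregated-ether-options mc-ae chassis-id 0
set interfaces ae0 aggregated-ether-options mc-ae mode active-active
set interfaces ae0 aggregated-ether-options mc-ae status-control active
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members fw-transit

set vlans fw-transit vlan-id 100
```

    After commit, `show iccp` should show the peer session up, `show interfaces mc-ae` should show ae0 active on both cores, and `show lacp interfaces ae0` is where the A/S behaviour described above becomes visible: the member port facing the active firewall should be Collecting/Distributing, while the port facing the standby firewall is expected to sit in a non-distributing state, which is what "the Core thinks one side is down" means at the protocol level. If the standby port never leaves that state after a firewall failover, the LACP exchange with the firewall, not the MC-AE configuration, is the first thing to check.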

     



  • 5.  RE: MC-LAG EX9200 To Active/Standby Firewall

    Posted 04-23-2017 09:52

    @rccpgm wrote:

    Short answer yes, but with MC-AE your attached device MUST be configured for and run LACP, as this is required by the Juniper MC-LAG implementation.

     

    As for A/A and A/S: A/A config on Juniper MC-LAG means the 2 Core Nodes can run A/A, but they can also operate with the remote device being A/S if that is the way the device operates, like most FWs. It is almost the same as an A/A remote device that has one link down/disabled. The remote A/S FW makes the Core think one side is down, so the Core knows to only use the one Active link. This type of config is very common, with A/P Server NICs being a perfect example. In this situation the Core Nodes are still configured A/A, but only one side actually sees any traffic; the other side is thought to be down. It will be the remote device which determines which one link is active at any specific moment in time. The Core knows both links can be Active.

     


    Great, it's cleared the cloudy sky for me now...



  • 6.  RE: MC-LAG EX9200 To Active/Standby Firewall

    Posted 12-12-2018 14:38
    Hi,

    I know this is an old post, but I am facing the same issue now. What firewall do you use?

    I want to connect my MC-LAG (with VRRP) core switches to an active-standby firewall (Fortinet). My MC-LAG is active-active. Initially MC-LAG was OK: one side is active and one side is down, and ping is OK. When I test by disabling the active interface at core switch 1, the LAG interface at the other core switch becomes active, but it can't communicate with the firewall (ping). And then when I enable the interface of core switch 1 again, the LAG interface is still down while the member LAG port is up.
    Any idea for my case?

    Thanks


  • 7.  RE: MC-LAG EX9200 To Active/Standby Firewall

    Posted 01-05-2024 08:42

    Eredml,

    Did you ever resolve this problem? I'm having the same problem with MC-AE and a Fortinet in active/standby. When the Fortinet fails over, LACP does not.



    ------------------------------
    MIGUEL ZUNIGA
    ------------------------------



  • 8.  RE: MC-LAG EX9200 To Active/Standby Firewall

    Posted 01-11-2024 16:47

    Just like the other person, I know this is an old post. I won't say we have great firewalls, but we have WatchGuard firewalls that can do LACP following the IEEE specifications. So, to set it up to work properly in our active/passive (or primary/backup) firewall cluster, we created a dynamic LAG (LACP) on our firewall using two ports. This means that both the active and passive firewalls use the same LAG/LACP identifier. However, on the switch that we connect the firewalls to, we created two aggregated Ethernet interfaces, one for each firewall. This way the ports on the switch connected to Firewall #2 don't even come into play until Firewall #2 is active.

    So, if using 1 switch or 2 switches in a Virtual Chassis:

    Firewall #1 LAG 1 --> Switch ae 1

    Firewall #2 LAG 1 --> Switch ae 2 

    if using two non-virtual chassis switches:

    Firewall #1

    Firewall #2 LAG 1 --> Switch 2 ae 2

    Obviously, MC-LAG would need to be used if you want each LAG to span both switches and you aren't using a Virtual Chassis. We are not able to do that with our WatchGuards.

    Hope this helps someone.



    ------------------------------
    SEAN HASLING
    ------------------------------
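    The switch side of the "one AE per firewall" layout described in the post above, as an added example in Junos set format. It is not the poster's configuration: port names, VLAN names, descriptions and the two-member Virtual Chassis layout (FPC 0 and FPC 1) are all assumed, and the WatchGuard side, a single two-port dynamic LAG shared by both cluster members, is not shown. The point it makes concrete is that ae1 and ae2 are ordinary, independent LACP bundles; nothing on the switch ties them together, so whichever firewall is passive simply leaves its AE down.

```junos
# Switch side only. A single switch or a two-member Virtual Chassis;
# here one port from each VC member goes to each firewall so a member
# loss does not take the whole LAG with it. All names below are assumed.

set chassis aggregated-devices ethernet device-count 2

# ae1 <-- Firewall #1 LAG 1
set interfaces ge-0/0/10 ether-options 802.3ad ae1
set interfaces ge-1/0/10 ether-options 802.3ad ae1
set interfaces ae1 description "Firewall #1 LAG 1"
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members [ inside outside ]

# ae2 <-- Firewall #2 LAG 1; identical, and expected to stay down
# until Firewall #2 becomes the active cluster member
set interfaces ge-0/0/11 ether-options 802.3ad ae2
set interfaces ge-1/0/11 ether-options 802.3ad ae2
set interfaces ae2 description "Firewall #2 LAG 1"
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic fast
set interfaces ae2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae2 unit 0 family ethernet-switching vlan members [ inside outside ]

set vlans inside vlan-id 10
set vlans outside vlan-id 20
```

    `show interfaces terse | match ae` and `show lacp interfaces` are the checks: only the active firewall's AE should be up with its members Collecting/Distributing, and a cluster failover should show up as ae1 going down and ae2 coming up. Because the two AEs are independent, the one condition worth monitoring is both being up at the same time, which would mean both firewalls believe they are active and is a more useful alarm than any single link-down event.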