Just like the other person, I know this is an old post. I won't say we have great firewalls, but we have WatchGuard firewalls that can do LACP that follows the IEEE specifications. So, to set it up to work properly in our active/passive (or primary/backup) firewall cluster, we created a dynamic LAG (LACP) on our firewall using two ports. This means that both the active and passive firewalls use the same LAG/LACP identifier. However, on the switch that we connect the firewalls to, we created two aggregated Ethernet interfaces for each firewall. This way the ports on the switch being connected to Firewall #2 don't even come into play until Firewall #2 is active.
So, if using 1 switch or 2 switches in a Virtual Chassis:
Firewall #1 LAG 1 --> Switch ae 1
Firewall #2 LAG 1 --> Switch ae 2
If using two non-Virtual Chassis switches:
Firewall #1
Firewall #2 LAG 1 --> Switch 2 ae 2
Obviously, MC-LAG would need to be used if you want each LAG to span both switches and you aren't using a Virtual Chassis. We are not able to do that with our WatchGuards.
Hope this helps someone.
------------------------------
SEAN HASLING
------------------------------
Original Message:
Sent: 04-21-2017 01:38
From: Erdem
Subject: MC-LAG EX9200 To Active/Standby Firewall
Hi,
We are planning to buy a new core switch (EX9208), so we have a pair of core switches. Right now we have an active/standby firewall connected to a core and there's no problem. With the current topology (1 core switch), the core knows/has the standby/active/VIP MAC, so the core knows where to forward the traffic.
In the switch there's a feature, MC-LAG, that allows 1 device/switch/server to connect to a pair of core switches and have an active/active link.
My plan is to connect a pair of EX9200 using MC-LAG to that active/standby firewall. Is it possible to do active/standby with MC-LAG to a pair of core switches? Can I just configure LACP/bond in the firewall and MC-LAG in the core? Does that pair of cores know/have the active/standby/VIP MAC?
Thx.
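The switch-side layout from the reply at the top of this thread (one LACP bundle per firewall on a single switch or Virtual Chassis), sketched as Junos set commands. This is an added example, not configuration posted by either participant; it assumes ELS-style EX syntax, and the port names, VLAN name and VLAN ID are hypothetical placeholders.

```junos
# Added illustration; interface names, VLAN name and VLAN ID are assumptions.
# device-count 3 creates ae0..ae2 so that ae1 and ae2 exist.
set chassis aggregated-devices ethernet device-count 3

# Firewall #1 LAG 1 --> Switch ae1
# One member port on each Virtual Chassis member (FPC 0 and FPC 1).
set interfaces ge-0/0/10 ether-options 802.3ad ae1
set interfaces ge-1/0/10 ether-options 802.3ad ae1
set interfaces ae1 description "Firewall #1 LAG 1"
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast

# Firewall #2 LAG 1 --> Switch ae2
# Separate bundle, so the switch never tries to aggregate ports that
# terminate on two different firewall chassis into a single LAG.
set interfaces ge-0/0/11 ether-options 802.3ad ae2
set interfaces ge-1/0/11 ether-options 802.3ad ae2
set interfaces ae2 description "Firewall #2 LAG 1"
set interfaces ae2 aggregated-ether-options lacp active
set interfaces ae2 aggregated-ether-options lacp periodic fast

# Both bundles sit in the same VLAN, so the cluster's MAC is learned on
# whichever ae currently leads to the active firewall.
set vlans FW-INSIDE vlan-id 100
set interfaces ae1 unit 0 family ethernet-switching interface-mode access
set interfaces ae1 unit 0 family ethernet-switching vlan members FW-INSIDE
set interfaces ae2 unit 0 family ethernet-switching interface-mode access
set interfaces ae2 unit 0 family ethernet-switching vlan members FW-INSIDE
```

After commit, `show lacp interfaces ae1` and `show lacp interfaces ae2` report the LACP state of each bundle's member ports.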