Ethernet Switching

MC-LAG EX9200 To Active/Standby Firewall

04-21-2017 01:38 AM

Hi,

 

We are planning to buy a new core switch (EX9208) so we will have a pair of core switches. Right now we have an active/standby firewall connected to a core and there's no problem with the current topology (1 core switch): the core knows/has the standby/active/VIP MAC, so the core knows where to forward the traffic.

In switches there's a feature, MC-LAG, that allows 1 device/switch/server to connect to a pair of core switches and have an active/active link.

My plan is to connect a pair of EX9200s using MC-LAG to that active/standby firewall. Is it possible to do active/standby with MC-LAG to a pair of core switches? Can I just config LACP/bond in the firewall and MC-LAG in the core? Will that pair of cores know/have the active/standby/VIP MAC?

 

Thx.


Re: MC-LAG EX9200 To Active/Standby Firewall

04-22-2017 08:43 AM

I believe this is the configuration example you would apply.

 

https://www.juniper.net/techpubs/en_US/release-independent/nce/topics/concept/mf-architecture-networ...

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: MC-LAG EX9200 To Active/Standby Firewall

04-22-2017 10:02 PM

Hi Steve,

 

Thanks for the reply. The firewall I use is not Juniper. I read the doc you linked; is reth the term used in SRX for LACP? Can I just use standard 802.3ad/LACP in the firewall?

 

Thx

Solution
Accepted by topic author Ibrahim Lubis
04-23-2017 09:50 AM

Re: MC-LAG EX9200 To Active/Standby Firewall

04-23-2017 08:01 AM

Short answer yes, but with MC-AE your attached device MUST be configured for and run LACP, as this is required with the Juniper MC-LAG implementation.

 

As for A/A and A/S, A/A config on Juniper MC-LAG means the 2 Core Nodes can run A/A, but can also operate with the remote device being A/S if that is the way the device operates, like most FWs. It is almost the same as an A/A remote device that has one link down/disabled. The remote A/S FW makes the Core think one side is down, so the Core knows to only use the one Active link. This type of config is very common, with A/P Server NICs being a perfect example. In this situation the Core Nodes are still configured A/A, but only one side actually sees any traffic; the other side is thought to be down. It will be the remote device which will determine which one link is to be active at any specific moment in time. The Core knows both links can be Active.
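Added example, not from any of the posters and not Juniper's published configuration: a minimal Junos set-style MC-LAG active-active configuration for one EX9200 node, showing the pieces the answer above relies on (LACP on the firewall-facing AE, identical LACP identity on both nodes, MC-AE in active-active mode, ICCP and the ICL). Interface names (xe-0/0/0 towards the firewall, ae1 as the ICL), the ICCP addresses 10.0.0.1/10.0.0.2, the LACP system-id and the VLAN are all placeholders; the second node uses the same lacp system-id and admin-key, swaps the ICCP local/peer addresses, and uses chassis-id 1 with status-control standby.

```junos
## Node 1 of the EX9200 MC-LAG pair. Placeholder names and addresses;
## node 2 mirrors this with the per-node changes noted in the comments.

## LACP is mandatory for MC-AE: the firewall runs 802.3ad/LACP on its bond,
## and BOTH core nodes present the same system-id and admin-key so the
## firewall sees a single LACP partner across the two chassis.
set chassis aggregated-devices ethernet device-count 2
set interfaces xe-0/0/0 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp system-id 00:00:00:00:00:01
set interfaces ae0 aggregated-ether-options lacp admin-key 1

## MC-AE parameters. chassis-id and status-control differ per node
## (node 2: chassis-id 1, status-control standby). Mode stays active-active
## even though an A/S firewall only ever brings up one of the two links;
## the core simply sees the standby member as not distributing.
set interfaces ae0 aggregated-ether-options mc-ae mc-ae-id 1
set interfaces ae0 aggregated-ether-options mc-ae redundancy-group 1
set interfaces ae0 aggregated-ether-options mc-ae chassis-id 0
set interfaces ae0 aggregated-ether-options mc-ae mode active-active
set interfaces ae0 aggregated-ether-options mc-ae status-control active
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members fw-transit

## Inter-chassis link (ICL) carrying the same VLAN, so traffic that lands on
## the node without the firewall's active link can cross to the other node.
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members fw-transit
set vlans fw-transit vlan-id 100

## ICCP between the two core nodes (node 2 swaps local and peer addresses).
set protocols iccp local-ip-addr 10.0.0.1
set protocols iccp peer 10.0.0.2 redundancy-group-id-list 1
set protocols iccp peer 10.0.0.2 liveness-detection minimum-interval 1000

## Tie the MC-AE protection to the ICL and give the switch its service-id.
set multi-chassis multi-chassis-protection 10.0.0.2 interface ae1
set switch-options service-id 1
```

The point the configuration makes concrete: nothing on the core side is told which firewall member is active. The firewall's standby bond member never reaches the LACP Collecting/Distributing state, so that member of ae0 stays out of the distribution set on whichever node it lands on, and a failover is just the firewall bringing LACP up on the other link.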

 


Re: MC-LAG EX9200 To Active/Standby Firewall

04-23-2017 09:52 AM

@rccpgm wrote:

Short answer yes, but with MC-AE your attached device MUST be configured for and run LACP, as this is required with the Juniper MC-LAG implementation.

 

As for A/A and A/S, A/A config on Juniper MC-LAG means the 2 Core Nodes can run A/A, but can also operate with the remote device being A/S if that is the way the device operates, like most FWs. It is almost the same as an A/A remote device that has one link down/disabled. The remote A/S FW makes the Core think one side is down, so the Core knows to only use the one Active link. This type of config is very common, with A/P Server NICs being a perfect example. In this situation the Core Nodes are still configured A/A, but only one side actually sees any traffic; the other side is thought to be down. It will be the remote device which will determine which one link is to be active at any specific moment in time. The Core knows both links can be Active.

 


Great, it clears the cloudy sky for me now...


Re: MC-LAG EX9200 To Active/Standby Firewall

12-12-2018 02:38 PM

Hi,

I know this is an old post, but I am facing the same issue now. What firewall do you use?

I want to connect my MC-LAG (with VRRP) core switches to an active-standby firewall (Fortinet). My MC-LAG is active-active. Initially the MC-LAG was OK: one side was active and one side was down, and ping was OK. When I tested disabling the active interface at core switch 1, the LAG interface at the other core switch became active, but it couldn't communicate with the firewall (ping). Then when I re-enabled the interface on core switch 1, the LAG interface stayed down while the member LAG port was up.
Any idea for my case?

Thanks
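Added checklist, not from any poster in this thread: the Junos operational commands to run on each core node when an AE member port shows up but the AE itself stays down. On a LACP-enabled AE the bundle only comes up once at least one member has negotiated to the Collecting/Distributing state with the partner, so a physical link that is up with the AE down means LACP has not converged on that member, which is exactly what an A/S firewall's standby link looks like by design. The interface name ae0 and the redundancy group are placeholders matching nothing in the posters' configurations.

```junos
## Run on both core nodes and compare. ae0 is a placeholder for the
## firewall-facing MC-AE bundle.

## MC-AE view: Local Status / Peer Status per node, and whether the ICL
## protection link (ICL-PL) is up. A peer shown as down here while its
## physical links are fine points at ICCP or the ICL, not at the firewall.
show interfaces mc-ae

## ICCP session to the peer node: look for an Established TCP connection
## and liveness detection Up. Without ICCP the two nodes cannot agree on
## which member links are in the bundle.
show iccp

## LACP state per member: the actor and partner flags should show Sync,
## Collecting and Distributing on the link the firewall treats as active;
## the standby link is expected to lack them. Confirm the partner system-id
## reported on BOTH nodes is the same firewall identity, and that each
## node's own actor system-id and admin-key match the other node's, since
## a mismatch makes the firewall see two different partners.
show lacp interfaces ae0

## LACP PDU counters: if receive counters stay flat on a member the
## firewall is not transmitting LACP on that port at all, which keeps the
## member out of the bundle regardless of its physical link state.
show lacp statistics interfaces ae0

## Physical vs. logical state side by side for the bundle and its members.
show interfaces ae0 terse
```

Reading the output side by side on both nodes separates the three distinct failure points in such a design: the firewall not running (or not restarting) LACP on the member, the two core nodes not presenting one LACP identity, and the ICCP/ICL path between the cores being down.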