Wired Intelligent Edge


8320's Multiple MLAG's to Active/Passive Firewalls

  • 1.  8320's Multiple MLAG's to Active/Passive Firewalls

    Posted Oct 04, 2021 01:59 PM

    Hi All,

    I'm looking for some serious help configuring our new switches, I fear I'm either in over my head, or, it's not possible to do what I'm envisioning for this deployment.  I've read the AOS-CX Multi Chassis Link Aggregation Guide and I've seen the posts referring to Page 104 of the "VSX Configuration Best Practices for Aruba CX 6400, 8320, 8325, 8360, 8400", as well as the "VSX Stack to firewall" community post here, but I just can't seem to get it right.

    I will pose the questions first, so whilst you're reading you can determine just how far off base or crazy I am...

    1) Is implementing multiple MLAG's for different network segments between the Firewalls & Aruba 8320's possible?

    2) Is implementing multiple MLAG's for different network segments between the Firewalls & Aruba 8320's the recommended way to accomplish what we need?

    2a) If so, is there anyone out there that can help me from darn near the ground up get going in the right direction?

    2b) If not, what is the best way to accomplish this with 8320's, and, can someone help get these up and running?


    With all that said, on to the issue...

    Currently we have a pair of FortiGate 800C's and a pair of HPE Flex Fabric 5700's (JG898A) in place, which we are replacing with a pair of FortiGate 1801F's and a pair of Aruba 8320's.  I'm having an issue both conceptually and literally implementing the MLAG between the Active/Passive Firewalls & Switches.

    Currently we have the old school A Side / B Side failover where if one piece of gear in the "A" stack fails, pretty much everything just shifts over to the "B" stack.  I'd like to change that to what I "believe" is the better solution and use VSX (MLAG) between the 8320's & FW's.

    To be completely honest, I'm not sure of the best way to implement the new gear, so I may be way off base.  I am at the point, due to extreme frustration and a severe time constraint, where I am ready to bail and just mirror the current A/B topology, but I'm hoping someone here can help me so it doesn't come to that.

    Oversimplified, here is what I am trying to do:
    The ultimate config though needs to have multiple MLAG's for each "segment" of our network (Mgmt LAN, Private LAN, DMZ LAN, DMZ-DB LAN, and Public WAN).


    I haven't been able to confidently implement the first diagram, let alone the second.  I did have a configuration with 4 MLAG's (2 to each firewall – Mgmt LAN / Private LAN) setup, and was able to get traffic to traverse the switches and firewalls, and failover, but certain things just didn't "seem" right.  Traffic would traverse between two external devices, but the 8320's themselves couldn't ping anything, and neither could the firewalls.


    Two more little tidbits.  First, our current switches handle the routing for traffic between certain segments so the traffic does not need to flow through the firewall.  Second, there is a stack of 3810M's that needs to sit downstream of the 8320's and have all the different network segments available there as well.

    I know this was a tough read, and for anyone that has made it this far, I greatly appreciate your time!  As I mentioned before, I am under a severe time constraint, so if anyone out there can at least tell me with some certainty that Multiple MLAG's is the way to go or not, that would be a huge place to start.


    Thank you all very much for your time!!!



    ------------------------------
    Clint
    ------------------------------


  • 2.  RE: 8320's Multiple MLAG's to Active/Passive Firewalls

    Posted Oct 05, 2021 02:37 AM

    Hi Clint,

    If user traffic works, I guess the mc-lag should work as intended.
    I do not have a 8320, but several 8325 as VSX pairs.

    Using one mc-lag or multiple mc-lag is just a design decision. 
    We do have several Links but with upgrading our (checkpoint) firewall we will switch to a single mc-lag with 25G Interfaces to simplify the cabling.

    Do you have routed connections between firewall and switch, or do you just extend your VLANs to the firewall being the "central/core" of your network?
    Just to verify... Because you wrote: "First, our current switches handle the routing for traffic between certain segments so the traffic does not need to flow through the firewall."

    Perhaps you can share your VSX and MC-LAG configuration.

    If you are using routed interfaces or transfer VLANs, perhaps you have to add the used IP networks to your firewall security rules.
    When pinging from the switch, please check if you are using the right VRF and source interface.
    Please also check if ICMP is allowed in your firewall configuration (or firewall interface configuration); sometimes firewalls do not allow ping or other traffic to their interfaces, as they are not Management.

    Kind Regards

    Robert

    EDIT:

    Our firewall cluster connects to two different VSX Pairs. Firewall Room A to VSX Pair Room A and Firewall Room B to VSX Pair Room B.
    So it is a little different from your network diagram.

    I would share a network-diagram, but I couldn't. 'Cause the picture upload seems not to work.


    ------------------------------
    Robert Großmann
    ------------------------------



  • 3.  RE: 8320's Multiple MLAG's to Active/Passive Firewalls

    Posted Oct 05, 2021 04:05 AM
    Few points:
    - what you try to achieve (as far as I can understand without the configuration) is perfectly possible and done by other people.
    - for the routing aspect, if your FW does not support ECMP, you may use the recommendation of the VSX best practice (p104):
    https://support.hpe.com/hpsc/doc/public/display?docId=a00094242en_us
    - the choice between 4 links in one big MCLAG (Aruba name is VSX LAG) or 2 MCLAGs of 2 links each really depends on the MCLAG ability of the FW as well, if you target active/active. For active/standby, some FW vendors have also a capability for pre-negotiating LLDP and LACP on standby. In such a case, it might be recommended to have one VSX LAG per FW. Otherwise, having 1 single MCLAG with 4 links is fine: 2 links will appear with LACP-block, as the standby FW will not send LACPDU and will not negotiate. 
    - I recommend turning off ip icmp redirect on VSX primary and secondary (no ip icmp redirect)
    - what AOS-CX version?

    ------------------------------
    Vincent Giles
    ------------------------------



  • 4.  RE: 8320's Multiple MLAG's to Active/Passive Firewalls

    Posted Oct 05, 2021 06:30 AM
    Hi Vincent, as usual what you wrote must be read very carefully since it's always quite important and clarifying, so let me just ask you for a clarification since I have a doubt (my case is going to be an Active/Standby scenario and I planned the two VSX LAGs approach before reading about the capabilities you cited above).

    When you wrote:

    "For active/standby, some FW vendors have also a capability for pre-negotiating LLDP and LACP on standby. In such a case, it might be recommended to have one VSX LAG per FW."

    I understand that the capabilities for pre-negotiating LLDP and LACP on the Standby you're referring to (in an Active/Standby Firewall scenario, I add) are not necessarily mandatory requirements permitting us to work with just one VSX LAG made of physical links coming from both Firewall nodes (those nodes should indeed support these capabilities and they also should act as a single logical virtualized device as per LAG forming requirements), so in their absence one can still try the single VSX LAG approach targeting both Firewall nodes.

    It's to understand that in the presence of an Active/Standby Firewall scenario - pre-negotiating LLDP and LACP capabilities or not, in any case - that scenario will force us to work with separate VSX LAGs in any case (and each VSX LAG will receive physical links coming from a Firewall node, not from both nodes), in contrast with the alternative Active/Active Firewall scenario where instead a single VSX LAG could be used or not (and, if it is used, that VSX LAG will receive physical links coming from both Firewall nodes in a concurrent fashion).

    "Otherwise, having 1 single MCLAG with 4 links is fine: 2 links will appear with LACP-block, as the standby FW will not send LACPDU and will not negotiate."

    Given this last sentence it seems that - in case of no capability for pre-negotiating LLDP and LACP on the Standby Firewall node - we can still try the single VSX LAG approach (as per Active/Active Firewall scenario) BUT we should expect that half of the physical member links of the VSX LAG will appear in LACP-Block state (the Standby Firewall node will indeed not send LACPDU).

    Am I correct or wrong? That's very interesting!

    ------------------------------
    Davide Poletto
    ------------------------------



  • 5.  RE: 8320's Multiple MLAG's to Active/Passive Firewalls

    Posted Oct 05, 2021 11:38 AM
    Robert - I went with the multiple MC-LAG's primarily to keep things as close as possible to the current config, for the most part meaning keep it "simple", and our firewall rules are based on ports, not VLANs.  I have a very limited maintenance window this weekend to get everything installed, and I didn't want to worry about having to re-configure everything else to fit a new topology.  Because we are splitting everything into separate MC-LAGs, the firewall has no idea about any of the VLANs; all our rules are port based/physically separate.

    I am finding that may be a poor way to go for the long run; we seem to be at the point where we have crossed over, and trying to keep everything physically separated (port based rules) is actually becoming more complex than using fewer, but larger, MC-LAGs with VLANs. Unfortunately, converting to that methodology would have to be a separate project, I do not have that large of a window this weekend.


    Vincent – Our firewalls do support ECMP for Static Routing, OSPF, & BGP, but I fear that is getting a bit outside my comfort zone; once you get away from basic static routing, I have almost zero experience.  I have looked at page 104 of the VSX best practice, in fact that's what drove me to where I am today with the configs.

    I am extremely intrigued by your statement:
    "having 1 single MCLAG with 4 links is fine: 2 links will appear with LACP-block, as the standby FW will not send LACPDU and will not negotiate"

    That was my original config, and traffic was traversing the links as expected, including when I failed over the firewalls, and I thought I was good to go at that point.  But, Aruba TAC stated that would not work as expected and might not failover as expected at times, my guess is due to the LACP-Block State those ports would be in.  So the question becomes, what are the pros & cons of each?  Obviously 4 cables in a single MC-LAG together greatly simplifies the config, but 2 separate "2 cable" MC-LAGs appears to be the more supported config.

    I'm curious, why the "no ip icmp redirect"?  I've had it both ways and I can't quite determine the difference.  I know I need to wrap my head around the active forwarding & active gateways better, and is it even necessary for what I'm trying to do?

    I will post the configs as they are today in a few minutes.  I'm sure there's plenty wrong with them, so my apologies in advance if they are way off base.

    Thank you all for your help so far, you have all been most gracious with your time and it is greatly appreciated!!!

    ------------------------------
    Clint
    ------------------------------



  • 6.  RE: 8320's Multiple MLAG's to Active/Passive Firewalls

    Posted Oct 05, 2021 11:54 AM
    I forgot to answer one of the questions asked, the version is ArubaOS-CX TL.10.08.0001

    Here are the configs as of today, and most things so far are acting as expected. There are a few routing issues; I need to look at loop protection and other house cleaning items, but I feel much better today about this than I did yesterday, that's for sure!

    Side Note - I'm guessing I don't need all the MC-LAGs in both the Primary & Secondary configs, only the ones specific to each switch; it was more of a cut-and-paste thing than anything else.

    ------------------------------------------------------------------------------------------
    8320 - Primary
    ------------------------------------------------------------------------------------------
    !
    !Version ArubaOS-CX TL.10.08.0001
    !export-password: default
    hostname Swt-8320-01
    profile L3-core
    vrf KeepAlive
    vrf VRF100
    vrf VRF101
    vrf VRF202
    vrf VRF212
    vrf VRF217
    vrf VRF250
    ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst
    ntp enable
    ntp vrf mgmt
    cli-session
        timeout 0
    !
    !
    !
    !
    !
    aruba-central
        disable
    ssh server vrf default
    ssh server vrf mgmt
    vlan 1
    vlan 100
        name Mgmt VLAN
        vsx-sync
        description Mgmt VLAN - VLAN 100
    vlan 101
        name Private VLAN
        vsx-sync
        description Private VLAN - VLAN 101
    vlan 202
        name DMZ VLAN
        vsx-sync
        description DMZ VLAN - VLAN 202
    vlan 212
        name DMZ-LB VLAN
        vsx-sync
        description DMZ-LB VLAN - VLAN 212
    vlan 217
        name Corp217 VLAN
        vsx-sync
        description Corp 217 VLAN - VLAN 217
    vlan 250
        name Public VLAN
        vsx-sync
        description Public VLAN - VLAN 250
    interface mgmt
        no shutdown
        ip static 10.10.0.2/24
        default-gateway 10.10.0.254
        nameserver 10.1.1.20 10.1.1.21
    interface lag 99 multi-chassis
        no shutdown
        description Mgmt/MLAG 99 - Swt-8320-02 <-> FW-02
        no routing
        vlan trunk native 100
        vlan trunk allowed 100
        lacp mode active
        lacp rate fast
    interface lag 100 multi-chassis
        no shutdown
        description Mgmt/MLAG 100 - Swt-8320-01 <-> FW-01
        no routing
        vlan trunk native 100
        vlan trunk allowed 100
        lacp mode active
        lacp rate fast
    interface lag 101 multi-chassis
        no shutdown
        description Private/MLAG 101 - Swt-8320-01 <-> FW-01
        no routing
        vlan trunk native 101
        vlan trunk allowed 101
        lacp mode active
        lacp rate fast
    interface lag 102 multi-chassis
        no shutdown
        description Private/MLAG 102 - Swt-8320-02 <-> FW-02
        no routing
        vlan trunk native 101
        vlan trunk allowed 101
        lacp mode active
        lacp rate fast
    interface lag 143 multi-chassis
        no shutdown
        description Switch Trunk/MLAG 143 - Swt-8320-02 <-> 3810M
        no routing
        vlan trunk native 1
        vlan trunk allowed all
        lacp mode active
        lacp rate fast
    interface lag 144 multi-chassis
        no shutdown
        description Switch Trunk/MLAG 144 - Swt-8320-01 <-> 3810M
        no routing
        vlan trunk native 1
        vlan trunk allowed all
        lacp mode active
        lacp rate fast
    interface lag 202 multi-chassis
        no shutdown
        description DMZ/MLAG 202 - Swt-8320-01 <-> FW-01
        no routing
        vlan trunk native 202
        vlan trunk allowed 202
        lacp mode active
        lacp rate fast
    interface lag 203 multi-chassis
        no shutdown
        description DMZ/MLAG 203 - Swt-8320-02 <-> FW-02
        no routing
        vlan trunk native 202
        vlan trunk allowed 202
        lacp mode active
        lacp rate fast
    interface lag 212 multi-chassis
        no shutdown
        description DMZ-LB/MLAG 212 - Swt-8320-01 <-> FW-01
        no routing
        vlan trunk native 212
        vlan trunk allowed 212
        lacp mode active
        lacp rate fast
    interface lag 213 multi-chassis
        no shutdown
        description DMZ-LB/MLAG 213 - Swt-8320-02 <-> FW-02
        no routing
        vlan trunk native 212
        vlan trunk allowed 212
        lacp mode active
        lacp rate fast
    interface lag 217 multi-chassis
        no shutdown
        description Corp217/MLAG 217 - Swt-8320-01 <-> FW-01
        no routing
        vlan trunk native 217
        vlan trunk allowed 217
        lacp mode active
        lacp rate fast
    interface lag 218 multi-chassis
        no shutdown
        description Corp217/MLAG 217 - Swt-8320-02 <-> FW-02
        no routing
        vlan trunk native 217
        vlan trunk allowed 217
        lacp mode active
        lacp rate fast
    interface lag 250 multi-chassis
        no shutdown
        description Public/MLAG 250 - Swt-8320-01 <-> FW-01
        no routing
        vlan trunk native 250
        vlan trunk allowed 250
        lacp mode active
        lacp rate fast
    interface lag 251 multi-chassis
        no shutdown
        description Public/MLAG 251 - Swt-8320-02 <-> FW-02
        no routing
        vlan trunk native 250
        vlan trunk allowed 250
        lacp mode active
        lacp rate fast
    interface lag 256
        no shutdown
        description VSX-ISL-LAG/MLAG 256 - Swt-8320-01 <-> Swt-8320-02
        no routing
        vlan trunk native 1
        vlan trunk allowed all
        lacp mode active
        lacp rate fast
    interface 1/1/26
        no shutdown
        description *** VLAN 100 Test Port ***
        no routing
        vlan access 100
    interface 1/1/35
        no shutdown
        description Public/MLAG 250 - Swt-8320-01 <-> FW-01
        lag 250
    interface 1/1/36
        no shutdown
        description Public/MLAG 250 - Swt-8320-01 <-> FW-02
        lag 250
    interface 1/1/37
        no shutdown
        description DMZ/MLAG 202 - Swt-8320-01 <-> FW-01
        lag 202
    interface 1/1/38
        no shutdown
        description DMZ/MLAG 202 - Swt-8320-01 <-> FW-02
        lag 202
    interface 1/1/39
        no shutdown
        description DMZ-LB/MLAG 212 - Swt-8320-01 <-> FW-01
        lag 212
    interface 1/1/40
        no shutdown
        description DMZ-LB/MLAG 212 - Swt-8320-01 <-> FW-02
        lag 212
    interface 1/1/41
        no shutdown
        description Corp217/MLAG 217 - Swt-8320-01 <-> FW-01
        lag 217
    interface 1/1/42
        no shutdown
        description Corp217/MLAG 217 - Swt-8320-01 <-> FW-02
        lag 217
    interface 1/1/43
        no shutdown
        description Mgmt/MLAG 100 - Swt-8320-01 <-> FW-01
        lag 100
    interface 1/1/44
        no shutdown
        description Mgmt/MLAG 100 - Swt-8320-01 <-> FW-02
        lag 100
    interface 1/1/45
        no shutdown
        description Switch Trunk/MLAG 143 - Swt-8320-01 <-> 3810M
        lag 143
    interface 1/1/46
        no shutdown
        description Switch Trunk/MLAG 143 - Swt-8320-01 <-> 3810M
        lag 143
    interface 1/1/48
        no shutdown
        vrf attach KeepAlive
        description VSX-ISL-KeepAlive-Link
        ip address 192.168.168.1/24
    interface 1/1/51
        no shutdown
        description VSX-ISL-LAG/MLAG 256 - Swt-8320-01 <-> Swt-8320-02
        lag 256
    interface 1/1/52
        no shutdown
        description Private/MLAG 101 - Swt-8320-01 <-> FW-01
        lag 101
    interface 1/1/53
        no shutdown
        description Private/MLAG 101 - Swt-8320-01 <-> FW-02
        lag 101
    interface 1/1/54
        no shutdown
        description VSX-ISL-LAG/MLAG 256 - Swt-8320-01 <-> Swt-8320-02
        lag 256
    interface vlan 100
        vsx-sync active-gateways
        vrf attach VRF100
        description Mgmt VLAN - VLAN 100
        ip address 10.10.0.1/24
        active-gateway ip mac 02:01:00:00:01:01
        active-gateway ip 10.10.0.254
    interface vlan 101
        vsx-sync active-gateways
        vrf attach VRF101
        description Private VLAN - VLAN 101
        ip address 10.10.1.1/24
        active-gateway ip mac 02:01:00:00:01:02
        active-gateway ip 10.10.1.254
    interface vlan 202
        vsx-sync active-gateways
        vrf attach VRF202
        description DMZ VLAN - VLAN 202
        ip address 10.20.20.1/24
        active-gateway ip mac 02:01:00:00:01:03
        active-gateway ip 10.20.20.254
    interface vlan 212
        vsx-sync active-gateways
        vrf attach VRF212
        description DMZ-LB VLAN - VLAN 212
        ip address 10.21.21.254/24
        active-gateway ip mac 02:01:00:00:01:04
        active-gateway ip 10.21.21.1
    interface vlan 217
        vsx-sync active-gateways
        vrf attach VRF217
        description Corp 217 VLAN - VLAN 217
        ip address 10.10.217.1/24
        active-gateway ip mac 02:01:00:00:01:05
        active-gateway ip 10.10.217.254
    interface vlan 250
        vsx-sync active-gateways
        vrf attach VRF250
        description Public VLAN - VLAN 250
        ip address 10.20.20.1/24
        active-gateway ip mac 02:01:00:00:01:06
        active-gateway ip 10.20.20.254
    vsx
        system-mac 02:01:00:00:01:00
        inter-switch-link lag 256
        role primary
        keepalive peer 192.168.168.2 source 192.168.168.1 vrf KeepAlive
        linkup-delay-timer 30
        vsx-sync copp-policy dhcp-relay dns icmp-tcp
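    A sanity check, added here as an example (not from the thread and not an Aruba tool), that could be run over a running-config like the one posted above before the maintenance window: it flags LAGs with no member ports on this chassis (the copy-and-paste point in the side note), physical ports whose description names a different firewall than the LAG they belong to (several ports in the posted config, such as 1/1/38, are labelled FW-02 while their LAG is labelled FW-01), and two SVIs sharing a subnet (VLAN 202 and VLAN 250 both carry 10.20.20.0/24, which is legal across VRFs but worth confirming). It assumes the AOS-CX config layout shown above; the embedded sample is a constructed excerpt of that config.

```python
import re
import ipaddress
from collections import defaultdict
# Constructed excerpt of the running-config posted above, trimmed to what the checks need.
SAMPLE_CONFIG = """\
interface lag 99 multi-chassis
    description Mgmt/MLAG 99 - Swt-8320-02 <-> FW-02
interface lag 202 multi-chassis
    description DMZ/MLAG 202 - Swt-8320-01 <-> FW-01
interface 1/1/37
    description DMZ/MLAG 202 - Swt-8320-01 <-> FW-01
    lag 202
interface 1/1/38
    description DMZ/MLAG 202 - Swt-8320-01 <-> FW-02
    lag 202
interface vlan 202
    vrf attach VRF202
    ip address 10.20.20.1/24
interface vlan 250
    vrf attach VRF250
    ip address 10.20.20.1/24
"""
def parse_blocks(text):
    # Split an AOS-CX config into (header, [indented child lines]) blocks.
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        elif not line[0].isspace():
            blocks.append((line.strip(), []))
    return blocks
def child(body, prefix, default=""):
    # Remainder of the first child line that starts with prefix.
    return next((c[len(prefix):] for c in body if c.startswith(prefix)), default)
def peer(desc):
    # Far-end device named after '<->' in a port or LAG description, e.g. FW-01.
    return desc.split("<->")[-1].strip()
def lint(text):
    # Warnings for empty LAGs, mislabelled cabling and duplicate SVI subnets.
    lags, members, svis = {}, defaultdict(list), []
    for header, body in parse_blocks(text):
        if m := re.match(r"interface lag (\d+)", header):
            lags[m[1]] = child(body, "description ")
        elif m := re.match(r"interface vlan (\d+)", header):
            if addr := child(body, "ip address "):
                net = ipaddress.ip_interface(addr).network
                svis.append((m[1], child(body, "vrf attach ", "default"), net))
        elif m := re.match(r"interface (\d+/\d+/\d+)", header):
            if lag_id := child(body, "lag "):
                members[lag_id].append((m[1], child(body, "description ")))
    out = []
    for lag_id, desc in lags.items():  # LAG configured but nothing cabled into it
        if lag_id not in members:
            out.append(f"lag {lag_id}: no member ports on this switch ({desc})")
    for lag_id, ports in members.items():  # port label names a different peer
        for port, desc in ports:
            if peer(desc) != peer(lags.get(lag_id, "")):
                out.append(f"{port}: labelled {peer(desc)} but lag {lag_id} goes to {peer(lags.get(lag_id, ''))}")
    for i, (v1, vrf1, n1) in enumerate(svis):  # same subnet on two SVIs
        for v2, vrf2, n2 in svis[i + 1:]:
            if n1 == n2:
                out.append(f"vlan {v1}/{v2}: both use {n1} " + ("(same VRF)" if vrf1 == vrf2 else "(different VRFs, verify intent)"))
    return out
```

Paste the full running-config in place of the sample string to check both chassis; the same-VRF case is the one that would actually break routing, the cross-VRF case only needs a human to confirm it was intended.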