Wired Intelligent Edge


LAG Group Status Block

  • 1.  LAG Group Status Block

    Posted Jan 19, 2021 10:29 AM
    Hello,

    I have a problem: my LAG group is showing status blocked.
    I'm using HPE Aruba 8320 OS-CX 10.06.0001.
    I have two 8320 switches configured with VSX-Link.
    I configured LAG10 & LAG9 on both switches using ports 5 & 6; this LAG is configured as LACP, trunk all, and connects to FW1 & FW2.
    Each FW has 4 ports going to the switches:
    Switch1: LAG10 connect to FW1
    Switch2: LAG10 connect to FW2
    Switch1: LAG9 connect to FW2
    Switch2: LAG9 connect to FW1

    Should I use LAG or LAG MC?
    Thanks

    ------------------------------
    Kum Weng Chan
    ------------------------------


  • 2.  RE: LAG Group Status Block

    Posted Jan 19, 2021 11:30 AM
    Hi, could you show us a diagram of connections?

    Generally, when dealing with a VSX, some VSX LAGs are defined (for example) spanning both chassis:

    • On VSX Primary create a VSX LAG lag1 made of 1/1/5
    • On VSX Primary create a VSX LAG lag2 made of 1/1/6
    • On VSX Secondary create a VSX LAG lag1 made of 1/1/5
    • On VSX Secondary create a VSX LAG lag2 made of 1/1/6

    The above configuration is like having a Multi-Chassis LAG spanning between VSX nodes:

    • VSX LAG lag1 made of 1/1/5 on VSX Primary and 1/1/5 on VSX Secondary
    • VSX LAG lag2 made of 1/1/6 on VSX Primary and 1/1/6 on VSX Secondary

    The important thing to note is that each VSX LAG (as also happens normally with standard LAGs) should terminate on a single switching entity (like a single standalone Switch, a Virtual Switch - IRF, VSF, VSX, Cisco VSS, etc. - or a single Host).

    In other terms, normally:

    • VSX LAG lag1 (1/1/5+1/1/5) would terminate into FW1 or FW2 (not into both concurrently)
    • VSX LAG lag2 (1/1/6+1/1/6) would terminate into FW2 or FW1 (not into both concurrently)

    The only exception is when the pair (FW1 and FW2) can be seen as (and act like) a single logical entity (and generally a Cluster of two Active/Active or Active/Passive Firewalls simply doesn't act as a "single logical entity").

    I doubt (but I could be wrong about that) your two Firewalls act like one logical switching entity (they should be separated and acting as if they are two separate switches/routers)... this means that a VSX LAG can only terminate on ONE Firewall at a time (say lag1 into FW1 or FW2, not on both)... it is no different from what happens when a LAG terminates on a standalone (or Virtual) Switch... it can't terminate on two separate switches if they act as standalone ones.

    ------------------------------
    Davide Poletto
    ------------------------------
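
The single-termination rule from the reply above, written as a small Python check (an added example, not part of either post and not HPE Aruba code). The link lists are constructed from the cabling described in the thread; the function names and the `logical_groups` parameter are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data: (VSX node, LAG name, far-end device).
# AS_POSTED mirrors the four cabling lines in the question;
# SINGLE_PEER mirrors the lag1/lag2 layout in the reply.
AS_POSTED = [("Switch1", "lag10", "FW1"), ("Switch2", "lag10", "FW2"),
             ("Switch1", "lag9", "FW2"), ("Switch2", "lag9", "FW1")]
SINGLE_PEER = [("Primary", "lag1", "FW1"), ("Secondary", "lag1", "FW1"),
               ("Primary", "lag2", "FW2"), ("Secondary", "lag2", "FW2")]

def lag_peers(links, multi_chassis=True):
    """Map each logical LAG to the set of far-end devices it reaches.

    multi_chassis=True: a LAG name is one logical LAG across both VSX nodes.
    multi_chassis=False: each node's LAG is a separate, local LAG.
    """
    peers = defaultdict(set)
    for node, lag, peer in links:
        key = lag if multi_chassis else f"{node}:{lag}"
        peers[key].add(peer)
    return dict(peers)

def split_lags(links, multi_chassis=True, logical_groups=()):
    """Return LAGs whose members end on more than one switching entity.

    logical_groups lists sets of devices that behave as a single logical
    entity (the exception mentioned in the reply); empty by default.
    """
    def entity(dev):
        for group in logical_groups:
            if dev in group:
                return "+".join(sorted(group))
        return dev

    bad = {}
    for lag, devs in lag_peers(links, multi_chassis).items():
        entities = sorted({entity(d) for d in devs})
        if len(entities) > 1:
            bad[lag] = entities
    return bad

if __name__ == "__main__":
    for name, links in (("as posted", AS_POSTED), ("single peer", SINGLE_PEER)):
        for mc in (True, False):
            kind = "multi-chassis" if mc else "local"
            print(f"{name:12} {kind:14} split LAGs: {split_lags(links, mc)}")
```
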