@NetworkWise wrote: Is it possible to have both switches active in this stack?
Hi! I hope I have not misunderstood your request: generally (at least this was my personal experience) a Cluster of Firewalls working in Active/Active mode permits redundant connections to downstream devices (in this case your downstream device is the Hardware Stack made of your two Aruba 3810M Switches, a stack that is seen as a virtual switch by any other peer, Firewalls' Cluster included) BUT these redundant connections - and here I necessarily speak about LACP/Static port trunks (AKA link aggregations) - can originate, one from each Cluster node, and they can terminate distributed across the stack's member switches.
In other words:
FW Cluster node 1 - 1st physical link from Port a1 (part of a defined LACP n) -> terminates on the corresponding LACP z1 defined on the Switch Stack (the 1st link can terminate where you want, clearly on a member port of that particular z1 LACP port trunk, say port 1/1 as an example)
FW Cluster node 1 - 2nd physical link from Port b1 (part of a defined LACP n) -> terminates on the corresponding LACP z1 defined on the Switch Stack (the 2nd link can terminate where you want, clearly on a member port of that particular z1 LACP port trunk, say port 2/1 as an example)
FW Cluster node 2 - 1st physical link from Port a2 (part of a defined LACP m) -> terminates on the corresponding LACP z2 defined on the Switch Stack (the 1st link can terminate where you want, clearly on a member port of that particular z2 LACP port trunk, say port 1/11 as an example)
FW Cluster node 2 - 2nd physical link from Port b2 (part of a defined LACP m) -> terminates on the corresponding LACP z2 defined on the Switch Stack (the 2nd link can terminate where you want, clearly on a member port of that particular z2 LACP port trunk, say port 2/11 as an example)
AFAIK you can't create on the Firewalls an LACP link aggregation that spans its member ports across both clustered members (this can be done, as described above, only on the Switch Stack, because that Stack forms a single logical entity; the Firewalls' Cluster doesn't form a single logical entity)... This means that, because link aggregations need to terminate on and originate from one and the same logical entity, the scenario you could set up is going to be a "Node 1 to Stack" and "Node 2 to Stack" affair instead of a "Node 1 - across - Node 2 to Stack" affair.
If you have a single link from each Firewall node then you have this issue, since that very one link from a Firewall node will be connected (without LACP being used) to any member of the Switches' stack.
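
An added example, not part of the original reply: a small Python check that a cabling plan follows the layout described above (one aggregation per firewall node, each spread across both stack members). The tuple layout, the function name `check_plan` and the wording of the findings are assumptions made for illustration; the port and trunk names are the ones used in the reply.

```python
from collections import defaultdict

# Constructed cabling plan mirroring the reply's example. Each entry is
# (firewall node, firewall port, switch-side trunk or None, stack port "member/port").
PLAN = [
    ("node1", "a1", "z1", "1/1"),
    ("node1", "b1", "z1", "2/1"),
    ("node2", "a2", "z2", "1/11"),
    ("node2", "b2", "z2", "2/11"),
]


def check_plan(links):
    """Return sorted findings; an empty list means the plan matches the layout above."""
    findings = []
    trunks = defaultdict(list)
    for node, fw_port, trunk, sw_port in links:
        member = sw_port.split("/")[0]
        if trunk is None:
            # Single link, no LACP: the node depends on one link and one stack member.
            findings.append(
                f"{node}:{fw_port} is a single non-aggregated link to stack member {member}"
            )
        else:
            trunks[trunk].append((node, member))
    for trunk, ends in trunks.items():
        nodes = sorted({n for n, _ in ends})
        members = sorted({m for _, m in ends})
        if len(nodes) > 1:
            # The firewall cluster is not one logical entity, so one aggregation
            # cannot have member links on both nodes.
            findings.append(f"{trunk} has links from several firewall nodes: {', '.join(nodes)}")
        if len(ends) < 2:
            findings.append(f"{trunk} has only one link")
        elif len(members) < 2:
            findings.append(f"{trunk} lands on stack member {members[0]} only")
    return sorted(findings)


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
```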