Wired Intelligent Edge

I'm trying to wrap my head around the best or correct way to configure the upstream connectivity between my Aruba 8325 VSX core pair and my single Sonicwall NSa 6700 firewall.  I have mc-lags to my downstream access stacks working, but am not sure what my choices are for the upstream connection to my firewall.  This is just a two-tier network with no aggregation layer.  Right now I have two 40G DAC cables going from my LAN X32 and X33 interfaces (aggregated) on my SonicWall to each of my two core switches (interface 1/1/52 on each).  Right now, the L2 discovery on my SonicWall shows each of the 8325 switches they are connected to and the 1/1/52 interface are both up on the 8325s, but it is showing an LACP block on each of the 8325 switches for the vlan lag 254 interfaces.  Currently my LAN IP on the Sonicwall is 10.1.254.254.

Following is the configuration I have on each of the two core switches:

interface lag 254 multi-chassis
    description VSX LAG 254 (Sonicwall LAN)
    no shutdown
    no routing
    vlan access 254
    lacp mode active
    loop-protect
    loop-protect vlan 254

interface 1/1/52
    description Lag Port (Sonicwall LAN)
    no shutdown
    mtu 9198
    lag 254

interface vlan 254
    vsx-sync active-gateways
    ip mtu 9198
    ip address 10.1.254.2/24 (10.1.254.3/24 for secondary)
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.1.254.1

I'm trying to wrap my head around the best or correct way to configure the upstream connectivity between my Aruba 8325 VSX core pair and my single Sonicwall NSa 6700 firewall.  I have mc-lags to my downstream access stacks working, but am not sure what my choices are for the upstream connection to my firewall.  This is just a two-tier network with no aggregation layer.  Right now I have two 40G DAC cables going from my LAN X32 and X33 interfaces (aggregated) on my SonicWall to each of my two core switches (interface 1/1/52 on each).  Right now, the L2 discovery on my SonicWall shows each of the 8325 switches they are connected to and the 1/1/52 interface are both up on the 8325s, but it is showing an LACP block on each of the 8325 switches for the vlan lag 254 interfaces.  Currently my LAN IP on the Sonicwall is 10.1.254.254.

Following is the configuration I have on each of the two core switches:

interface lag 254 multi-chassis
    description VSX LAG 254 (Sonicwall LAN)
    no shutdown
    no routing
    vlan access 254
    lacp mode active
    loop-protect
    loop-protect vlan 254

interface 1/1/52
    description Lag Port (Sonicwall LAN)
    no shutdown
    mtu 9198
    lag 254

interface vlan 254
    vsx-sync active-gateways
    ip mtu 9198
    ip address 10.1.254.2/24 (10.1.254.3/24 for secondary)
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.1.254.1

On your VSX what's the (sanitized) output of these two commands (related to lag254 and its member interfaces on Primary and Secondary VSX)?

show lacp interfaces multi-chassis

show lacp interfaces multi-chassis 1/1/52

Then would be interesting to understand what's the main reason for having such VSX LAG interface operating in "access mode" (with a Native VLAN id = Port VLAN ID = VLAN id 254, implying that that interface is an "untagged member" of the VLAN id 254) instead of - maybe - being an interface operating in "trunk mode" which is something typically used when interconnecting to peering switches/appliances (but here I mean "trunk mode" with just the VLAN id 254 AND with that VLAN id tagged <- clearly that approach would make sense IF-AND-ONLY-IF the peering logical interface - the aggregation of X32 and X33 - configured on the Sonicwall NSa 6700 Firewall side is also only tagged with the VLAN id 254).

Something like:

interface lag 254 multi-chassis
    description "to Sonicwall NSa 6700 Firewall"
    no shutdown
    no routing
    vlan trunk native 254 tag
    vlan trunk allowed 254
    lacp mode active
exit

Original Message:
Sent: Jun 05, 2023 04:54 PM
From: wdubose
Subject: Connecting a single Sonicwall NSa 6700 to a VSX 8325 core

I'm trying to wrap my head around the best or correct way to configure the upstream connectivity between my Aruba 8325 VSX core pair and my single Sonicwall NSa 6700 firewall.  I have mc-lags to my downstream access stacks working, but am not sure what my choices are for the upstream connection to my firewall.  This is just a two-tier network with no aggregation layer.  Right now I have two 40G DAC cables going from my LAN X32 and X33 interfaces (aggregated) on my SonicWall to each of my two core switches (interface 1/1/52 on each).  Right now, the L2 discovery on my SonicWall shows each of the 8325 switches they are connected to and the 1/1/52 interface are both up on the 8325s, but it is showing an LACP block on each of the 8325 switches for the vlan lag 254 interfaces.  Currently my LAN IP on the Sonicwall is 10.1.254.254.

Following is the configuration I have on each of the two core switches:

interface lag 254 multi-chassis
    description VSX LAG 254 (Sonicwall LAN)
    no shutdown
    no routing
    vlan access 254
    lacp mode active
    loop-protect
    loop-protect vlan 254

interface 1/1/52
    description Lag Port (Sonicwall LAN)
    no shutdown
    mtu 9198
    lag 254

interface vlan 254
    vsx-sync active-gateways
    ip mtu 9198
    ip address 10.1.254.2/24 (10.1.254.3/24 for secondary)
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.1.254.1

I ran the following two commands with interface lag 254 configured for both access (vlan access 254) and the way you suggested (vlan trunk native 254 tag, vlan trunk allowed 254).  The command output was identical for each.

8325-CORE-1(config-lag-if)# show lacp interfaces multi-chassis

State abbreviations :

A - Active        P - Passive      F - Aggregable I - Individual

S - Short-timeout L - Long-timeout N - InSync     O - OutofSync

C - Collecting    D - Distributing

X - State m/c expired              E - Default neighbor state

Actor details of all interfaces:

----------------------------------------------------------------------------------

Intf       Aggregate  Port    Port     State   System-ID         System   Aggr

           name       id      Priority                           Priority Key

----------------------------------------------------------------------------------

1/1/52     lag254(mc) 52      1        ALFOE   02:02:00:00:01:00 65534    254

Partner details of all interfaces:

----------------------------------------------------------------------------------

Intf       Aggregate  Partner Port     State   System-ID         System   Aggr

           name       Port-id Priority                           Priority Key

----------------------------------------------------------------------------------

1/1/52     lag254(mc) 0       0        PLFOEX  00:00:00:00:00:00 0        0

Remote Actor details of all interfaces:

----------------------------------------------------------------------------------

Intf       Aggregate  Port    Port     State   System-ID         System   Aggr

           name       id      Priority                           Priority Key

----------------------------------------------------------------------------------

1/1/52     lag254(mc) 1052    1        IE      02:02:00:00:01:00 65534    254

Remote Partner details of all interfaces:

----------------------------------------------------------------------------------

Intf       Aggregate  Partner Port     State   System-ID         System   Aggr          

           name       Port-id Priority                           Priority Key

----------------------------------------------------------------------------------

1/1/52     lag254(mc) 0       0        IE      00:00:00:00:00:00 0        0

8325-CORE-1(config-lag-if)# show lacp interfaces multi-chassis 1/1/52

State abbreviations :

A - Active        P - Passive      F - Aggregable I - Individual

S - Short-timeout L - Long-timeout N - InSync     O - OutofSync

C - Collecting    D - Distributing

X - State m/c expired              E - Default neighbor state

Aggregate-name : lag254(multi-chassis)

-------------------------------------------------

                       Actor             Partner

-------------------------------------------------

Port-id            | 52                 | 0

Port-priority      | 1                  | 0

Key                | 254                | 0

State              | ALFOE              | PLFOEX

System-ID          | 02:02:00:00:01:00  | 00:00:00:00:00:00

System-priority    | 65534              | 0

Original Message:
Sent: Jun 07, 2023 07:15 AM
From: parnassus
Subject: Connecting a single Sonicwall NSa 6700 to a VSX 8325 core

On your VSX what's the (sanitized) output of these two commands (related to lag254 and its member interfaces on Primary and Secondary VSX)?

show lacp interfaces multi-chassis

show lacp interfaces multi-chassis 1/1/52

Then would be interesting to understand what's the main reason for having such VSX LAG interface operating in "access mode" (with a Native VLAN id = Port VLAN ID = VLAN id 254, implying that that interface is an "untagged member" of the VLAN id 254) instead of - maybe - being an interface operating in "trunk mode" which is something typically used when interconnecting to peering switches/appliances (but here I mean "trunk mode" with just the VLAN id 254 AND with that VLAN id tagged <- clearly that approach would make sense IF-AND-ONLY-IF the peering logical interface - the aggregation of X32 and X33 - configured on the Sonicwall NSa 6700 Firewall side is also only tagged with the VLAN id 254).

Something like:

interface lag 254 multi-chassis
    description "to Sonicwall NSa 6700 Firewall"
    no shutdown
    no routing
    vlan trunk native 254 tag
    vlan trunk allowed 254
    lacp mode active
exit

Original Message:
Sent: Jun 05, 2023 04:54 PM
From: wdubose
Subject: Connecting a single Sonicwall NSa 6700 to a VSX 8325 core

I'm trying to wrap my head around the best or correct way to configure the upstream connectivity between my Aruba 8325 VSX core pair and my single Sonicwall NSa 6700 firewall.  I have mc-lags to my downstream access stacks working, but am not sure what my choices are for the upstream connection to my firewall.  This is just a two-tier network with no aggregation layer.  Right now I have two 40G DAC cables going from my LAN X32 and X33 interfaces (aggregated) on my SonicWall to each of my two core switches (interface 1/1/52 on each).  Right now, the L2 discovery on my SonicWall shows each of the 8325 switches they are connected to and the 1/1/52 interface are both up on the 8325s, but it is showing an LACP block on each of the 8325 switches for the vlan lag 254 interfaces.  Currently my LAN IP on the Sonicwall is 10.1.254.254.

Following is the configuration I have on each of the two core switches:

interface lag 254 multi-chassis
    description VSX LAG 254 (Sonicwall LAN)
    no shutdown
    no routing
    vlan access 254
    lacp mode active
    loop-protect
    loop-protect vlan 254

interface 1/1/52
    description Lag Port (Sonicwall LAN)
    no shutdown
    mtu 9198
    lag 254

interface vlan 254
    vsx-sync active-gateways
    ip mtu 9198
    ip address 10.1.254.2/24 (10.1.254.3/24 for secondary)
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.1.254.1