Are you sure about the LACP LAG on the Sonicwall NSa 6700 side?
To me it seems far from being good enough since ALFOE and PLFOEX states say so (no matter the "operating mode" - access versus trunk - you would then use on both sides for both logical interfaces).
A diagnostic on Sonicwall side about its LAG (LACP) would be of help, at this point.
Edit: Aruba VSX side, what's the output of:
switch config-validator mode vsx-sync
Original Message:
Sent: 6/7/2023 2:19:00 PM
From: wdubose
Subject: RE: Connecting a single Sonicwall NSa 6700 to a VSX 8325 core
I ran the following two commands with interface lag 254 configured for both access (vlan access 254) and the way you suggested (vlan trunk native 254 tag, vlan trunk allowed 254). The command output was identical for each.
8325-CORE-1(config-lag-if)# show lacp interfaces multi-chassis
State abbreviations :
A - Active        P - Passive      F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync     O - OutofSync
C - Collecting    D - Distributing
X - State m/c expired              E - Default neighbor state

Actor details of all interfaces:
----------------------------------------------------------------------------------
Intf       Aggregate    Port     Port      State   System-ID          System    Aggr
           name         id       Priority                             Priority  Key
----------------------------------------------------------------------------------
1/1/52     lag254(mc)   52       1         ALFOE   02:02:00:00:01:00  65534     254

Partner details of all interfaces:
----------------------------------------------------------------------------------
Intf       Aggregate    Partner  Port      State   System-ID          System    Aggr
           name         Port-id  Priority                             Priority  Key
----------------------------------------------------------------------------------
1/1/52     lag254(mc)   0        0         PLFOEX  00:00:00:00:00:00  0         0

Remote Actor details of all interfaces:
----------------------------------------------------------------------------------
Intf       Aggregate    Port     Port      State   System-ID          System    Aggr
           name         id       Priority                             Priority  Key
----------------------------------------------------------------------------------
1/1/52     lag254(mc)   1052     1         IE      02:02:00:00:01:00  65534     254

Remote Partner details of all interfaces:
----------------------------------------------------------------------------------
Intf       Aggregate    Partner  Port      State   System-ID          System    Aggr
           name         Port-id  Priority                             Priority  Key
----------------------------------------------------------------------------------
1/1/52     lag254(mc)   0        0         IE      00:00:00:00:00:00  0         0

8325-CORE-1(config-lag-if)# show lacp interfaces multi-chassis 1/1/52
State abbreviations :
A - Active        P - Passive      F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync     O - OutofSync
C - Collecting    D - Distributing
X - State m/c expired              E - Default neighbor state

Aggregate-name : lag254(multi-chassis)
-------------------------------------------------
                  Actor               Partner
-------------------------------------------------
Port-id         | 52                | 0
Port-priority   | 1                 | 0
Key             | 254               | 0
State           | ALFOE             | PLFOEX
System-ID       | 02:02:00:00:01:00 | 00:00:00:00:00:00
System-priority | 65534             | 0

Original Message:
Sent: Jun 07, 2023 07:15 AM
From: parnassus
Subject: Connecting a single Sonicwall NSa 6700 to a VSX 8325 core
On your VSX what's the (sanitized) output of these two commands (related to lag254 and its member interfaces on Primary and Secondary VSX)?
show lacp interfaces multi-chassis
show lacp interfaces multi-chassis 1/1/52
Then it would be interesting to understand what's the main reason for having such VSX LAG interface operating in "access mode" (with a Native VLAN id = Port VLAN ID = VLAN id 254, implying that that interface is an "untagged member" of the VLAN id 254) instead of - maybe - being an interface operating in "trunk mode" which is something typically used when interconnecting to peering switches/appliances (but here I mean "trunk mode" with just the VLAN id 254 AND with that VLAN id tagged <- clearly that approach would make sense IF-AND-ONLY-IF the peering logical interface - the aggregation of X32 and X33 - configured on the Sonicwall NSa 6700 Firewall side is also only tagged with the VLAN id 254).
Something like:
interface lag 254 multi-chassis
    description "to Sonicwall NSa 6700 Firewall"
    no shutdown
    no routing
    vlan trunk native 254 tag
    vlan trunk allowed 254
    lacp mode active
    exit
Original Message:
Sent: Jun 05, 2023 04:54 PM
From: wdubose
Subject: Connecting a single Sonicwall NSa 6700 to a VSX 8325 core
I'm trying to wrap my head around the best or correct way to configure the upstream connectivity between my Aruba 8325 VSX core pair and my single Sonicwall NSa 6700 firewall. I have mc-lags to my downstream access stacks working, but am not sure what my choices are for the upstream connection to my firewall. This is just a two-tier network with no aggregation layer. Right now I have two 40G DAC cables going from my LAN X32 and X33 interfaces (aggregated) on my SonicWall to each of my two core switches (interface 1/1/52 on each). Right now, the L2 discovery on my SonicWall shows each of the 8325 switches they are connected to and the 1/1/52 interfaces are both up on the 8325s, but it is showing an LACP block on each of the 8325 switches for the vlan lag 254 interfaces. Currently my LAN IP on the Sonicwall is 10.1.254.254.
Following is the configuration I have on each of the two core switches:
interface lag 254 multi-chassis
    description VSX LAG 254 (Sonicwall LAN)
    no shutdown
    no routing
    vlan access 254
    lacp mode active
    loop-protect
    loop-protect vlan 254
interface 1/1/52
    description Lag Port (Sonicwall LAN)
    no shutdown
    mtu 9198
    lag 254
interface vlan 254
    vsx-sync active-gateways
    ip mtu 9198
    ip address 10.1.254.2/24 (10.1.254.3/24 for secondary)
    active-gateway ip mac 12:01:00:00:01:00
    active-gateway ip 10.1.254.1
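
Added example (not part of the original thread, and not Aruba or SonicWall code): a small Python decoder for the LACP state strings in the "show lacp interfaces multi-chassis 1/1/52" output posted above, using the legend the switch prints. The function names and the wording of the findings are assumptions made for this illustration; E and X are read with the usual LACP meaning of a defaulted and an expired partner.

```python
# Added example (illustrative names); legend copied from the switch output in the thread.
LEGEND = {
    "A": "Active", "P": "Passive", "F": "Aggregable", "I": "Individual",
    "S": "Short-timeout", "L": "Long-timeout", "N": "InSync", "O": "OutofSync",
    "C": "Collecting", "D": "Distributing", "X": "State m/c expired", "E": "Default neighbor state",
}
NULL_SYSTEM_ID = "00:00:00:00:00:00"

def decode_state(flags):
    """Expand a state string such as 'ALFOE' into the legend's names."""
    unknown = [c for c in flags if c not in LEGEND]
    if unknown:
        raise ValueError(f"unknown LACP state flag(s): {unknown}")
    return [LEGEND[c] for c in flags]

def parse_detail(text):
    """Parse 'Field | actor | partner' rows of the per-interface view."""
    rows = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3:
            rows[parts[0]] = {"actor": parts[1], "partner": parts[2]}
    return rows

def diagnose(rows):
    """List the reasons the member port is not passing traffic (empty if healthy)."""
    actor, partner = rows["State"]["actor"], rows["State"]["partner"]
    findings = []
    if rows["System-ID"]["partner"] == NULL_SYSTEM_ID:
        findings.append("partner System-ID is all zeros: no LACP partner learned")
    if "E" in actor:
        findings.append("actor is using default neighbor values, not received ones")
    if "X" in partner:
        findings.append("partner state machine expired: LACPDUs are not arriving")
    if "O" in actor:
        findings.append("actor is OutofSync")
    if not {"C", "D"} <= set(actor):
        findings.append("actor is neither Collecting nor Distributing")
    return findings

# Values copied from the 1/1/52 output posted in the thread.
SAMPLE = """\
Port-id | 52 | 0
Port-priority | 1 | 0
Key | 254 | 0
State | ALFOE | PLFOEX
System-ID | 02:02:00:00:01:00 | 00:00:00:00:00:00
System-priority | 65534 | 0
"""
```

Calling diagnose(parse_detail(SAMPLE)) on the posted values returns all five findings, which matches the first reply's reading that the LAG has not formed with the firewall side.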