Wired Intelligent Edge

  • 1.  LAG Group Status Block

    Posted Jan 19, 2021 10:29 AM
    Hello,

    I have a problem: my LAG group is showing status blocked.
    I'm using HPE Aruba 8320 OS-CX 10.06.0001
    I have two 8320 switches configured with VSX-Link.
    I configured LAG10 & LAG9 on both switches, using ports 5 & 6. This LAG is configured as LACP, trunk all, and connects to FW1 & FW2.
    Each FW has 4 ports going to the switches:
    Switch1: LAG10 connects to FW1
    Switch2: LAG10 connects to FW2
    Switch1: LAG9 connects to FW2
    Switch2: LAG9 connects to FW1

    Should I use LAG or LAG MC?
    Thanks

    ------------------------------
    Kum Weng Chan
    ------------------------------


  • 2.  RE: LAG Group Status Block

    Posted Jan 19, 2021 11:30 AM
    Edited by parnassus Jan 19, 2021 12:25 PM
    Hi, could you show us a diagram of connections?

    Generally - dealing with a VSX - some VSX LAGs are defined (example) spanning both chassis:

    • On VSX Primary create a VSX LAG lag1 made of 1/1/5
    • On VSX Primary create a VSX LAG lag2 made of 1/1/6
    • On VSX Secondary create a VSX LAG lag1 made of 1/1/5
    • On VSX Secondary create a VSX LAG lag2 made of 1/1/6
    The above configuration is like having a Multi-Chassis LAG spanning between VSX nodes:

    • VSX LAG lag1 made of 1/1/5 on VSX Primary and 1/1/5 on VSX Secondary
    • VSX LAG lag2 made of 1/1/6 on VSX Primary and 1/1/6 on VSX Secondary
    The important thing to note is that each VSX LAG (as also happens normally on standard LAGs) should terminate on a single switching entity (like a single standalone Switch, a Virtual Switch - IRF, VSF, VSX, Cisco VSS, etc. - or a single Host).

    In other terms, normally:

    • VSX LAG lag1 (1/1/5+1/1/5) would terminate into FW1 or FW2 (not into both concurrently)
    • VSX LAG lag2 (1/1/6+1/1/6) would terminate into FW2 or FW1 (not into both concurrently)

    The only exception is when the pair (FW1 and FW2) can be seen as (and act like) a single logical entity (and generally a Cluster of two Active/Active or Active/Passive Firewalls simply doesn't act as a "single logical entity").

    I doubt (but I could be wrong about that) that your two Firewalls act like one logical switching entity (they should be separate, acting as two separate switches/routers)... this means that a VSX LAG can only terminate on ONE Firewall at a time (say lag1 into FW1 or FW2, not on both)... it is no different from what happens when a LAG terminates on a standalone (or Virtual) Switch... it can't terminate on two separate switches if they act as standalone ones.

    ------------------------------
    Davide Poletto
    ------------------------------
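
The layout described in the reply above, written out as AOS-CX configuration. This is an added example, not part of either post: the LAG numbers and member ports follow the reply's example, while the descriptions, the choice of lag1 for FW1 and lag2 for FW2, the LACP mode and the "trunk all" VLAN setting (taken from the question) are assumptions.

```text
! Annotated example. Enter the same block on VSX Primary and VSX Secondary.
! Each VSX (multi-chassis) LAG has one member port per node, and both
! member ports of a given LAG are cabled to the same firewall.

! lag1: 1/1/5 on Primary + 1/1/5 on Secondary, both cabled to FW1
interface lag 1 multi-chassis
    description to-FW1
    no shutdown
    no routing
    vlan trunk allowed all
    lacp mode active

! lag2: 1/1/6 on Primary + 1/1/6 on Secondary, both cabled to FW2
interface lag 2 multi-chassis
    description to-FW2
    no shutdown
    no routing
    vlan trunk allowed all
    lacp mode active

interface 1/1/5
    description FW1 uplink
    no shutdown
    lag 1

interface 1/1/6
    description FW2 uplink
    no shutdown
    lag 2
```

Running `show lacp interfaces` on each node afterwards shows the LACP state of the member ports.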