Wired Intelligent Edge

Hi guys,

I want to configure an aruba VSX Stack as cores-switches. The access-switches should be connected via MLAG to the VSX Stack and therefore I want to use the active gateway configuration for routing.

Now I want to connect the VSX Stack to our Firewall-HA.

What is the best way to do this, MLAG to both Firewalls?



------------------------------
Chris
------------------------------

Hi Chris,

"What is the best way to do this, MLAG to both Firewalls?"

before answering that question let me instead to highlight an aspect of your scenario: can your Cluster of Firewalls be seen as a single (unique) logical entity from the VSX point of view? I mean...generally an Firewall HA solution (Active/Active or Active/Passive, it doesn't matter) is made of two standalone units interconnected with an heartbeat link...and this pair of Firewall units generally can't be seen as a single logical entity (think about: can you freely terminate/distribute link aggregation's members originating on the VSX or on a singel standalone Switch to both the HA Cluster's members concurrently?).

------------------------------
Davide Poletto
------------------------------

Original Message:
Sent: Feb 25, 2021 09:17 AM
From: Chris vBargen
Subject: VSX Stack to firewall

Hi guys,

I want to configure an aruba VSX Stack as cores-switches. The access-switches should be connected via MLAG to the VSX Stack and therefore I want to use the active gateway configuration for routing.

Now I want to connect the VSX Stack to our Firewall-HA.

What is the best way to do this, MLAG to both Firewalls?

------------------------------
Chris
------------------------------

Hi Davide,

thanks for your quick response.
Our firewalls are working in an active-passive scenario and they are interconnected over a heartbeat-link.
Each firewall is a standalone unit.

So in this scenario, I could configure MLAG on the VSX-Stack to both firewalls?

Regards

------------------------------
Chris vBargen
------------------------------

Original Message:
Sent: Feb 25, 2021 10:28 AM
From: Davide Poletto
Subject: VSX Stack to firewall

Hi Chris,

"What is the best way to do this, MLAG to both Firewalls?"

before answering that question let me instead to highlight an aspect of your scenario: can your Cluster of Firewalls be seen as a single (unique) logical entity from the VSX point of view? I mean...generally an Firewall HA solution (Active/Active or Active/Passive, it doesn't matter) is made of two standalone units interconnected with an heartbeat link...and this pair of Firewall units generally can't be seen as a single logical entity (think about: can you freely terminate/distribute link aggregation's members originating on the VSX or on a singel standalone Switch to both the HA Cluster's members concurrently?).

------------------------------
Davide Poletto

Original Message:
Sent: Feb 25, 2021 09:17 AM
From: Chris vBargen
Subject: VSX Stack to firewall

Hi guys,

I want to configure an aruba VSX Stack as cores-switches. The access-switches should be connected via MLAG to the VSX Stack and therefore I want to use the active gateway configuration for routing.

Now I want to connect the VSX Stack to our Firewall-HA.

What is the best way to do this, MLAG to both Firewalls?

------------------------------
Chris
------------------------------

Hi Chris,

"So in this scenario, I could configure MLAG on the VSX-Stack to both firewalls?"

No.

You can configure a LAG on Firewall 1: links of this Firewall LAG would terminate on both VSX Members (distributed on VSX node 1 and on VSX node 2), this approach would imply that on the VSX side you need to setup a VSX LAG - call it lag1 (what you call an MCLAG or Multi-Chassis LAG) - and links of this VSX LAG (links originating on VSX 1 and VSX 2)  will end on (and only on) Firewall 1 unit.

You can configure another LAG on Firewall2: links of this Firewall LAG would terminate on both the VSX Members (distributed on VSX node 1 and on VSX node 2), this approach would imply that on the VSX side you need to setup a VSX LAG - call it lag2 (what you call an MCLAG or Multi-Chassis LAG) - and links of this VSX LAG (links originating on VSX 1 and VSX 2) will end on (and only on) Firewall 2 unit.

The point is that VSX acts as a single logical unit from peers perspective BUT your Firewall Cluster doesn't so you need to consider each of your Firewalls as a (sort of) separate switch against which the VSX could separately terminate its VSX LAGs' links (VSX lag1 links originating on VSX node 1 and on VSX node 2 go to Firewall 1 lag "n", VSX lag2 links originating on VSX node 1 and on VSX node 2 go to Firewall 2 lag "m").

The viceversa thus is not valid: you can't have a VSX LAG originating from the VSX members and going to with some links on Firewall 1 and with some others on Firewall 2 exactly as you can't probably setup on your Firewalls a LAG stretched across both Firewalls (a sort of Multi-Chassis de-facto...but for Firewalls) that terminates its links against the VSX Cluster (or against any other standalone Switch, as example).


------------------------------
Davide Poletto
------------------------------

Original Message:
Sent: Feb 25, 2021 10:48 AM
From: Chris vBargen
Subject: VSX Stack to firewall

Hi Davide,

thanks for your quick response.
Our firewalls are working in an active-passive scenario and they are interconnected over a heartbeat-link.
Each firewall is a standalone unit.

So in this scenario, I could configure MLAG on the VSX-Stack to both firewalls?

Regards

------------------------------
Chris vBargen

Original Message:
Sent: Feb 25, 2021 10:28 AM
From: Davide Poletto
Subject: VSX Stack to firewall

Hi Chris,

"What is the best way to do this, MLAG to both Firewalls?"

before answering that question let me instead to highlight an aspect of your scenario: can your Cluster of Firewalls be seen as a single (unique) logical entity from the VSX point of view? I mean...generally an Firewall HA solution (Active/Active or Active/Passive, it doesn't matter) is made of two standalone units interconnected with an heartbeat link...and this pair of Firewall units generally can't be seen as a single logical entity (think about: can you freely terminate/distribute link aggregation's members originating on the VSX or on a singel standalone Switch to both the HA Cluster's members concurrently?).

------------------------------
Davide Poletto

Original Message:
Sent: Feb 25, 2021 09:17 AM
From: Chris vBargen
Subject: VSX Stack to firewall

Hi guys,

I want to configure an aruba VSX Stack as cores-switches. The access-switches should be connected via MLAG to the VSX Stack and therefore I want to use the active gateway configuration for routing.

Now I want to connect the VSX Stack to our Firewall-HA.

What is the best way to do this, MLAG to both Firewalls?

------------------------------
Chris
------------------------------

It may help:
https://support.hpe.com/hpsc/doc/public/display?docId=a00094242en_us
p104 Fig.2

------------------------------
Vincent Giles
------------------------------

Original Message:
Sent: Feb 25, 2021 10:48 AM
From: Chris vBargen
Subject: VSX Stack to firewall

Hi Davide,

thanks for your quick response.
Our firewalls are working in an active-passive scenario and they are interconnected over a heartbeat-link.
Each firewall is a standalone unit.

So in this scenario, I could configure MLAG on the VSX-Stack to both firewalls?

Regards

------------------------------
Chris vBargen

Original Message:
Sent: Feb 25, 2021 10:28 AM
From: Davide Poletto
Subject: VSX Stack to firewall

Hi Chris,

"What is the best way to do this, MLAG to both Firewalls?"

before answering that question let me instead to highlight an aspect of your scenario: can your Cluster of Firewalls be seen as a single (unique) logical entity from the VSX point of view? I mean...generally an Firewall HA solution (Active/Active or Active/Passive, it doesn't matter) is made of two standalone units interconnected with an heartbeat link...and this pair of Firewall units generally can't be seen as a single logical entity (think about: can you freely terminate/distribute link aggregation's members originating on the VSX or on a singel standalone Switch to both the HA Cluster's members concurrently?).

------------------------------
Davide Poletto

Original Message:
Sent: Feb 25, 2021 09:17 AM
From: Chris vBargen
Subject: VSX Stack to firewall

Hi guys,

I want to configure an aruba VSX Stack as cores-switches. The access-switches should be connected via MLAG to the VSX Stack and therefore I want to use the active gateway configuration for routing.

Now I want to connect the VSX Stack to our Firewall-HA.

What is the best way to do this, MLAG to both Firewalls?

------------------------------
Chris
------------------------------