02-19-2019 10:46 AM
Got 2 8320 Aruba switches as our core switches in VSX (great feature and working well). Set up a few layer 2 MC-LAGs which work well ... but now I want to add a layer 3 connection on each switch to a firewall ... I appreciate there’s no support for layer 3 MC-LAG.
Any ideas how best to do this? Currently these connections are independent of each other and peer over an OSPF link.
Maybe a better way to do this is to aggregate the combined bandwidth from both switches to the firewall?
02-25-2019 08:03 AM
Not knowing the exact topology, I assume you have an active FW and a standby FW, both running OSPF.
You have 2 options:
a) Create a VSX LAG (MCLAG) upstream to the FW. Create a transit VLAN for L3 routing between the active FW and both VSX nodes. Run OSPF (broadcast type) on this transit VLAN. You'll have the best convergence and resiliency. Do the same for the standby FW using a second transit VLAN. Set the OSPF cost on the secondary transit VLAN to be higher than on the first transit VLAN (so that North/South and South/North traffic goes to the active FW). This is a two-triangle topology.
b) Use a Routed-Only Port on each VSX node. This will drive you to a square topology. You may have 50% of the South-North traffic going through the ISL (this is not a problem, but just size it accordingly).
If you lose the link between the active FW and a VSX node, you'll hit OSPF convergence time (higher than in option a).
Hope this helps.
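Option a) as an added configuration sketch for one VSX node (not from the original reply or from Aruba documentation). It assumes AOS-CX 10.x CLI syntax, a multi-chassis LAG 10 toward the active FW and LAG 20 toward the standby FW, transit VLANs 100 and 200, and constructed addresses and costs; the second VSX node gets the same configuration with its own IP addresses in each transit VLAN.

```text
! --- assumed: VSX already formed, ISL and keepalive configured ---

! Transit VLANs: one per firewall, both carried over MC-LAGs
vlan 100
    name TRANSIT-FW-ACTIVE
vlan 200
    name TRANSIT-FW-STANDBY

! MC-LAG toward the active FW (member port assumed: 1/1/1)
interface lag 10 multi-chassis
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 100
    lacp mode active
interface 1/1/1
    no shutdown
    lag 10

! MC-LAG toward the standby FW (member port assumed: 1/1/2)
interface lag 20 multi-chassis
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 200
    lacp mode active
interface 1/1/2
    no shutdown
    lag 20

! OSPF process; both transit SVIs are broadcast-type adjacencies
router ospf 1
    area 0.0.0.0

! SVI in the active-FW transit VLAN: low cost = preferred path
interface vlan 100
    ip address 10.0.100.2/24        ! node 2 uses 10.0.100.3/24 (assumed)
    ip ospf 1 area 0.0.0.0
    ip ospf network broadcast
    ip ospf cost 10

! SVI in the standby-FW transit VLAN: higher cost so it is only used
! when the active FW or its adjacency is gone
interface vlan 200
    ip address 10.0.200.2/24        ! node 2 uses 10.0.200.3/24 (assumed)
    ip ospf 1 area 0.0.0.0
    ip ospf network broadcast
    ip ospf cost 100
```

Verify with `show ospf neighbors` that each VSX node sees the active FW on VLAN 100 and the standby FW on VLAN 200, and with `show ip route` that the default or upstream routes prefer the VLAN 100 next hop.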