Wired Intelligent Edge

Hi,

What is the best practise for when to use Active-Gateways and when to use Active-Forwarding as they are mutually exclusive.

For example: For a Data SVI, I would imagine using Active-Gateways would serve a better purpose due to it offering first hop redundancy. If true, you lose the active-forwarding feature, so I assume traffic will need to pass through the ISL. So when is it best to use Active-Gateways, and when is it best to use Active-Forwarding?

Many Thanks 

Active-gateway is the default gateway Virtual IP for client subnet

whereas active-forwarding is an optional setting for upstream L3 connectivity in case of VSX LAG and transit VLANs. Active-Forwarding is useless on dowstream VSX LAG to access-switches

and as well as not an option for upstream Routed port. Only for VSX LAG upstream with transit VLANs.

Here is a summary.

Hi Vincent, 

I understand why you wouldnt use Active-Forwarding. I think what BC123 is trying to ask is "In what scenario would you want to use Active-Forwarding". 

IF you had a pair of 8325 (VSX), connected to two Firewalls running active-active then Active-Forwarding would make sense (there would be ECMP routes).

In our scenario we have a pair of 8325's (VSX) connecting to two Firewalls northbound in Active-Passive mode so I assume there would be no need for Active-Forwarding on the transit vlan, is this correct?

Thanks, 

Cole

Hi Vincent, 

Just want to arrest your attention to the question raised by Cole, for learning purpose. I am not exactly in the same situation. Mine is two 8320 VSX nodes connected to one firewall. I understand the Active gateway concept; in my case, for my servers to only know about an active gateway IP address on the VSX as their default gateway. However, I am not sure of when it is necessary to apply active forwarding. 

I have read the technical whitepapers and/or documents but in all honesty, I still don't get it. 

The appendix E of the VSX tech.paper was added to cover FW use-case.

https://support.hpe.com/hpsc/doc/public/display?docId=a00094242en_us

If this is not enough, would this slide better explains:

In a nutshell, Active-gateway is set on L3 VLAN interface facing the server (provided the VSX pair does the routing).

For the FW attachement, due to active/standby model, it is likely you have to connect the VSX pair with a VSX LAG to FW active, and a seconda VSX LAG to the standby FW. Then you set a transit VLAN for routing on this VSX LAG. On this transit VLAN 2 options:

- active-forwarding if you use OSPF or BGP

- or simpler: active-gateway if you use static routing.

(it is not both, it is either).

Thanks, Vincent for this info. Initially, I didn't notice the FW case scenario in the document. This makes sense now.

Good. Happy that this is clear for you and thanks for your exchange.

This may give you an idea.

https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/Aruba-8320-and-ArubaOS-CX-Experience/td-p/442723/page/4

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.