Wired Intelligent Edge

Hi,

I have a pair of 8320 CX switches, want to connect to a single firewall over a layer 3 OSPF connection.

Am I right in thinking MC LAG over both switches to the firewall is best way? Just confused what I would set me firewall ports to? 2 individual layer 3 interfaces?

Thanks

Ps. I tried 2 independent layer 3 links in OSPF on firewall and both switches and it caused asynchronous routing ...

MC-LAG on the 8320 and enable active-forwarding under the VLAN interface. you have to configure lacp on the sonicwall side, not individual interfaces.

I understand how to set a MC LAG, but would this not have the active gateway? What is the command for active forwarding?

Also can I distribute this into OSPF both sides?

I will create a layer 3 ether channel on firewall side to peer with

Thanks

Just seen the ‘vsx active-gateway’ command ... just wanted to clarify the overall design:

Single firewall- etherchannel layer 3 with single IP

2 x 8320’s - use MC LAG (no active gateway) and set the active forwarding. Distribute into OSPF ...

What IP schema to use? /29 to include all 3 devices into the same subnet?

Solved

Did a layer 3 etherchannel on the firewall with single IP address

Transit vlan on both 8320s ... multi chassis LAG on both switches with access only on the transit vlan.

All devices in the same /29 subnet

Thanks for your help

Hi,

 

Do you have look the VSX Best Pratice guide ? https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/VSX-Configuration-Best-Practices-AOS-CX-10-4/td-p/628402

No I didn’t - but thanks for sending through. Looks like a good read.

Hi Redford1980,

 

Your idea works. I adopted it and I can see that there is OSPF routing between my single firewall (Palo Alto) and the two 8320 VSX nodes I am using. However, I have a question. The firewall sees 2 OSPF neighbors, which are the VSX-peers. How do you tell the firewall to route packets to the primary VSX-peer and not the Secondary VSX-peer? Did you do anything special? According to the VSX guide, I made the firewall the DR but for some reason, the firewall is seeing the secondary VSX-peer as its next hop instead of the primary VSX-peer. At some point, I removed the two VSX-peers from participating from DR/BDR election with the firewall but no changes. The only option that looks promising is to give the primary VSX-peer a higher router-ID. 

 

I would appreciate any advice. Thanks.

It is recommended to have FW peering with both VSX peers. PA FW will use ECMP to route trafffic to the primary VSX or to the secondary VSX according to the FW internal load-balancing rules used for ECMP.

So there is no need and not recommended to have single peering.

 

In addtion, please use active-fowarding on the transit VLAN, to help for high-availability and ISL off-load (as explained in VSX best practice).

 

Hi Vincent, 

 

Thanks for this information.