Wireless Access

Occasional Contributor I

Two Firewalls going to core switch

Hi.

Is it possible to have two different firewalls going to a LACP trunk port?

 


Re: Two Firewalls going to core switch

What you are looking for is called multi-chassis EtherChannel. While it is commonly supported on switches (VSF for Aruba switches, VSS for Cisco Catalyst and VPC in Nexus), I don't think any firewall supports that.

 

Short answer, it will depend on the firewall capability if it supports that.

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
MVP Guru

Re: Two Firewalls going to core switch

Hi, your question is not clear... If your planned design is: two Firewalls, one link on each Firewall, one Port Trunk (with LACP) on the Switch side, with the links coming from the Firewalls landing on the same Port Trunk... the answer is NO, no matter whether the Switch side is deployed as VSX, VSF, Standalone or DT.

The point is Port Trunks are co-terminus (VSX helps here because, from the peer standpoint, supports and provides Multi-Chassis Links) and thus the uplinks egressing the Switch on the Port Trunk logical interface must terminate on a single physical switch or against a virtual switch.

Maybe you are dealing with a "Virtual Firewall" made of two clustered physical members? If so... maybe.

Re: Two Firewalls going to core switch

Hi,

If your two firewalls are in a cluster or HA or primary and secondary, then you can do LACP from the VSF switch to the two firewalls, in which one link terminates on the primary node/firewall and one on the secondary firewall.

And it's something like Aruba Distributed Trunk or MC-LAG (other vendors).

 

Best Regards,

Suresh

 
