https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/voss-clustered-core-vist-mlt-to-firewall-ha-lacp/m-p/93660#M1963 <P>How are the Firewalls configured? Are they in L2 mode bridging traffic between VLANs? If so, then the switches likely will get their own MACs back on the MLT/SMLT ports on a different VLAN than they have sent traffic out. If this is the setup, then you will need to issue this command:&nbsp;</P><P>"no sys control virtual-ist mac-move-protection"</P><P>This will ensure that the switch MACs are not moved to the vIST automatically as a switch in normal cases does not want to see its own, or its peer MACs on SMLT ports.</P><P>If the FWs are in pure routing mode, then this command is not required.</P><P>Roger</P> Mon, 07 Nov 2022 08:55:10 GMT Roger_Lapuh 2022-11-07T08:55:10Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/voss-clustered-core-vist-mlt-to-firewall-ha-lacp/m-p/93657#M1961 <P>Hi All,<BR /><BR />We are planning to add a redundant CORE and FW to the current setup of our client using VIST for the CORE to be clustered and then for the CORE to FW connection we're going to use MLT and LACP for added&nbsp;resilience if ever one port goes down and also before it switches back to CORE2.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WhatsApp Image 2022-11-06 at 18.09.30.jpg" style="width: 999px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6213i0E765672567A7406/image-size/large?v=v2&amp;px=999" role="button" title="WhatsApp Image 2022-11-06 at 18.09.30.jpg" alt="WhatsApp Image 2022-11-06 at 18.09.30.jpg" /></span><BR />May I know if this is feasible (loop-free)? And if there any best practices regarding VOSS implementation for this?<BR /><BR />Hoping to hear any suggestions on this. Thank you in advance.</P> Sun, 06 Nov 2022 10:26:09 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/voss-clustered-core-vist-mlt-to-firewall-ha-lacp/m-p/93657#M1961 gklyde17 2022-11-06T10:26:09Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/voss-clustered-core-vist-mlt-to-firewall-ha-lacp/m-p/93660#M1963 <P>How are the Firewalls configured? Are they in L2 mode bridging traffic between VLANs? If so, then the switches likely will get their own MACs back on the MLT/SMLT ports on a different VLAN than they have sent traffic out. If this is the setup, then you will need to issue this command:&nbsp;</P><P>"no sys control virtual-ist mac-move-protection"</P><P>This will ensure that the switch MACs are not moved to the vIST automatically as a switch in normal cases does not want to see its own, or its peer MACs on SMLT ports.</P><P>If the FWs are in pure routing mode, then this command is not required.</P><P>Roger</P> Mon, 07 Nov 2022 08:55:10 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/voss-clustered-core-vist-mlt-to-firewall-ha-lacp/m-p/93660#M1963 Roger_Lapuh 2022-11-07T08:55:10Z https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/voss-clustered-core-vist-mlt-to-firewall-ha-lacp/m-p/93665#M1964 <P>Hello gklyde17,</P><P>I would prefer to do it as in drawing below<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Clustered Core VIST MLT to Firewall (HA) LACP.png" style="width: 999px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6215i52866A9316DD80A9/image-size/large?v=v2&amp;px=999" role="button" title="Clustered Core VIST MLT to Firewall (HA) LACP.png" alt="Clustered Core VIST MLT to Firewall (HA) LACP.png" /></span></P><P>When VSP's are in SMLT/vIST cluster configuration you can connect other devices, eg. a FireWall, servers, switches, ... with a LAG (active or static (LACP active&nbsp; or LACP static or MLT, Etherchanel, ...)) to both VSP switches.<BR />When one of the VSP's fails, both FW's still have one active link.</P><P>On the VSP switches you would have a configuration like this.<BR />Only configuration for VSP port 22 / SMLT-22 is shown.<BR />The same configuration must be applied to both SMLT cluster members for both ports/SMLT's.</P><P><STRONG>On both VSP SMLT cluster switches :</STRONG></P><P class="lia-indent-padding-left-30px"><FONT face="courier new,courier">mlt 22 enable name "SMLTxyz"<BR /></FONT><FONT face="courier new,courier">interface mlt 22<BR /></FONT><FONT face="courier new,courier">smlt<BR /></FONT><FONT face="courier new,courier">lacp enable key <FONT color="#808000"><STRONG>22</STRONG></FONT><BR /></FONT><FONT face="courier new,courier">exit</FONT></P><P class="lia-indent-padding-left-30px"><FONT face="courier new,courier">interface GigabitEthernet 22<BR /></FONT><FONT face="courier new,courier">encapsulation dot1q</FONT><BR /><FONT face="courier new,courier">exit</FONT></P><P class="lia-indent-padding-left-30px"><FONT face="courier new,courier">interface GigabitEthernet 22</FONT><BR /><FONT face="courier new,courier">name "SMLT-PORTxyz"<BR /></FONT><FONT face="courier new,courier">no shutdown</FONT><BR /><FONT face="courier new,courier">lacp key <FONT color="#808000"><STRONG>22 </STRONG></FONT>aggregation enable<BR /></FONT><FONT face="courier new,courier">lacp enable<BR /></FONT><FONT face="courier new,courier">no spanning-tree mstp force-port-state enable</FONT><BR /><FONT face="courier new,courier">exit</FONT></P><P>Hope it helps<BR />WillyHe</P> Mon, 07 Nov 2022 09:58:10 GMT https://community.extremenetworks.com/t5/extremeswitching-vsp-fabric/voss-clustered-core-vist-mlt-to-firewall-ha-lacp/m-p/93665#M1964 WillyHe 2022-11-07T09:58:10Z