
EXOS switches to firewalls design

gaurav-pandya
New Contributor II

Hi,

We are planning to put 2 EXOS as WAN switches in front of firewalls. We have 2 firewalls in HA mode. WAN design will look like attached diagram. I have couple of queries.

1. MLAG configuration is must for this design?

2. If MLAG is configured, ISC link will pass BPDUs and STP will work as expected?

 

Thanks in advance.

 

Brent_Addis
Contributor

MLAG is fine. As someone who's been implementing Spanning Tree for 25 years: don't run spanning tree.

IMHO spanning tree is a legacy loop-edge detection mechanism. Use ELRP instead.

If you have a layer 2 design between your upstream links, use EAPS. Way faster than spanning tree.

If you're worried about port down issues, set up a redundant port, or CFM.

If you're worried about routing? Set up BGP.

 

-----
-Brent Addis / Extreme Black Belt #491

New to Extreme? Check out the Welcome series here - https://training.extremenetworks.com/welcome-series-1
Want to join the official Extreme learners discord? Let me know!

Keith9
Contributor III

This works for us. We have two locations where both have two x690 switches and they are cross connected to Palo Alto Firewalls in Active/Standby HA. The ae1.x interface on the firewalls contains all the VLANs we need (router on a stick basically). Plenty of bandwidth because all 4 ports are 10GbE SFP+ LC fiber connections.

Example SW-1
1:39 To Palo Alto FW Primary ethernet1/19
1:40 To Palo Alto FW Secondary ethernet1/19

snippet of sh mlag ports
139 1:39 A Up SW-2 Up 0 0
140 1:40 A Up SW-2 Up 0 0

snippet of sh sharing
1:39 1:39 LACP 1 L3_L4 A 1:39 Y A 5
1:40 1:40 LACP 1 L3_L4 A 1:40 Y A 5

snippet of relevant config:
enable mlag port 1:39 peer "SW-2" id 139
enable mlag port 1:40 peer "SW-2" id 140

enable sharing 1:39 grouping 1:39 algorithm address-based L3_L4 lacp
enable sharing 1:40 grouping 1:40 algorithm address-based L3_L4 lacp

Then the ports have the appropriate tagged vlans on them. 
We tested firewall failover (and updates) as well as switch updates (rebooting one at a time).  Seems to be working.

The firewall configuration will vary, but in Palo Alto, we have an aggregate group ae1 and under it are various sub-interfaces tied to the appropriate VLAN tag and security zone. LLDP is enabled, and on the Palo Alto side under LACP it's enabled in passive mode, fast transmission rate, the fast failover box is checked and "Enable in HA Passive state" is checked.

As far as spanning tree goes, we do NOT have enable stpd s0 autobind vlan <vlan name> on vlan MLAG-ISC (4094) 

 

Thanks Keith for sharing information.

Our agenda is to enable STP as well. We have 2 links from the same ISP and they will be connected to the 2 switches (in MLAG), so one link should be blocked. My question is: will the ISC link pass BPDUs?
