Active/Passive HA cabling to Cisco Switch Stack or Nexus

L4 Transporter

I am looking for a cabling recommendation diagram for LACP portchannels from Cisco Switch Stacks or Nexus to HA Palo Alto Pair. Nexus can obviously use vPC feature so it may be slightly different than a switch stack. 

 

Switch stack cabling currently:

 

Cisco SW#1 - Port gi1/0/1 ---> PA3050 (Active) Eth1/1

Cisco SW#2 - Port gi1/0/2 ---> PA3050 (Passive) Eth1/1

 

Cisco SW#1 - Port gi2/0/1 ---> PA3050 (Active) Eth1/2

Cisco SW#2 - Port gi2/0/2 ---> PA3050 (Passive) Eth1/2

 

This results in LACP etherchannels on the Cisco side connecting to PA ae1 on both devices since they are mirrored.

 

**I am not sure if on the Cisco Switch side I can make all 4 links part of the same etherchannel? I know by default the ports on the Passive unit are shut down, but I think you can set them to be on so the failover is faster, so with them in an UP state on the passive, will this cause issues with valid traffic going to the passive state unit? I would assume not, but not sure.

 

 

I would do the same for the Nexus as far as cabling, I would just use one vPC for all 4 links to the PA pair.

 

Is this an ok design or should I be running single etherchannels from each single switch to one PA in the pair?

 

2 link etherchannel off of SW#1 to ports 1/2 on Active PA

2 link etherchannel off of SW#2 to ports 1/2 on Passive PA

 

 

 

L7 Applicator

 


@s.williams1 wrote:

**I am not sure if on the Cisco Switch side I can make all 4 links part of the same etherchannel?

 

Do not use a 4-port etherchannel.  You should create two 2-port etherchannels, with 2 ports going to fw1, and 2 ports going to fw2.  

At this point, either cabling method works:

 - 2-ports from sw1 going to fw1, and 2-ports from sw2 going to fw2, or...

 - 1-port/ea from sw1+sw2 to fw1, and 1-port/ea from sw1+sw2 to fw2.  

 

The main thing to consider here is "switch maintenance" and the potential impact it will have on the firewalls.  If I'm not mistaken, a code upgrade or switch reload becomes a stack upgrade and stack reload with most stacking technologies.  If both firewalls are connected to different switches in the same stack, then a switch maintenance event will be disruptive to firewall connectivity.  Ideally you'd have one etherchannel to one stack, and the 2nd etherchannel to a different stack.  

 

I believe vPC would be less disruptive since each vPC switch has its own control plane and can operate independent from its peer.  In this scenario, switch maintenance could be disruptive to the firewalls - but it would depend on the vPC implementation and your cabling choice.  
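
The second cabling option from the reply above (one port from each stack member to each firewall, as two separate 2-port LACP etherchannels), sketched as Cisco IOS configuration. This is an added example, not part of the original posts; the interface numbers, the port-channel numbers, and the firewall side being ae1 on ethernet1/1 and ethernet1/2 of both units are assumptions for illustration.

```cisco
! Constructed example. Interface and port-channel numbers are assumptions.
! Po1 -> fw1 (ae1), Po2 -> fw2 (ae1): two 2-port bundles, not one 4-port bundle.
!
! Po1: one member on each stack switch, both cabled to fw1
interface GigabitEthernet1/0/1
 description fw1 ethernet1/1 (ae1)
 channel-group 1 mode active
interface GigabitEthernet2/0/1
 description fw1 ethernet1/2 (ae1)
 channel-group 1 mode active
!
! Po2: one member on each stack switch, both cabled to fw2
interface GigabitEthernet1/0/2
 description fw2 ethernet1/1 (ae1)
 channel-group 2 mode active
interface GigabitEthernet2/0/2
 description fw2 ethernet1/2 (ae1)
 channel-group 2 mode active
!
! Keep the Layer 2 settings (access/trunk mode, allowed VLANs) identical on
! Port-channel1 and Port-channel2, so whichever firewall is active after a
! failover is presented with the same VLANs.
interface Port-channel1
 description fw1 ae1
interface Port-channel2
 description fw2 ae1
!
! Verify from exec mode that each bundle formed with its own LACP partner:
!   show etherchannel summary
!   show lacp neighbor
```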

 

L4 Transporter

Only having a single 2 switch, switch stack, the upgrade of IOS will be disruptive regardless, so that will require a Maint window for sure. I didn't think a 4 port etherchannel was a good idea but have seen it done at my last company and always questioned it. Nexus would be less disruptive with ISSU, but that being said if I have two links connected to the same FW from each switch, the firewall wouldn't failover when I reboot one of the Nexus switches, it would just be a 1g link as opposed to 2g bonded for the time of the reboot.

L7 Applicator

Looks like you have a good understanding of the considerations now!  
