07-13-2012 01:16 PM
Since link aggregation (LACP or etherchannel) is only supported on PA4000++ I want to build a simple interface-failover / interface-group setup (like any other enterprise firewall allows even on low-end devices).
To do this I would do the following:
1. change interface mode to Layer2 on both interfaces making up the interface-group
2. create a layer2 subinterface each (with same id and vlan tag)
3. associate both to the same vlan
4. enable L3 forwarding on the vlan
5. create a VLAN interface and assign it the IP the firewall (on its interface-group) should have
6. connect each port to a different switch
7. enable STP (on switch)
8. cross fingers
(with 2. only required when this is a trunk with multiple vlans)
It seems to work but is something like this supported?
07-23-2012 03:40 PM
Had a quick chance to try this out in the lab. Here's what I did:
1.) Created new VLAN
2.) Created new VLAN interface (with L3-forwarding enabled)
3.) Placed new VLAN interface into appropriate security zone (L3-Trust in my configuration)
4.) Assigned new VLAN interface an IP Address (192.168.1.1/24 in my config)
5.) Configured 2 firewall ports as "Layer 2" and placed them into the newly created VLAN from step #1
On the switch side, I created a vlan in a Brocade switch with 3 access ports. I also enabled spanning-tree in this VLAN. Of the 3 ports, 2 go to the firewall and one to a test laptop.
In this configuration, everything works fine! It takes 30-45 seconds to fail over, and about 15s to fail back - which is expected for standard spanning-tree behavior.
I don't see why this wouldn't work using sub-interfaces and vlan tags as well. Same concept. Don't see why it wouldn't be supported either. As long as you have some sort of loop prevention technology running, it's a perfectly valid network design. It's not optimal, and you could probably get better failover and worry less about spanning-tree if you had a pair of firewalls using Active/Passive High Availability.
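As an added illustration of the five-step lab setup above (not posted by either participant), the same design expressed as PAN-OS CLI "set" commands; the syntax is from memory and should be checked against the running PAN-OS version, and the port names ethernet1/3 and ethernet1/4, the VLAN object name fw-vlan, the L2 zone name, the "default" virtual router and the VLAN tag 10 are assumptions, while 192.168.1.1/24 and L3-Trust are the values from the reply.

```text
# Lines beginning with "#" are annotations, not CLI input; strip them before pasting.

# 1. Put both physical ports in Layer 2 mode (port names assumed)
set network interface ethernet ethernet1/3 layer2
set network interface ethernet ethernet1/4 layer2

# 2. Layer 2 interfaces belong in a Layer 2 zone (zone name assumed)
set zone L2-Uplink network layer2 [ ethernet1/3 ethernet1/4 ]

# 3. Create the VLAN object and make both ports members of it
set network vlan fw-vlan interface [ ethernet1/3 ethernet1/4 ]

# 4. Create the VLAN (Layer 3) interface, assign the IP, zone and virtual router
set network interface vlan units vlan.10 ip 192.168.1.1/24
set zone L3-Trust network layer3 vlan.10
set network virtual-router default interface vlan.10

# 5. Attach the VLAN interface to the VLAN object (this is the "L3 forwarding" step)
set network vlan fw-vlan virtual-interface interface vlan.10

# Trunk variant (step 2 of the original question): tag a subinterface on each port
# and make the subinterfaces, not the parent ports, the VLAN members (tag assumed)
set network interface ethernet ethernet1/3 layer2 units ethernet1/3.10 tag 10
set network interface ethernet ethernet1/4 layer2 units ethernet1/4.10 tag 10
set network vlan fw-vlan interface [ ethernet1/3.10 ethernet1/4.10 ]

# After commit: confirm the VLAN interface is up and see which member port carries traffic
show interface vlan.10
show vlan all
```

Loop prevention still lives entirely on the switch side: with both ports in the same VLAN and no STP, the firewall will forward between them as an ordinary Layer 2 switch would.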