03-24-2017 01:48 PM
Anybody think of a situation where I would prefer a layer 2 connection over a vwire in a basic setup? i.e. [users]--[core switch]--[PA]--[router]
Right now I have:
([switch] --VW--[PA]--VW--[router])x4
Moving (becuase of lack of PA support for LACP LAG's with VWire)
([switch] --L2--[PA]--L2--[router])x2
Only caveat is [switch] and [router] in one big HSRP cluster all interconnected with LAG's so not sure if the HSRP level stuff changes whether PA using L2 of VWIRE, i.e. setup is really [switch]x2 { HSRP } [router]x2
Not really looking for a conversation about HSRP, etc more just curious is there any situation where I would prefer a L2 relationship over a VWire?
03-27-2017 12:16 AM
Lack of support for LACP? I've just succesfuly configured VW between 2 AE groups (with 2 interfaces each).
Perosnally I've never used Layer 2 mode in PA.
03-27-2017 01:02 AM
as @santonic already mentioned, LACP is available for vwire aggregates as well 🙂
other than that, Layer2 has a few advantages over vwire depending on your needs: for ease of use, and if you don't need to manipulate any of your vlans, vwire is perfect for your setup.
A layer2 setup does allow you to bridge vlans and if needed 'untangle' the switch side vlans to an untagged or single vlan on the router side
03-27-2017 08:15 AM
I've used Layer2 mainly for "untangling" vlans or in situations where multiple agencies or buildings are using the same vlan number for different purposes. I'm also pretty likely to simply deploy layer3 in these types of situations though and simply re-engineer the buildings network anyways, but a layer2 setup is a pretty quick bandage to get things working.
04-04-2017 01:18 PM
I'm interested to know what your LLDP profile looks like. This is something I'm looking to implement as well.
04-04-2017 11:11 PM
LCAP Pre-negotiation doesn't work in all scenarios, this I can confirm. For example, we have have a Cat6500 core with two PA firewalls in vWire HA active/passive mode that connect upstream to 2x Nexus 5548 switches running VPC. Whenever the secondary PA tries to pre-negotiate the LACP ports (for subsecond failover), all traffic stops forwarding through both firewalls.
You may ask why we are not running in active/active HA, but that is a whole different problem (that could never be resolved by PA) hence why we are running active/passive.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
