Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
844
Views
5
Helpful
6
Replies

LACP Question

joestalone
Level 1
Level 1

‎01-26-2019 08:57 AM

I was given the attached design to implement a pair of PA 5050's between the user segment and the data center. Can anyone tell me if this is a valid LACP connection? I have never seen it done without a Stacking or VPC link on the other end of the port-channels.  I am going to try to set it up in our lab but i was hoping someone could tell me if it is even valid and if you would need specific code to make it work. The PA's would be routing in active/standby not in V-wire, the 7k’s do have a VPC link and the 4500’s are VSS. The 4500x's and the 7k's are directly connected today. 

 

 

1 person had this problem
Labels:
Preview file
58 KB
0 Helpful
6 Replies 6

ngkin2010
Level 7
Level 7

‎01-26-2019 09:26 AM

Hi.

What is the purpose to setup LACP if the firewall (PA 5050) are in active/passive operation mode?
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎01-26-2019 09:31 AM

Can you confirm is Nexus 7K they are connected each other ? or they seperate devices ?

 

if they are in vPC, you can deploy enhanced vPC and support clustering, not sure palo(not remmeber myself correctly - top of my head they do support cluster) have that feature like  ASA support.

 

High level if 7K's connected each other and 4K's connected each other. HLD level is good.

 

where is the users connected ? how is network flow towards Internet (if this internet edge FW), or is these PA are internal FW ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

joestalone
Level 1
Level 1
In response to balaji.bandi

‎01-26-2019 09:42 AM

The users are connected to the 4500x’s through 3850 floor switches.

The user firewall is internal only. The edge firewall currently hangs off the 7k’s. The users will have to go through 2 firewalls to get to the internet in this design.

 

thank you

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to joestalone

‎01-26-2019 10:50 AM

So these are inernet edge FW, how is you exiting system working ? do you have any topology of that.

 

if you have aleady connected like below setup ;

 

Access Switch (3850)---4KSwitch----Nexus7K Switches ---Internet

 

then instead of introucing in the middle. you can have all the connected to nexus 7K inside/ outside and DMZ (if the requirement there) with the segement of VLANs or port-channels.

 

like below :

 

Access Switch (3850)---4KSwitch----Nexus7K Switches --PA---Internet

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

joestalone
Level 1
Level 1
In response to balaji.bandi

‎01-26-2019 11:13 AM

Today the edge firewall does just hangs off of the 7k’s. Just like you have it described above. I like that idea and not sure why we did not think of that. If I understand correctly we would just add the user segment existing edge firewall sort of like a user DMZ and not introduce the 5050’s in the middle.

 

Thank you for your response.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to joestalone

‎01-26-2019 01:46 PM

That is the best i can think of. you can do l2/ l3 segmentation.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents