I am looking to increase redundancy at a site by implementing HA with the firewall. Currently we only have a single one deployed, but we have purchased a second and are starting to work on the connectivity. The firewalls are FPR1140s, while the switches are CBS350-24XTs.
We currently use MS Hyper-V SET (Switch Embedded Teaming) to connect two server interfaces to our switches. In my testing I have found that if a server connection is lost, generally within 2-3 pings everything is updated between the switch and server, and connectivity is re-established on the other interface.
Since the firewalls run in an active/standby arrangement, my thought was I could create a port channel on the firewall. Two interfaces going to the "primary path" switch, with a third interface in the channel going to the "secondary path" switch. On each switch, I then have a corresponding LAG member config. The two switches have their own LAG between them to allow traffic to transit.
Switch 1 will be the STP root bridge, with Fast Link set to auto. This seems like it would give us good resiliency if we lose an interface or an entire network element. There looks to be a backup path that can be utilized once the LACP and STP protocols reconverge.
If FW1 fails, path should be SW1 > FW2
If SW1 fails, path should be SW2 > FW1
If SW1 & FW1 are both down, path should be SW2 > FW2
And vice versa.
Anyone have thoughts on this approach? I am trying to design around a network element SPOF.
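As an added example (not part of the original post), the following script models the topology described above as a graph and checks the three failure scenarios listed, then enumerates every single element, single link and pair of elements to see whether the server still reaches the active firewall. Node names (SRV for the Hyper-V host, SW1, SW2, FW1, FW2) and the link list are constructed from the post; the model assumes that once LACP and STP have reconverged any surviving link can forward traffic, and it treats each firewall link as an individual link rather than one LACP bundle, since LACP only bundles ports toward a single partner system and SW1/SW2 are described as separate switches.

```python
"""Reachability model of the HA design in the post (constructed example).

Nodes: SRV (Hyper-V host with SET team), SW1, SW2, FW1, FW2.
Links follow the post: SRV has one NIC to each switch, the switches share a
LAG, and each firewall has two links to SW1 (primary path) and one to SW2
(secondary path). Assumption: layer-2 reachability after reconvergence is
plain graph connectivity, and the firewalls run active/standby with FW1
active unless it has failed.
"""
from collections import deque
from itertools import combinations

FIREWALLS = ("FW1", "FW2")


def build_links(secondary_path=True):
    """Physical links from the post. secondary_path=False drops the third
    firewall interface (the one going to SW2) so the effect of that
    link can be compared."""
    links = [
        ("SRV", "SW1"), ("SRV", "SW2"),      # SET team members
        ("SW1", "SW2"),                      # inter-switch LAG
        ("FW1", "SW1"), ("FW1", "SW1"),      # primary path, two members
        ("FW2", "SW1"), ("FW2", "SW1"),
    ]
    if secondary_path:
        links += [("FW1", "SW2"), ("FW2", "SW2")]
    return links


def surviving_graph(links, failed_nodes=(), failed_links=()):
    """Adjacency of what is left after removing nodes and individual links."""
    adj = {}
    for idx, (a, b) in enumerate(links):
        if a in failed_nodes or b in failed_nodes or idx in failed_links:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, src, dst):
    """Breadth-first search: is dst reachable from src?"""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def active_firewall(failed_nodes):
    """Active/standby: first surviving firewall in FIREWALLS order is active."""
    for fw in FIREWALLS:
        if fw not in failed_nodes:
            return fw
    return None


def path_survives(failed_nodes=(), failed_links=(), links=None):
    """True if SRV still reaches the active firewall."""
    links = build_links() if links is None else links
    fw = active_firewall(failed_nodes)
    if fw is None:
        return False
    return reachable(surviving_graph(links, failed_nodes, failed_links), "SRV", fw)


def single_points_of_failure(links=None):
    """Network elements (other than the host itself) whose loss breaks the path."""
    links = build_links() if links is None else links
    nodes = {n for link in links for n in link} - {"SRV"}
    return sorted(n for n in nodes if not path_survives({n}, links=links))


def link_single_points_of_failure(links=None):
    """Individual links whose loss alone breaks the path."""
    links = build_links() if links is None else links
    return [links[i] for i in range(len(links))
            if not path_survives(failed_links={i}, links=links)]


def fatal_pairs(links=None):
    """Pairs of elements whose joint loss breaks the path."""
    links = build_links() if links is None else links
    nodes = sorted({n for link in links for n in link} - {"SRV"})
    return [pair for pair in combinations(nodes, 2)
            if not path_survives(set(pair), links=links)]


if __name__ == "__main__":
    for scenario in ({"FW1"}, {"SW1"}, {"SW1", "FW1"}):
        print(sorted(scenario), "->", "ok" if path_survives(scenario) else "DOWN")
    print("element SPOFs:", single_points_of_failure())
    print("link SPOFs:", link_single_points_of_failure())
    print("fatal pairs:", fatal_pairs())
    print("element SPOFs without secondary path:",
          single_points_of_failure(build_links(secondary_path=False)))
```

With the full link list the only fatal combinations are both firewalls or both switches failing together, which is the expected floor for a two-of-each design; dropping the third firewall interface makes SW1 a single point of failure, which is the case the secondary path is there to cover.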