Yes, firewall will create an aggregation port and assign an ip address, and connect to 2x layer 2 switches (Cisco 2960), which is access port, then the bottom core switch will create interface vlan with HSRP. So will there be any issue to ping from core switch to firewall aggregation port?

It is alright as long as the switches are in stack.

unfortunately these switches can't be stack, so the answer is can't setup as the diagram? 

No you can't because an etherchannel cannot span multiple separate switches.

You need the switches to be stacked as Rejohn says, or 4500/6500 running VSS or Nexus with vPC.

What are the core switches and do they match any of the above ?

Jon

Our core switch is not able to stack as well...So is there any way to create the redundancy in between the single firewall and 2 core switches? In case the one of the core switch i still can access to firewall..

I haven't done Checkpoints for a long time so don't know what they support.

For example the ASA firewall supports the concept of a redundant interface which means you can pair two interfaces together on the firewall but connect them to different switches.

Only one interface is active unless it fails and then the backup interface can take over.

Is there something similar on your firewall ?

Jon

Yes, in checkpoint they do have the similar setup which is called bonding interface with active-backup mode in GAIA OS. My checkpoint is using IPSO OS, and it is not support the bonding interface...

Hi  vovochka83,

I have similar problem too. We have a checkpoint firewall that I want to connect to two  switches and the LAN behind firewall should be learned through OSPF in the cisco switches.

I am thinking that the two switches should run HSRP and the gateway for the firewall is the HSRP Vip. However I also want to run the OSPF  between the firewalls and the Switches so that the switches know the LAN behind firewalls  via ospf.

appreciate your help in advance.