LACP negotiation fails after a transparent-mode firewall is inserted

Publication Date: 2012-09-19
Issue Description
Network topology:
SW1 1/0/47 ------ 0/0/0 USG5300 0/0/2 ------ 1/0/47 SW2
SW1 1/0/48 ------ 0/0/1 USG5300 0/0/3 ------ 1/0/48 SW2
1. The switches run dynamic LACP between them, with at least two pairs of interfaces running the LACP protocol. After a transparent-mode firewall is inserted between them, with the corresponding firewall interfaces bound to an Eth-Trunk, LACP negotiation fails. If the switches have only one interface running LACP, negotiation through the transparent-mode firewall succeeds.
Alarm Information
none
Handling Process
1. With LACP configured on the switches and an Eth-Trunk configured on the firewall, dynamic negotiation fails.
The negotiation state on the switches shows that the underlying reason LACP negotiation fails is that LACP messages are multicast messages. After the firewall's Eth-Trunk interface receives such a multicast message, it sends the message out of one of its member interfaces, and that interface is chosen randomly, so it cannot be guaranteed that the LACP messages from a switch interface are always the same.
2. With LACP configured on the switches, each firewall upstream interface and its corresponding downstream interface are assigned to the same VLAN, and different upstream/downstream interface pairs belong to different VLANs.

   The LACP negotiation state shows that LACP negotiation between the switches succeeds: the firewall is divided into 2 VLANs, which logically form separate physical links and ensure that the LACP messages sent and received by the interfaces on the 2 switches correspond.
3. With LACP configured on the switches, Eth-Trunk is configured on the firewall upstream and downstream interfaces.
Root Cause
LACP on the switches works through negotiation messages, which have their own format. LACP messages are handled the same way as BPDUs: no MAC forwarding table entry is built and the message is flooded directly. When an Eth-Trunk interface is configured on the firewall, the firewall floods the LACP messages out, so the LACP negotiation messages sent and received by the switches at both ends do not match and negotiation fails.
Suggestions
When configuring LACP between switches and a firewall, the firewall can be configured with an Eth-Trunk. If the switches use dynamic LACP for link aggregation, the firewall needs to be divided into several VLANs, which logically form separate physical links and ensure that the LACP messages sent and received by the interfaces on the 2 switches correspond.

The aggregation interfaces of the switch can be divided into different VLANs: an upstream interface and its downstream interface are put in the same VLAN, and different upstream/downstream pairs are put in different VLANs.
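
The forwarding behaviour described under Root Cause and Suggestions, as a small simulation added here (not Huawei code or firewall configuration). It assumes the upstream and downstream firewall ports form the two sides of the Eth-Trunk case, and that the VLAN fix pairs 0/0/0 with 0/0/2 and 0/0/1 with 0/0/3; the function names are hypothetical.

```python
import random

# Constructed model of the page's topology: firewall port -> attached switch port.
LINKS = {"0/0/0": "SW1:1/0/47", "0/0/1": "SW1:1/0/48",
         "0/0/2": "SW2:1/0/47", "0/0/3": "SW2:1/0/48"}
UPSTREAM, DOWNSTREAM = ["0/0/0", "0/0/1"], ["0/0/2", "0/0/3"]

# Assumed VLAN pairing for the fix: 0/0/0 with 0/0/2, 0/0/1 with 0/0/3.
VLAN_PEER = {"0/0/0": "0/0/2", "0/0/2": "0/0/0",
             "0/0/1": "0/0/3", "0/0/3": "0/0/1"}


def eth_trunk_forward(in_port, rng):
    """Failing case: the LACPDU leaves on a random member interface of the far side."""
    return rng.choice(DOWNSTREAM if in_port in UPSTREAM else UPSTREAM)


def vlan_pair_forward(in_port, rng):
    """Working case: each VLAN holds one upstream and one downstream port."""
    return VLAN_PEER[in_port]


def partners_seen(forward, rounds=50, seed=1):
    """Send `rounds` LACPDUs from every switch port through the firewall and
    return, per switch port, the set of remote ports it heard from."""
    rng = random.Random(seed)
    seen = {sw_port: set() for sw_port in LINKS.values()}
    for _ in range(rounds):
        for fw_in, sender in LINKS.items():
            receiver = LINKS[forward(fw_in, rng)]
            seen[receiver].add(sender)
    return seen


def can_converge(seen):
    """LACP needs every port to keep hearing one and the same partner port."""
    return all(len(partners) == 1 for partners in seen.values())


if __name__ == "__main__":
    for name, fwd in (("eth-trunk", eth_trunk_forward), ("vlan pairs", vlan_pair_forward)):
        seen = partners_seen(fwd)
        print(name, "converges:", can_converge(seen))
        for port, partners in sorted(seen.items()):
            print("  ", port, "hears", sorted(partners))
```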
