LACP Negotiation on Switches Fails After a Firewall Is Deployed Between the Switches in Transparent Mode Because Firewall Configuration Is Not Adjusted Based on Switch Configuration

Publication Date: 2015-07-02
Issue Description
As shown in Figure 4-4, dynamic LACP runs between two or more pairs of interfaces on the switches. After a firewall is deployed between the switches in transparent mode, with the corresponding firewall interfaces bundled into Eth-Trunk interfaces, LACP negotiation fails. If LACP runs between only one pair of interfaces on the switches, the negotiation succeeds.

Figure 4-3 Networking diagram


Handling Process
1. Configure dynamic LACP on the switches and Eth-Trunk on the firewall (dynamic negotiation fails).

Switch configuration:




LACP negotiation status and firewall configuration:



The switch LACP negotiation status indicates that LACP negotiation between the switches fails. The root cause is that LACP packets are multicast packets. When the Eth-Trunk interface on the firewall receives an LACP packet, it sends the packet out through one randomly chosen member interface. Therefore, a packet sent by one switch on one member link may arrive at the peer switch on a different link, and the sent and received LACP packets do not match.

2. Configure dynamic LACP on the switches and add the pairs of upstream and downstream interfaces on the firewall to different VLANs.
Switch configuration:




LACP negotiation status and firewall configuration:



The switch LACP negotiation status indicates that LACP negotiation between the switches succeeds. Because each pair of upstream and downstream interfaces on the firewall is in its own VLAN (two VLANs in total), each pair forms a separate logical link, and the sent and received LACP packets are consistent.

3. Configure static LACP on the switches and Eth-Trunk interfaces as upstream and downstream interfaces on the firewall.
Switch configuration:




LACP negotiation status and firewall configuration:

Root Cause
Dynamic LACP negotiation packets transmitted between switches are in a fixed format (fixed destination MAC address). The firewall directly forwards the LACP packets without creating a MAC forwarding table, similar to BPDU processing. When the firewall broadcasts the packets through an Eth-Trunk interface, the packets sent from one switch are different from those received by the other. Consequently, LACP negotiation fails.
Suggestions
When LACP runs between switches and a firewall, adjust the firewall interface configuration based on the switch configuration. Two configuration modes are available: static and dynamic.
  • If static LACP is configured on the switches, configure Eth-Trunk on the firewall.
  • If dynamic LACP is configured on the switches, configure VLANs on the firewall to form a logical link for consistent sent and received LACP packets.
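The following Python model is an added illustration of the root cause and of the VLAN-based suggestion; it is constructed for this page and is not Huawei code or a vendor CLI. It models the transparent firewall as a forwarding decision only: in "eth-trunk" mode an LACPDU (destination MAC 01:80:c2:00:00:02) is flooded out a randomly chosen member link, as the case describes; in "vlan-pairs" mode each upstream/downstream pair is isolated in its own VLAN, so the egress link is fixed. Each switch port applies the LACP "partner's view of me" check: a mismatch is counted when a received LACPDU says the partner reached the port on a different link than the one it actually arrived on. The switch names, link numbering and the `run_lacp_exchange` helper are assumptions of this model.

```python
import random
from dataclasses import dataclass
from typing import Dict, List

# Slow Protocols group MAC address that every LACPDU is addressed to (IEEE 802.3ad / 802.1AX).
LACP_MULTICAST_MAC = "01:80:c2:00:00:02"


@dataclass(frozen=True)
class Lacpdu:
    """Minimal LACPDU: only the fields the consistency check needs (constructed model)."""
    dst_mac: str
    actor_switch: str   # "A" or "B"
    actor_port: int     # link (1-based) the actor transmitted on
    partner_port: int   # port the actor believes the partner used; 0 = not yet learned


def firewall_egress(mode: str, ingress_link: int, members: List[int], rng: random.Random) -> int:
    """Egress link the transparent-mode firewall picks for one LACPDU (model, not vendor code).

    "eth-trunk": ingress and egress links are bundled into Eth-Trunk interfaces, so the
    multicast LACPDU is flooded out one member link chosen at random.
    "vlan-pairs": each upstream/downstream pair is in its own VLAN, so the only possible
    egress is the link paired with the ingress link.
    """
    if mode == "eth-trunk":
        return rng.choice(members)
    if mode == "vlan-pairs":
        return ingress_link
    raise ValueError(f"unknown firewall mode: {mode}")


def run_lacp_exchange(mode: str, n_links: int, rounds: int, seed: int = 1) -> Dict[str, object]:
    """Exchange LACPDUs between switch A and switch B through the modelled firewall.

    Returns the number of LACPDUs delivered, how many failed the partner check, and
    whether negotiation would converge (no mismatches at all).
    """
    rng = random.Random(seed)
    members = list(range(1, n_links + 1))
    # partner[switch][local_link] = partner link learned from the last LACPDU received there
    partner = {"A": {m: 0 for m in members}, "B": {m: 0 for m in members}}
    mismatches = 0
    delivered = 0

    def receive(switch: str, rx_link: int, pdu: Lacpdu) -> None:
        nonlocal mismatches, delivered
        assert pdu.dst_mac == LACP_MULTICAST_MAC
        delivered += 1
        # The partner claims it reached us on pdu.partner_port; it must be the link we
        # actually received on, otherwise this port cannot enter the synchronized state.
        if pdu.partner_port and pdu.partner_port != rx_link:
            mismatches += 1
        partner[switch][rx_link] = pdu.actor_port  # learn which partner link sent it

    for _ in range(rounds):
        for link in members:
            # Switch A transmits on `link`; the firewall decides where it comes out.
            pdu = Lacpdu(LACP_MULTICAST_MAC, "A", link, partner["A"][link])
            rx_b = firewall_egress(mode, link, members, rng)
            receive("B", rx_b, pdu)
            # Switch B answers on the link it received on; again the firewall decides.
            reply = Lacpdu(LACP_MULTICAST_MAC, "B", rx_b, partner["B"][rx_b])
            rx_a = firewall_egress(mode, rx_b, members, rng)
            receive("A", rx_a, reply)

    return {"delivered": delivered, "mismatches": mismatches, "negotiated": mismatches == 0}


if __name__ == "__main__":
    for mode, links in (("eth-trunk", 2), ("eth-trunk", 1), ("vlan-pairs", 2)):
        print(mode, links, run_lacp_exchange(mode, n_links=links, rounds=50))
```

Running the model reproduces the three observations on this page: with two links bundled on the firewall the partner check fails repeatedly and negotiation does not converge; with a single pair of interfaces the random choice has only one outcome, so negotiation succeeds; and with the pairs separated into VLANs every LACPDU returns on the link it left from, so negotiation succeeds with two links as well.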
