3 Replies Latest reply: Jul 9, 2013 3:00 PM by mtuma



      For design considerations I am considering enabling LACP between our core switches and McAfee firewalls.


      From what I understand (note from the Sidewinder 8_30 Admin Guide):


      Before you enable an Aggregate group on the firewall, make sure your connected switches are properly configured and segmented. Switches with dynamic LACP enabled might place all LACP traffic in the default VLAN. This can create a traffic loop in your network. To avoid this problem, configure your switch for static LACP (Aggregate) groups that are assigned to different segmented VLANs.


      Is dynamic LACP available and not encouraged because of this possible loop? Or is dynamic not supported and perhaps on a road map for a future release of McAfee firewalls?



      Advantages over static configuration

      Source: Wikipedia https://en.wikipedia.org/wiki/Link_aggregation#Link_Aggregation_Control_Protocol

      *The Wikipedia source is from Dell.ca, so am I correct to assume the following statements are applicable to our McAfee Sidewinder Firewalls?


      Static LACP Failover occurs automatically: When a link fails and there is (for example) a media converter between the devices, a peer system will not perceive any connectivity problems. With static link aggregation the peer would continue sending traffic down the link, causing the connection to fail.


      Dynamic configuration: The device can confirm that the configuration at the other end can handle link aggregation. With static link aggregation a cabling or configuration mistake could go undetected and cause undesirable network behavior.

        • 1. Re: LACP



          I had to do some research on my own about the differences between static and dynamic LACP.


          > Is dynamic LACP available and not encouraged because of this possible loop? Or is dynamic not supported and perhaps on a road map for a future release of McAfee firewalls?


          I see no indication that dynamic LACP will not work with Firewall Enterprise, the warning only seems to indicate that a misconfiguration of the switch along with the use of dynamic LACP could possibly cause a loop.


          In fact, I have LACP with 10G links set up in my lab right now, and I am fairly certain that it is dynamic LACP, as the ports in the group communicate with each other in order to determine whether they are up or not.


          Hope this helps.



          • 2. Re: LACP

            Thank you Matt (mtuma), this does help.


            Should I have any design concerns for HA (Active/Active) of Firewall Enterprise coordinating with LACP?




            Message was edited by: sidewind-rr on 7/9/13 10:28:24 AM CDT
            • 3. Re: LACP

              I see no indication of any restrictions with regards to HA. When there are problems with using two features together (like HA and LACP), we typically document that in the product guide, as well as preventing you from configuring it in the GUI.