591 Views 3 Replies Latest reply: Jul 9, 2013 3:00 PM by mtuma RSS
sidewind-rr Newcomer 4 posts since
Jul 5, 2013

Jul 5, 2013 7:57 AM

LACP

For design considerations I am considering enabling LACP between our core switches and McAfee firewalls.

 

From what I understand, (note from the Sidewinder 8_30 Admin Guide)

 

Before you enable an Aggregate group on the firewall, make sure your connected switches are properly configured and segmented. Switches with dynamic LACP enabled might place all LACP traffic in the default VLAN. This can create a traffic loop in your network. To avoid this problem, configure your switch for static LACP (Aggregate) groups that are assigned to different segmented VLANs.

 

Is dynamic LACP available and not encouraged because of this possible loop? Or is dynamic not supported and perhaps on a road map for future release of McAfee firewalls?

 

 

Advantages over static configuration

Source: Wikipedia https://en.wikipedia.org/wiki/Link_aggregation#Link_Aggregation_Control_Protocol

*The Wikipedia source is from Dell.ca, so am I correct to assume the following statements are applicable to our McAfee Sidewinder Firewalls?

 

Static LACP Failover occurs automatically: When a link fails and there is (for example) a media converter between the devices, a peer system will not perceive any connectivity problems. With static link aggregation the peer would continue sending traffic down the link causing the connection to fail.

Dynamic configuration: The device can confirm that the configuration at the other end can handle link aggregation. With Static link aggregation a cabling or configuration mistake could go undetected and cause undesirable network behavior.

  • mtuma McAfee SME 314 posts since
    Nov 3, 2009
    1. Jul 8, 2013 10:31 AM (in response to sidewind-rr)
    Re: LACP

    Hello,

     

    I had to do some research on my own about the differences between static and dynamic LACP.

     

    >Is dynamic LACP available and not encouraged because of this possible loop? Or is dynamic not supported and perhaps

    >on a road map for future release of McAfee firewalls?

     

    I see no indication that dynamic LACP will not work with Firewall Enterprise, the warning only seems to indicate that a misconfiguration of the switch along with the use of dynamic LACP could possibly cause a loop.

     

    In fact, I have LACP with 10g links set up in my lab right now and I am fairly certain that it is dynamic LACP as the ports in the group communicate with each other in order to determine if they are up or not.

     

    Hope this helps.

     

    -Matt

  • mtuma McAfee SME 314 posts since
    Nov 3, 2009
    3. Jul 9, 2013 3:00 PM (in response to sidewind-rr)
    Re: LACP

    I see no indication of any restrictions with regards to HA. When there are problems with using two features together (like HA and LACP), we typically document that in the product guide, as well as preventing you from configuring it in the GUI.

     

    -Matt
