I’m trying to determine the best way to connect multiple links from a L3 core stack to an edge firewall as part of a network refresh. As it stands, there’s an SVI on the core and an IP in the same subnet on the firewall, with the switchport connected to the firewall untagged (access port) on the corresponding SVI VLAN. This VLAN is also used for other devices, so the link between core and firewall is part of a larger broadcast domain. The firewall is already configured as an L3 interface, so it simply ignores that traffic, but it seems messy.
I see three avenues.
1) L2 EtherChannel - uses SVI & untagged on the switch port (current setup, except add another link). Unclear whether this will actually work with LACP since one end is L2 and one is L3.

2) L3 EtherChannel + routed ports + re-IP firewall to core interfaces with a /30. Seemingly better than L2 since it removes all STP-related concerns and removes that link from any broadcast domain.

3) ECMP - although interesting, our team is small and I don’t see this being the simplest approach. Also unclear how this works on both the firewall appliance and the stack.
I am pretty much 100% on option 2 but have a couple questions:
- Can a Cisco stack (StackWise Virtual) support L3 LACP EtherChannel? I read somewhere that LACP is not supported on a stack using L3 routed ports (no switchport config). Must it be static?

- I read that a L3 switch routed port just uses an SVI under the hood. So is there any actual benefit to using this routed port method, outside of it simply doing some background configs for me like disabling STP? Is it the same as creating a dedicated VLAN and SVI and disabling STP? Or does a routed port get handled differently from a hardware perspective? I know some devices use a dedicated chip vs. CPU for certain tasks, such as EdgeRouters. I recall reading something along those lines for Cisco regarding ASICs.
Appreciate any guidance!
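For readers weighing option 2, this is what the switch side looks like as a Cisco IOS-style configuration. It is an added example, not configuration from the original post or from any particular deployment: the interface names, port-channel number, stack slots and the 192.0.2.0/30 transit addresses are assumed placeholders. The point of the layout is that the firewall link gets no VLAN and no SVI, so it sits outside the user broadcast domain and outside spanning tree entirely.

```cisco
! --- Core stack, switch side (Cisco IOS-style; all names and addresses are assumed) ---
! Routed port-channel: no VLAN, no SVI, not part of any broadcast domain or STP instance.
! Configure the port-channel as routed before adding members.
interface Port-channel10
 description Transit to edge firewall (routed /30)
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
! One member per stack member (assumed slots 1 and 2) so the bundle survives a chassis failure.
! Each member must be "no switchport" before it joins the routed channel-group.
! "mode active" is LACP; if the platform only allows static bundling on routed ports
! (the question the post raises), the static equivalent is "mode on" on both ends.
interface TenGigabitEthernet1/0/1
 description FW link 1
 no switchport
 no ip address
 channel-group 10 mode active
!
interface TenGigabitEthernet2/0/1
 description FW link 2
 no switchport
 no ip address
 channel-group 10 mode active
!
! Default route toward the firewall, which holds 192.0.2.2/30 on its own aggregate interface.
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
! Checks after cabling: members should show (P) bundled under Po10, and Po10 should be up/up.
show etherchannel 10 summary
show ip interface brief | include Port-channel10
show spanning-tree interface Port-channel10
```

The last `show spanning-tree` command is the quick way to confirm the link is no longer participating in STP; on a routed port-channel it returns no instance, which is the behaviour option 2 is chosen for. The firewall end mirrors this with its own aggregate interface carrying 192.0.2.2/30 and the matching bundling mode, so mismatched modes (LACP on one side, static on the other) are the first thing to rule out if the bundle does not come up.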