LAG created on an MS225 not working with a FPR1140 with sub-interfaces on its port-channel

ChickenDinner

Hi!

I am having trouble creating a LAG on an MS225 switch and having it work with a Cisco Firepower 1140 firewall that has a port-channel configured with sub-interfaces. I can create the LAG on the switch and the port-channel on the firewall, but the two do not seem to work with each other when I create a sub-interface on the firewall's port-channel with an IP and VLAN defined; essentially, there is no connectivity.

The only way it works is if I forgo creating a sub-interface on the firewall's port-channel and just configure an IP address on the port-channel itself on the firewall. This is how it's currently set up, and this works, but it is not how I want it, as I need to have those sub-interfaces to cater for various networks.

Here's an image of the current configuration. Port-channel1 works fine, as the IP address is defined on the channel itself and is on the default VLAN (1). If I were to remove the IP from the port-channel itself, add a sub-interface to it, and configure that with an IP and the relevant VLAN, that's where I run into the issue of no connectivity. Port-channel2 in the image is one I've set up for testing, and is essentially what port-channel1 looked like when I ran into this issue.

[Screenshot: current port-channel configuration on the Firepower 1140]

LACP mode on the firewall for the port-channel is configurable and is either "active" or "on". For both you can specify an active MAC address and standby MAC address. There are no other LACP-specific configuration options. I noticed on the switch there's no such variable you can configure beyond adding X number of ports to a LAG.

LACP mode on the firewall's port-channel is currently set to "Active", and this is the case for both the currently working condition and the preferred but not working condition.

Other than the configurable options for LACP on the port-channel of the firewall, am I missing anything obvious? The lack of configurable options on the switch only really leaves me the limited LACP settings on the firewall to consider. Not sure what else I can consider.

If it helps: the LAG on the switch (it's a stack of MS225s, 2 of them) is spread across the stack. 1 LAG of 2 ports (39 on each switch) goes to one firewall, and 1 LAG of 2 ports (40 on each switch) goes to the other firewall (HA pair of FPR 1140s).
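For reference, here is the shape of the setup the original post describes, written out as an added example rather than the poster's actual configuration. The firewall side uses the ASA-style syntax that the FTD CLI prints for "show running-config" on an FMC-managed Firepower; the interface names, VLAN ID and addresses are illustrative assumptions. The point a practitioner would want to check is on the switch side: as soon as the IP moves from the parent port-channel to a sub-interface, the firewall sends 802.1Q-tagged frames for that VLAN over the bundle, so the LAG's member ports on the MS must be trunk ports that allow that VLAN; the untagged parent (native VLAN 1) keeps working regardless, which is the symptom described above.

```text
! Firepower 1140 (FTD) side, ASA-style as shown by "show running-config".
! Interface names, VLAN 10 and 192.0.2.1/24 are assumed values for illustration.
interface Ethernet1/1
 channel-group 1 mode active
interface Ethernet1/2
 channel-group 1 mode active
!
! Parent port-channel: no IP once sub-interfaces carry the networks.
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
! Sub-interface: frames leave Port-channel1 tagged with VLAN 10.
interface Port-channel1.10
 vlan 10
 nameif inside-vlan10
 security-level 100
 ip address 192.0.2.1 255.255.255.0

! Meraki MS225 side (dashboard, no CLI). The two LAG member ports
! (port 39 on each stack member) are configured as one aggregate:
!   Type:          trunk
!   Native VLAN:   1        <- untagged frames (the parent port-channel) land here
!   Allowed VLANs: 1,10     <- must include every sub-interface VLAN
! An access port, or a trunk whose allowed list omits VLAN 10, drops the tagged
! frames, giving "no connectivity" on the sub-interface while VLAN 1 still works.

! Checks on the FTD CLI (the bundle itself, then the tagged sub-interface):
> show port-channel summary        ! members should be flagged as bundled
> show interface Port-channel1.10  ! confirms VLAN 10 and shows packet counters
```

If the port-channel summary shows the members bundled but the sub-interface counters only ever increment on output, the LACP side is fine and the problem is the VLAN handling on the switch ports, not the LACP mode.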

Inderdeep

@ChickenDinner: Did you do that?

When configuring LACP between Meraki MS and Catalyst, it may be advantageous on the Catalyst switch to disable the feature "spanning-tree etherchannel guard misconfig" if there are issues with getting the LACP aggregate established.

[Screenshot from the Meraki link-aggregation documentation]

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Switch_Ports#Link_Aggregation

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

Hi,

Not sure how that applies, as there's no Catalyst switch; just the MS225 and a Firepower 1140 firewall.

Unless you're talking about applying something similar to the port-channel at the CLI level on the firewall? (I use the GUI for the firewall, via an FMC management platform.)

Hi.

Did you ever resolve this issue? I have the exact same issue here between an NGFW 1010 and a pair of MS250s. No traffic whatsoever across the etherchannel sub-interfaces.

Thanks!
