Firewall – Virtual port channel topology with firewall

Tags: firewall, vpc

Is it possible to implement the topology below? I see that there is a port channel going downstream to the firewalls. By any chance, are the firewalls running as one virtual entity? As we see here, there are 2 different downstream firewalls, and we cannot run the port channel across them.
So if we cluster FW01 and FW02 as a single entity and run the port channel in no-LACP-suspend mode, does that possibility exist?

Note: SW01 and SW02 are N5k.

Peer KA link denotes peer keepalive link.

Peer link denotes vpc peer link.

[Topology diagram: SW01 and SW02 (N5k vPC pair joined by the peer link and peer keepalive link), with a port channel going downstream to FW01 and FW02]

Best Answer

I don't know what you mean by "FW01 and FW02 as a single entity". In most scenarios, the FW cluster is composed of 2 independent firewalls talking via 1 or 2 HA links, where one stays active and the other is standby.

So, answering your question: is this design correct? In my opinion, it's not valid. As @Ron stated in the comments, you can't port channel a device to two separate devices. If a firewall failover occurs, the redundancy will not work.
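To make the answer concrete, here is what a vPC port-channel on the N5k side looks like and what it requires of the device on the other end. This is an added configuration example, not part of the question or the answer; the vPC domain number, interface numbers, keepalive addresses and description strings are all constructed for illustration. The key point is that `vpc 20` must be configured with the same number on both SW01 and SW02, and the two switches then present themselves to the downstream device as a single LACP partner. The downstream side must likewise be a single LACP partner (one LACP system ID). Two independent active/standby firewalls each answer LACP with their own system ID, so the bundle cannot form across both of them.

```text
! SW01 (N5k) - constructed example configuration; SW02 mirrors it with the
! same vpc domain and the same "vpc 20" number on its own port-channel 20
feature vpc
feature lacp

vpc domain 10
  role priority 100
  ! peer keepalive runs over the management network (addresses constructed)
  peer-keepalive destination 192.0.2.2 source 192.0.2.1

! vPC peer link between SW01 and SW02
interface port-channel 1
  description vPC peer link to SW02
  switchport mode trunk
  vpc peer-link

interface Ethernet1/1-2
  description peer-link member ports
  switchport mode trunk
  channel-group 1 mode active

! Downstream vPC toward the firewall: the remote end must be ONE LACP system
interface port-channel 20
  description downstream to firewall (single LACP partner)
  switchport mode trunk
  vpc 20
  ! member ports fall back to individual links instead of being suspended
  ! when no LACP PDUs are received; this does not merge two partners into one
  no lacp suspend-individual

interface Ethernet1/10
  description member of vPC 20
  switchport mode trunk
  channel-group 20 mode active
```

Note on `no lacp suspend-individual`: it only changes what happens to a member port that receives no LACP PDUs (it stays up as an individual, non-bundled link rather than being suspended). It does not make two separate LACP partners appear as one, so it does not rescue the topology in the question; on failover the standby firewall still brings its own LACP identity, and traffic hashed to that member will not be carried by the bundle.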