Configuring the switch

Since the firewall is in active mode, the switch can remain in passive mode.

The detailed configuration in this example assumes the user's familiarity with the vendor's command line interface.

Only the link aggregation setup will be covered.





Configuration of the aggregation in passive LACP mode on ports 23 and 24 in this example:

Cisco:

Switch(config)# interface range Gi 0/23-24
Switch(config-if-range)# channel-group 1 mode passive
Switch(config-if-range)# channel-protocol lacp

HP ProCurve:

ProCurve(config)# trunk 23-24 trk1 lacp

Optional commands allowing 802.1q tagging on the logical switch-router link, if VLANs 2 to 10 are used in this example:

Cisco:

Switch(config-if-range)# exit
Switch(config)# interface Port-channel 1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 2-10

HP ProCurve:

ProCurve(config)# vlan 2 tagged trk1
ProCurve(config)# vlan 3 tagged trk1
...
ProCurve(config-vlan)# vlan 10 tagged trk1



In order to avoid layer 2 issues (instability of the MAC address table, broadcast storm, etc.), configure the aggregate on the firewall and on the switch before interconnecting both appliances.



  • After ensuring that the aggregate is running properly (by interrupting the link for example), you will need to back up the configuration of the switch.
  • The naming and numbering of interfaces vary according to the chosen switch model. Refer to the vendor's user guide if necessary.
  • The Port-Security feature found on Cisco and HP switches is not compatible with LACP, and should not be configured on any of the members in the aggregate.
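
The Port-Security incompatibility noted above can be checked against a saved switch configuration before the links are connected. The following is an added example, not part of the vendor documentation: it assumes Cisco IOS-style configuration text, the function names are hypothetical, and the sample configuration is constructed.

```python
import re

# Constructed sample of a Cisco IOS running-config (not taken from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/23
 channel-protocol lacp
 channel-group 1 mode passive
!
interface GigabitEthernet0/24
 switchport port-security
 switchport port-security maximum 2
 channel-protocol lacp
 channel-group 1 mode passive
!
interface GigabitEthernet0/5
 switchport mode access
 switchport port-security
!
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 2-10
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any global command closes the stanza
    return interfaces

def port_security_conflicts(config):
    """List (interface, channel-group id) for aggregate members with Port-Security."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        group = next((m.group(1) for c in cmds
                      if (m := re.match(r"channel-group (\d+) mode \S+", c))), None)
        # "no switchport port-security" does not start with the prefix, so it is ignored.
        if group and any(c.startswith("switchport port-security") for c in cmds):
            findings.append((name, int(group)))
    return findings

if __name__ == "__main__":
    for name, group in port_security_conflicts(SAMPLE_CONFIG):
        print(f"{name}: member of channel-group {group} has Port-Security configured")
```

Ports that use Port-Security without belonging to an aggregate (GigabitEthernet0/5 in the sample) are not reported, since the restriction applies only to aggregate members.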