Hello, can you clarify how exactly your two HP 5400 zl switches are interconnected (if they are)? Were they deployed using the DT (Distributed Trunking) implementation used against downlink peers (downlink peers: distribution/access switches/hosts directly concurrently uplinked via usual LACP to both 5400 zl Switches, the DT pair instead uses DT-LACP on downlinks) or not? ...in other terms was the VRRP implementation deployed over two standalone switches with just an interlink used for exchanging VRRP advertisements or was the VRRP implementation depolyed along with Distrubuted-Trunking technology?
There is a mix of things (STP, VRRP, IP Routing, DT, etc.) to consider when your plan is to move away from a VRRP implementation because the routing duty will be migrated to an uplink device (Firewall/Firewall Cluster).
I'm not an HPE Employee
Can you explain how exactly the actual VRRP pair is connected to upstream firewall(s) and how are you planning to connect just one member of the actual VRRP pair (once the VRRP features will be removed and the routing turns back to just one switch of the two switches) to upstream new/old/rearranged firewall(s)? I mean...logically and physically.
As example we have an Active/Active Firewalls Cluster where each Firewall has its own IP Addresses (Node IPs, on both LAN facing side and WAN facing side) other than sharing Virtual IP Addresses (Common IPs, on both LAN facing side and WAN facing side)...so our Firewalls Cluster consumes 3 IP Addresses per logical interface (and we have many as you can image...).
Our Core is just single link uplinked to Firewall Cluster Node 1 and to Node 2, we just have a very simple Last Resort Route (0/0 via Next-Hop-IP) that points to the Common IP f relevant Firewall Cluster LAN interface...routing changes are rather immediate AFAIK.
I'm not an HPE Employee
Hi! we too have a cluster of Forcepoint NGFW 11052105, it is connected to a VSF Virtual Switching Framework (2 x Aruba 5400R zl2)...no LACP (yet). Let me think about your scenario a little bit more (our one is simplified by VSF which is able to permit us to avoid VRRP...but we don't use the IPv4 Routing on the VSF indeed the routing is not in charge of the VSF, it's actually done by another Aruba 5400R zl2 equipped with dual Management Modules working in NonStop Redudancy mode, that one is connected to our VSF via a LACP LAG...so our scenarios are not directly comparable).
One thing I'm pretty sure is that each NGFW appliance can form LAGs (Links Aggregation Groups) only on its ports...so no "Multi-Chassis LAGs" are possible...it means that each LAG should then terminate into a single switch (physical or logical, it doesn't matter)...your DT Pair is like (not equal) our VSF so it acts like a single logical switch and the LAG's member links coming from each NGFW can/could be spread across both DT Members (exactly as they can/could be spread across VSF Members)...thus the issue shouldn't be on the way your Firewall Cluster is physically downlinked to your routing/switching devices (but logically it's another story).
I'm not an HPE Employee