https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513232#M316 <P>Hello</P> <P>&nbsp;</P> <P>I would like to have confirmation. I need to connect my Palo Alto cluster firewall (active/passive) to a Cisco stack (with 2 members).&nbsp;</P> <P>If I want a fully redundancy, I need to create, on a each firewall, an aggregate with 2 interfaces and each interface is connected on a port on each Cisco member ? Are you agree with my schema bellow ?&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JeromeC_0-1661760904358.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43403iE2D65F8E5A6DB088/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JeromeC_0-1661760904358.png" alt="JeromeC_0-1661760904358.png" /></span></P> <P>BR</P> <P>Jerome</P> Mon, 29 Aug 2022 08:15:31 GMT JeromeC 2022-08-29T08:15:31Z https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513232#M316 <P>Hello</P> <P>&nbsp;</P> <P>I would like to have confirmation. I need to connect my Palo Alto cluster firewall (active/passive) to a Cisco stack (with 2 members).&nbsp;</P> <P>If I want a fully redundancy, I need to create, on a each firewall, an aggregate with 2 interfaces and each interface is connected on a port on each Cisco member ? Are you agree with my schema bellow ?&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JeromeC_0-1661760904358.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43403iE2D65F8E5A6DB088/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JeromeC_0-1661760904358.png" alt="JeromeC_0-1661760904358.png" /></span></P> <P>BR</P> <P>Jerome</P> Mon, 29 Aug 2022 08:15:31 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513232#M316 JeromeC 2022-08-29T08:15:31Z https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513233#M317 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/229503">@JeromeC</a></P> <P>&nbsp;</P> <P>this connection design is functional. Cisco switches in stack act like a single switch, so on switch side it is cross stack ether channel and Palo Alto Firewall will see its AE as if it is connected to a single switch.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> <P>&nbsp;</P> Mon, 29 Aug 2022 08:30:56 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513233#M317 PavelK 2022-08-29T08:30:56Z https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513234#M318 <P>Hello</P> <P>I'm not sure to understand. It's not necessary to have one physical connection from active FW to each Cisco member to keep the communication up even if the Cisco member where the phiscal cable is connected is down ? Even in this case, the communication between firewall and equipments connected on the stack will continue to be OK ?</P> <P>&nbsp;</P> <P>BR</P> Mon, 29 Aug 2022 08:37:21 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513234#M318 JeromeC 2022-08-29T08:37:21Z https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513283#M320 <P>Hello,</P> <P>Yes this should work for you. Just could cause a delay in failing over since the MAC of the Firewall changes but the IP doesnt.</P> <P>Regards,</P> Mon, 29 Aug 2022 19:18:25 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513283#M320 OtakarKlier 2022-08-29T19:18:25Z https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513319#M326 <P>Yes, I have used this topology frequently when setting up new firewalls. On the firewall you will want to set up a link monitoring group and set failover to happen only when both links to the switches fail.</P> Mon, 29 Aug 2022 22:47:56 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/513319#M326 tcasw86 2022-08-29T22:47:56Z https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/590587#M3357 <P>Hi, thanks for the info<BR />So if I have A/P palo alto setup. each firewall with single down connection to core switch cluster. do I need a link monitoring group or a port channel from each firewall to each core switch for that or a single link would do since AP firewall and core switches are acting as one&gt;?</P> Thu, 27 Jun 2024 08:34:02 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/active-passive-connection-with-cisco-stack-switches/m-p/590587#M3357 Zaid89 2024-06-27T08:34:02Z