<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: HA Links Over DWDM in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-links-over-dwdm/m-p/1235764#M6185</link>
    <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/243301"&gt;@FrankRocks&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;Currently have a couple pairs of Palos (internal and external), with an HA pair over at a remote location. These 2 sites are connected via redundant DWDM devices (SmartOptics to be precise). Currently the HA links are just connected to a core switch, then pass to the other site over a stretched VLAN. Just seeing if it'd be wise to just move these over via the DWDM instead of via a L2/3 switch. Open to comments on pros and cons of both&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Both methods of connecting your Palo Alto HA links have pros and cons. Using a stretched VLAN over your core switches, as you are now, offers a simple and potentially cost-effective solution if you already have the infrastructure. It allows for Layer 2 failover, which is a key requirement for the HA2 (data) link in an active/passive configuration. However, this approach can introduce complexity and a single point of failure if your core switches or the stretched VLAN itself experiences an issue. Moving the HA links directly to the DWDM devices, on the other hand, provides a more direct and dedicated path, which could lead to lower latency and a more robust connection for the critical HA communication. This can also remove the core switches from the HA path, potentially simplifying troubleshooting and reducing the blast radius of a network event. The main drawback might be the cost and complexity of the DWDM configuration itself and ensuring the HA links are properly provisioned and isolated on that platform. The choice depends on your specific needs for latency, budget, and network resilience.&lt;/P&gt;</description>
    <pubDate>Mon, 11 Aug 2025 09:29:42 GMT</pubDate>
    <dc:creator>pearl44snow</dc:creator>
    <dc:date>2025-08-11T09:29:42Z</dc:date>
    <item>
      <title>HA Links Over DWDM</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-links-over-dwdm/m-p/1235735#M6182</link>
      <description>&lt;P&gt;Currently have a couple pairs of Palos (internal and external), with an HA pair over at a remote location. These 2 sites are connected via redundant DWDM devices (SmartOptics to be precise). Currently the HA links are just connected to a core switch, then pass to the other site over a stretched VLAN. Just seeing if it'd be wise to just move these over via the DWDM instead of via a L2/3 switch. Open to comments on pros and cons of both&lt;/P&gt;</description>
      <pubDate>Sat, 09 Aug 2025 20:36:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-links-over-dwdm/m-p/1235735#M6182</guid>
      <dc:creator>FrankRocks</dc:creator>
      <dc:date>2025-08-09T20:36:58Z</dc:date>
    </item>
    <item>
      <title>Re: HA Links Over DWDM</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-links-over-dwdm/m-p/1235764#M6185</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/243301"&gt;@FrankRocks&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;Currently have a couple pairs of Palos (internal and external), with an HA pair over at a remote location. These 2 sites are connected via redundant DWDM devices (SmartOptics to be precise). Currently the HA links are just connected to a core switch, then pass to the other site over a stretched VLAN. Just seeing if it'd be wise to just move these over via the DWDM instead of via a L2/3 switch. Open to comments on pros and cons of both&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;Both methods of connecting your Palo Alto HA links have pros and cons. Using a stretched VLAN over your core switches, as you are now, offers a simple and potentially cost-effective solution if you already have the infrastructure. It allows for Layer 2 failover, which is a key requirement for the HA2 (data) link in an active/passive configuration. However, this approach can introduce complexity and a single point of failure if your core switches or the stretched VLAN itself experiences an issue. Moving the HA links directly to the DWDM devices, on the other hand, provides a more direct and dedicated path, which could lead to lower latency and a more robust connection for the critical HA communication. This can also remove the core switches from the HA path, potentially simplifying troubleshooting and reducing the blast radius of a network event. The main drawback might be the cost and complexity of the DWDM configuration itself and ensuring the HA links are properly provisioned and isolated on that platform. The choice depends on your specific needs for latency, budget, and network resilience.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Aug 2025 09:29:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-links-over-dwdm/m-p/1235764#M6185</guid>
      <dc:creator>pearl44snow</dc:creator>
      <dc:date>2025-08-11T09:29:42Z</dc:date>
    </item>
  </channel>
</rss>

