topic Re: How Palo alto HA and Cisco HSRP work together ? in General Topics

How Palo alto HA and Cisco HSRP work together ?

perumalj — Fri, 26 Nov 2021 11:36:07 GMT

How Palo alto HA and Cisco HSRP work together ?

For example

===========

Here Palo alto HA is upstream devices ( lets consider PA1 and PA2 are in HA setup).

Cisco Switches are catalyst 6509 or nexus 5 or 6K ( SW1 and SW2)

SW1 is connected to PA 1 and SW2 is connected to PA2

in SW1 and SW2 HSRP is configured to maintain gateway high availability for both upstream ( PA firewalls) and downstream( end hosts)

Static routing is configured between switches and upstream Devices( PA firewalls). As per the routing , if there is any traffic coming from end hosts will be forwarded to the upstream( PA active firewall). likewise , for the return traffic from the firewall will be forwarded to active switch using HSRP virtual IP address and Mac address.

if we do manual HA failover between PA firewalls for some reasons and make PA2 now active but still going to keep SW1 active for HSRP like below

SW1( active for HSRP) ------>PA1 ( standby)

SW2( standby for HSRP)----->PA2(Active)

1. in this case how traffic flow would be ? whether it would create any impact to the traffic flow

2. Do we also need to do HSRP failover between switches when we do HA failover between PA firewalls ?

Kindly provide your suggestion on this

Re: How Palo alto HA and Cisco HSRP work together ?

PavelK — Fri, 26 Nov 2021 13:36:49 GMT

Thank you for posting question @perumalj

There is no need to change HSRP priority to make other switch active when there is a failover of PA firewalls. The scenario you described is still functional regardless which HSRP switch is active at the time.

In the case of this scenario:

SW1( active for HSRP) ------>PA1 ( standby)
SW2( standby for HSRP)----->PA2(Active)

Traffic from PA2 will depending on your Layer 2 topology find its default gateway (HSRP Active switch) in SW1 by using interlink between SW2 and SW1.

Traffic from end host to PA, will have this flow: End user's traffic will land on SW1 (HSRP Active switch), static route's next hop IP will be resolved to MAC address of PA2 (Active Firewall), based on MAC address table, it will find outgoing interface interlink between SW1 and SW2, then traffic will arrive PA2.

Kind Regards

Pavel

Re: How Palo alto HA and Cisco HSRP work together ?

perumalj — Fri, 26 Nov 2021 14:00:47 GMT

@PavelK , Thank you for your reply.

May I know what you have explained is same for both cisco catalyst and cisco nexus switches ?

Could also share if there is any document ?

Re: How Palo alto HA and Cisco HSRP work together ?

perumalj — Fri, 26 Nov 2021 15:05:54 GMT

I agree with your answer.

I will be looking forward to hearing your response for the following

May I know what you have explained is same for both cisco catalyst and cisco nexus switches ?

Could also share if there is any document ?

Re: How Palo alto HA and Cisco HSRP work together ?

PavelK — Fri, 26 Nov 2021 23:14:29 GMT

Thank you for reply @perumalj

The behavior will be the same regardless you are going to use Catalyst or Nexus. The only difference will be if you enable vPC on Nexus side and configure port-channel on PA side, then HSRP will act as active active.

I have not found any document that exactly explains this and there is no best practice/design guide for PA <-> Nexus/Catalyst, however I have this deployment in several locations using Nexus or Catalyst depending on site and failover on PA works fine without any changes to HSRP.

Kind Regards

Pavel