https://live.paloaltonetworks.com/t5/general-topics/lacp-on-passive-palo-alto/m-p/553301#M112517 <P>Seb., Agreed, I guess I wasn't thinking clearly this morning. I'm going back to your design/point. Thanks!</P> <P>&nbsp;</P> <P>Mike</P> Thu, 10 Aug 2023 16:15:39 GMT michaelmertens 2023-08-10T16:15:39Z https://live.paloaltonetworks.com/t5/general-topics/lacp-on-passive-palo-alto/m-p/553274#M112514 <P>I am planning a new site and want to make sure my detailed design will not be a problem. I will have two PA-440s in Active/Passive High Availability mode. These will connect to a stack of Cisco C9300s. I will have an LACP port-channel connecting one port of each Cisco switch (ports g1/0/1 and g2/0/1 in the stack to PAN Eth 1 on act and PAN Eth 2 on Passive....As we do not do Path or Link monitoring for HA, I am trying to avoid losing a Cisco switch in the stack and black-holing to a passive PAN, or the active PAN not having a functional switch to forward to. Therefore, I'm planning a LACP channel to span both Cisco switches in the stack but one of LACP members goes to Pt 1 of the active PAN and the other member goes to the passive PAN. (Please see diagram).<BR /><BR />My question: The passive PAN does NOT send LACP packets- correct? The PAN's passive member in the cluster DOES provide ethernet carrier on the port, I want to make sure it does NOT send LACPDUs, and the Cisco switch sees it as an active member of the port-channel and forwards packets to a passive PAN...I just want to make sure...<BR /><BR />Thanks!!</P> <P>&nbsp;</P> <P>Mike</P> Thu, 10 Aug 2023 13:59:05 GMT https://live.paloaltonetworks.com/t5/general-topics/lacp-on-passive-palo-alto/m-p/553274#M112514 michaelmertens 2023-08-10T13:59:05Z https://live.paloaltonetworks.com/t5/general-topics/lacp-on-passive-palo-alto/m-p/553277#M112515 <P>Hi there,&nbsp;</P> <P>Why would you connect half of your port-channel to a device that is not going to pass traffic?</P> <P>The typical way of connecting a active/passive HA pair to a stack of switches would be to take two ports from each firewall and connect them across the switch stack:</P> <P>&nbsp;</P> <P>PA1: Eth1 -&gt; gi1/0/1&nbsp; - Po1</P> <P>PA1: Eth2 -&gt; gi2/0/1&nbsp; - Po1</P> <P>PA2: Eth1 -&gt; gi1/0/2&nbsp; - Po2</P> <P>PA2: Eth2 -&gt; gi2/0/2&nbsp; - Po2</P> <P>&nbsp;</P> <P>You would then configure pre-negotiation on the passive port-channel to ensure sub-second failover.</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/lacp-and-lldp-pre-negotiation-for-activepassive-ha" target="_blank">LACP and LLDP Pre-Negotiation for Active/Passive HA (paloaltonetworks.com)</A></P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> <P>&nbsp;</P> Thu, 10 Aug 2023 14:17:49 GMT https://live.paloaltonetworks.com/t5/general-topics/lacp-on-passive-palo-alto/m-p/553277#M112515 seb_rupik 2023-08-10T14:17:49Z https://live.paloaltonetworks.com/t5/general-topics/lacp-on-passive-palo-alto/m-p/553301#M112517 <P>Seb., Agreed, I guess I wasn't thinking clearly this morning. I'm going back to your design/point. Thanks!</P> <P>&nbsp;</P> <P>Mike</P> Thu, 10 Aug 2023 16:15:39 GMT https://live.paloaltonetworks.com/t5/general-topics/lacp-on-passive-palo-alto/m-p/553301#M112517 michaelmertens 2023-08-10T16:15:39Z