topic Re: Poor Man's HA in General Topics

Poor Man's HA

mrsold — Tue, 31 May 2011 19:09:04 GMT

Greetings,

We have a single PA-500 which we will be putting guest (non-critical) internet traffic behind. Currntly it is patched in as such:

eth1/1: L3 - Trusted

eth1/2: L3 - Untrusted

Is there anyway to leverage HA between interfaces on the same device? Reason being is if one of the up-stream switches fails, I'd like to not have to physically move cables to keep traffic "up". For example, for redundancy purposes, we have two access switches that I could plug into on the Untrusted side - right now I'm only using one.

Hope that makes sense...

Thanks!

Message was edited by: msoldner

Re: Poor Man's HA

KGC — Tue, 31 May 2011 19:19:28 GMT

I think Policy-Based Forwarding will do what you are looking for.

Re: Poor Man's HA

mrajdev — Tue, 31 May 2011 23:53:04 GMT

One thing to keep in mind in case of PBF you will be able to monitor a layer 3 address. So to detect the switch failure you might have to monitor a layer 3 address on the switch. Hope that helps.

Re: Poor Man's HA

mrsold — Tue, 09 Aug 2011 13:45:33 GMT

Can you use PBF with multiple interfaces on the same subnet?

EDIT: To be more specific.

We have a single PA which both upstream and downstream have dual (redundand) access switches. I currently have a single uplink to one of the switches on both sides. I'd like to have some redundancy so that if one of the two access switches dies, the PA can re-route traffic. However, if I'm unable to put the interfaces on each side in separate subnets, is that possible?

So can I do the following:

Trusted:

e1/1 - 192.168.1.1 /24 > access switch 1

e1/2 - 192.168.1.2 /24 > access switch 2

Untrusted:

e1/3 - 192.168.2.1 /24 > access switch 1

e1/4 - 192.168.2.2/24 > access switch 2

I'd like to have e1/1 and e1/3 track the ip on each of the access switches they are plugged into and if that heartbeat goes away, it will fail over to the other link.

Thanks.

Message was edited by: msoldner

Re: Poor Man's HA

ukhapre — Thu, 18 Aug 2011 23:25:10 GMT

Hello

You still have single point of failure i.e. single unit.
The above setup will provide reduandancy with switch ports going down.
Policy based forwarding can be an option but would lead to several complications in this case.

We do not support equal cost multi path routing. Hence unit will not allow commit the configuration with overlapping subnets/IPs to the interfaces.

Hope this helps.