topic Re: Palo Alto Physical Connections in HA - Best Practice in General Topics

Palo Alto Physical Connections in HA - Best Practice

bilalajaznawaz — Thu, 17 Sep 2015 18:27:44 GMT

Hi Team,

I am after some guidance on how to deploy a pair of PA3020's using vwire. Upstream connects to ASA in L3 mode and downstream connects to Nexus5K.

Some one told me to plug in PA01 to ASA01 and PA02 to ASA02, likewise for N5K's. Is this the best way to do it? I thought it would be better to have some sort of switching devices to have the connections coming in to it.

Thank you

Bilal

Re: Palo Alto Physical Connections in HA - Best Practice

OtakarKlier — Fri, 18 Sep 2015 16:30:27 GMT

Hello,

This is just my opionon, however I rty to leave switches out of play since there can be issues with STP or loops. I try and strick with layer 3 and have a routing protocol handle the load.

Regards,

Re: Palo Alto Physical Connections in HA - Best Practice

pulukas — Sat, 19 Sep 2015 15:55:59 GMT

With your Palo Alto in v-wire mode, I would directly connect to the two ASA devices. This provides simplest set of failover scenario planning.

In this case you will need to be sure that your ASA cluster can detect a failure of your downstream Palo Alto and failover to the secondary node.

If this is not easily done, then setting up vlans forthe upstream and downstream PA connections would be the best option. If your run the Palo Alto in active/passive mode you won't need to worry about STP as the passive node interfaces won't pass traffic. But if you do run active/active then STP will need to be setup for all the links.

Re: Palo Alto Physical Connections in HA - Best Practice

bilalajaznawaz — Mon, 21 Sep 2015 06:33:34 GMT

Hey, nice to see a familliar name from Juniper forums too 🙂

The problem with the ASA's is lets say upstream interface was to go down, the ASA would not reflect that on all other interfaces, but would keep them up but failover. In this case if we have our Palo's running active passive they would not be aware of the failover between ASA's. As a result, the passive Palo will be receiving the traffic. Active active works fine in this scenario, but not fulfilling a requirement of active / passive.

Hence please tell me what you think of this:

ASA's connected to a switch stack, configured access ports in one single VLAN, and likewise Palo Alto's in this VLAN. Then downstream Palo's straight in to Nexus 5K's. I won't have to worry about STP for this scenario.

In my mind this works, but obviously want your opinions too.

Thank you

Bilal

Re: Palo Alto Physical Connections in HA - Best Practice

OtakarKlier — Mon, 21 Sep 2015 17:13:57 GMT

The PAN can perform path monitoring, so if it see's that iot cannot reach an IP upstream of the ASA, it would also failover.

Re: Palo Alto Physical Connections in HA - Best Practice

bilalajaznawaz — Mon, 21 Sep 2015 18:46:44 GMT

even when using vwire?

Re: Palo Alto Physical Connections in HA - Best Practice

OtakarKlier — Mon, 21 Sep 2015 18:59:33 GMT

While i have never setup path monitoring for a vwire, there is an option to do so.