topic BGP Active/Passive vs Active/Active argument in General Topics https://live.paloaltonetworks.com/t5/general-topics/bgp-active-passive-vs-active-active-argument/m-p/69641#M40352 <P>I'm running into an argument with our carrier for our 2 ISP links that I need to clarify.</P> <P>&nbsp;</P> <P>We currently have two 3050's with 2 ISP links coming into both devices in an Active/Passive configuration using PBR's to route traffic. &nbsp;We are adding a third ISP and dropping the slowest link, followed by implementing a BGP configuration with both ISP's.</P> <P>&nbsp;</P> <P>Now I was all gungho to move forward with our current Active/Passive setup by adding BGP peering and now our carrier is telling us we cannot do that because it could cause a broadcast storm. &nbsp;I'm being told that flipping between the Active/Passive firewalls could cause a flood because 1 IP address for 2 MAC addresses is bad practice. &nbsp;Maybe I'm not understanding this well, but I thought active/passive is like literally unplugging a switch port and moving it.</P> <P>&nbsp;</P> <P>Our carrier wants us to move to Active/Active with 2 IP addresses per ISP; one for each PAN-3050 peer.</P> <P>&nbsp;</P> <P>I really do not see the purpose of moving to Active/Active as each PAN would then have an active BGP peer at a time, so anytime I perform maintence I would be bringing down one of the peers. &nbsp;In our environment Active/Passive fits in&nbsp;great with our maintenance plans.</P> <P>&nbsp;</P> <P>Any extra information on BGP experiences would be greatly appreciated.</P> Fri, 18 Dec 2015 14:23:13 GMT KyleFreise 2015-12-18T14:23:13Z BGP Active/Passive vs Active/Active argument https://live.paloaltonetworks.com/t5/general-topics/bgp-active-passive-vs-active-active-argument/m-p/69641#M40352 <P>I'm running into an argument with our carrier for our 2 ISP links that I need to clarify.</P> <P>&nbsp;</P> <P>We currently have two 3050's with 2 ISP links coming into both devices in an Active/Passive configuration using PBR's to route traffic. &nbsp;We are adding a third ISP and dropping the slowest link, followed by implementing a BGP configuration with both ISP's.</P> <P>&nbsp;</P> <P>Now I was all gungho to move forward with our current Active/Passive setup by adding BGP peering and now our carrier is telling us we cannot do that because it could cause a broadcast storm. &nbsp;I'm being told that flipping between the Active/Passive firewalls could cause a flood because 1 IP address for 2 MAC addresses is bad practice. &nbsp;Maybe I'm not understanding this well, but I thought active/passive is like literally unplugging a switch port and moving it.</P> <P>&nbsp;</P> <P>Our carrier wants us to move to Active/Active with 2 IP addresses per ISP; one for each PAN-3050 peer.</P> <P>&nbsp;</P> <P>I really do not see the purpose of moving to Active/Active as each PAN would then have an active BGP peer at a time, so anytime I perform maintence I would be bringing down one of the peers. &nbsp;In our environment Active/Passive fits in&nbsp;great with our maintenance plans.</P> <P>&nbsp;</P> <P>Any extra information on BGP experiences would be greatly appreciated.</P> Fri, 18 Dec 2015 14:23:13 GMT https://live.paloaltonetworks.com/t5/general-topics/bgp-active-passive-vs-active-active-argument/m-p/69641#M40352 KyleFreise 2015-12-18T14:23:13Z Re: BGP Active/Passive vs Active/Active argument https://live.paloaltonetworks.com/t5/general-topics/bgp-active-passive-vs-active-active-argument/m-p/69673#M40356 <P>Hi,</P> <P>&nbsp;</P> <P>First of all the mac addres in a HA cluster &nbsp;are virtual&nbsp;so it'll be 1 ip per 1 virtual mac address,&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Calculate-a-Virtual-MAC-Address/ta-p/55573" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Calculate-a-Virtual-MAC-Address/ta-p/55573</A></P> <P>During the failover the passive firewall send gratuitous arp that updates the mac table in the switches, but the mac address is the same so there's not need to clear the arp table in the layer 3 devices or your bgp peers.</P> <P>Also its possible to achieve a subsecond&nbsp;failover in bgp active/passive if you enable graceful restart on both BGP peers,</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/Unable-to-Achieve-Sub-Second-Failover-Times-with-BGP-for-Active/ta-p/62006" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/Management-Articles/Unable-to-Achieve-Sub-Second-Failover-Times-with-BGP-for-Active/ta-p/62006</A></P> <P>Moving to HA A/A is a big step and will require more planning regarding session setup, session owner, distribution method...</P> <P>&nbsp;</P> <P>Regards,</P> <P>Gerardo.</P> Mon, 20 Mar 2023 20:00:24 GMT https://live.paloaltonetworks.com/t5/general-topics/bgp-active-passive-vs-active-active-argument/m-p/69673#M40356 glastra1 2023-03-20T20:00:24Z