topic HA PANs in General Topics

HA PANs

Sadik_Khirbash — Wed, 19 Apr 2017 21:28:47 GMT

Hello,

I am trying to design a new solution in our network infrastructure. Here's are the requirements:

- Single ISP -- Two active Internet circutis --- (Corrected from Two ISPs to a single ISP)
- Current topology: Two Internet circutis connected to two cisco edge routers in active/active mode, both circuts are used.
- Two core switches: Two core switches connected to the two edge routers in active/active mode.

- Two HA PANs behind the two core switches.
- Goal: Move the two HA PANs in front of the two edge routers.

Questions: Since the HA PANs are in Active/Passive mode this means that we can't connect the two Internet circuits directly to the HA PANs to acheive Active/Active links to the Internet? Is this correct? If so, does that mean we will need another pair of HA PANs to be able to connect the two Internet circuits to each HA pair?

Thanks in advnace.

Best, ~sK

Re: HA PANs

Brandon_Wertz — Wed, 19 Apr 2017 20:15:20 GMT

It's not an answer to your question, but why are you wanting to put the firewalls in-front of your edge routers?

Re: HA PANs

Brandon_Wertz — Wed, 19 Apr 2017 20:22:20 GMT

@Sadik_Khirbash wrote:
...
Questions: Since the HA PANs are in Active/Passive mode this means that we can't connect the two Internet circuits directly to the HA PANs to acheive Active/Active links to the Internet? Is this correct? If so, does that mean we will need another pair of HA PANs to be able to connect the two Internet circuits to each HA pair?

Thanks in advnace.
Best, ~sK

In an A/P deployment the operational interfaces on the P FW are disabled so you wouldn't be able to land one of your ISP connections on your secondary.

I've never done A/A, but based upon what I know, if you deploy a single A/A pair you could deploy a single FW pair connecting an ISPs into a FW. (If one FW failed at least you'd still maintain connectivity)

Re: HA PANs

Sadik_Khirbash — Wed, 19 Apr 2017 20:22:35 GMT

Sorry... Just made the correction. The PANs aren't sitting in fron of the edge router. They are sitting behind the core routers.

~sK

Re: HA PANs

Brandon_Wertz — Wed, 19 Apr 2017 20:34:34 GMT

I guess I'm not following. What is the end location you're wanting your FWs to exist at?

This is very a level view of a potential network (Leaving out a DMZ and a fair amount of potential switches)...Youre saying that currently your firewalls sit between that last link (between your core routers and your internal LAN?)

Re: HA PANs

Sadik_Khirbash — Wed, 19 Apr 2017 21:12:47 GMT

Thanks.

I'm considering the following deployment where there's only one A/A pair. I hope this design will work.

ISP_01

^ ^

| |

v v

Edge_Rtr_01 <-----------> Edge_Rtr_02

^ ^ ^ ^

| \ / |

A/PAN <-----------> A/PAN

^ ^ ^ ^

| \ / |

Core_01 <-----------> Core_01

Re: HA PANs

bradk14 — Wed, 19 Apr 2017 21:20:44 GMT

if I am understanding the question, we can actually simplify it to a single ISP. I mean basically you want each firewall to be able to leverage having two available ISPs, correct? in that case, your approach would be the same as asking how you would configure a single ISP to work with a firewall pair in HA.

and I believe the response would be to have an intermediate switch (or two depending on your desire for switch HA), so that the ISP is plugged into one port and each PA is plugged into another port (for a total of 3), and then just scale that up for 2 ISPs (likely private VLANs on the switch for each set of 3 ports).

if that makes sense. i've had a day, so my brain is fried anyway. that's my excuse.

ETA: You will be warned and very well educated to try to avoid putting PA in active/active unless absolutely mandatory, such as in the case of resolving asymetric routing issues.

Re: HA PANs

Brandon_Wertz — Thu, 20 Apr 2017 02:34:11 GMT

@bradk14 Not trying to answer for @Sadik_Khirbash but keeping two ISPs allows for vendor diversity...

In my deployment we've actually got 3 independent ISPs on wholly diverse paths. That come into my company. Maybe it's over-kill but hey...at least we can say we've got redundancy. lol

Re: HA PANs

bradk14 — Thu, 20 Apr 2017 13:45:14 GMT

@Brandon_Wertzapologies if my point wasn't clear. I'm not disparaging or questioning the use of multiple providers, I was just trying to streamline the question. Whether you have 1, 2, 3 or 5 or more ISPs, the process should be the same. You shouldn't have to rely on each PA in an HA pair to be responsible for a single ISP connection, especially when you are setting out to have an Active/Active configuration just to accomplish it. The process should be the same for as many external connections as you may have and that's to use that switch before the firewall to be able to 'split' the connections and leave the passive firewall's ports disabled.

Re: HA PANs

Brandon_Wertz — Thu, 20 Apr 2017 16:20:52 GMT

Agreed...How you described it before (I think it was you) is how we're doing it.

Those 3 edge routers have connection points into switch(s) and our single HA-pair sits between those ISPs. Negating the need for 3 stand-alone HA pairs.

Re: HA PANs

cengasser — Fri, 21 Apr 2017 13:15:10 GMT

I deal with this by having an additional pair of switches between the Palos and Routers. I use HSRP on the switches for failover. if a circuit fails, the active PA can still find the route to whichever router is active. The Routers and the PAs all sit on the same vlan.

The routers themselves are using BGP with our registered AS number and multiple prepends to create a prefered route out our primary ISP. To handle a failure deeper in the ISP, but not at our local link, I use SLAs on the routers to shut down the BGP neighbour, which will force a cutover to my backup.

On the routers inside interfaces, I create a subinterface using HSRP so each router uses the same gateway IP, so no matter which router is active, the same gateway IP is responding.

This allows you to use Active/Passive in your config.