https://live.paloaltonetworks.com/t5/general-topics/interface-failover-on-pa500/m-p/7455#M5536 <HTML><HEAD></HEAD><BODY><P>Since link aggregation (LACP or etherchannel) is only supported on PA4000++ I want to build a simple interface-failover / interface-group setup (like any other enterprise firewall allows even on low-end devices).</P><P>group</P><P>To do this I would do the following:</P><P>1. change interface mode to Layer2 on both interfaces making up the interface-group</P><P>2. create a layer2 subinterface each (with same id and vlan tag)</P><P>3. associate both to the same vlan</P><P>4. enable L3 forwarding on the vlan</P><P>5. create an vlan interface and assign it the IP the firewall (on its interface-group) should have</P><P>6. connect each port to a different switch</P><P>7. enable STP (on switch)</P><P>8. cross fingers</P><P></P><P>(with 2. only required when this is a trunk with multiple vlans)</P><P></P><P>It seems to work but is something like this supported?</P></BODY></HTML> Fri, 13 Jul 2012 20:16:19 GMT ctr_ts 2012-07-13T20:16:19Z https://live.paloaltonetworks.com/t5/general-topics/interface-failover-on-pa500/m-p/7455#M5536 <HTML><HEAD></HEAD><BODY><P>Since link aggregation (LACP or etherchannel) is only supported on PA4000++ I want to build a simple interface-failover / interface-group setup (like any other enterprise firewall allows even on low-end devices).</P><P>group</P><P>To do this I would do the following:</P><P>1. change interface mode to Layer2 on both interfaces making up the interface-group</P><P>2. create a layer2 subinterface each (with same id and vlan tag)</P><P>3. associate both to the same vlan</P><P>4. enable L3 forwarding on the vlan</P><P>5. create an vlan interface and assign it the IP the firewall (on its interface-group) should have</P><P>6. connect each port to a different switch</P><P>7. enable STP (on switch)</P><P>8. cross fingers</P><P></P><P>(with 2. only required when this is a trunk with multiple vlans)</P><P></P><P>It seems to work but is something like this supported?</P></BODY></HTML> Fri, 13 Jul 2012 20:16:19 GMT https://live.paloaltonetworks.com/t5/general-topics/interface-failover-on-pa500/m-p/7455#M5536 ctr_ts 2012-07-13T20:16:19Z https://live.paloaltonetworks.com/t5/general-topics/interface-failover-on-pa500/m-p/7456#M5537 <HTML><HEAD></HEAD><BODY><P>Had a quick chance to try this out in the lab.&nbsp; Here's what I did:</P><P></P><P>1.) Created new VLAN</P><P>2.) Created new VLAN interface (with L3-forwarding enabled)</P><P>3.) Placed new VLAN interface into appropriate security zone (L3-Trust in my configuration)</P><P>4.) Assigned new VLAN interface an IP Address (192.168.1.1/24 in my config)</P><P>5.) Configured 2 firewall ports as "Layer 2" and placed them into the newly created VLAN from step #1</P><P></P><P>Commit</P><P></P><P>On the switch side, I created a vlan in a Brocade switch with 3 access ports.&nbsp; I also enabled spanning-tree in this VLAN.&nbsp; Of the 3 ports, 2 go to the firewall and one to a test laptop.&nbsp; </P><P></P><P>In this configuration, everything works fine!&nbsp; It takes 30-45 seconds to fail over, and about 15s to fail back - which is expected for standard spanning-tree behavior. </P><P></P><P>I don't see why this wouldn't work using sub-interfaces and vlan tags as well.&nbsp; Same concept.&nbsp; Don't see why it wouldn't be supported either.&nbsp; As long as you have some sort of loop prevention technology running, it's a perfectly valid network design.&nbsp; It's not optimal, and you could probably get better failover and worry less about spanning-tree if you had a pair of firewalls using Active/Passive High Availability.&nbsp; </P></BODY></HTML> Mon, 23 Jul 2012 22:40:32 GMT https://live.paloaltonetworks.com/t5/general-topics/interface-failover-on-pa500/m-p/7456#M5537 jvalentine 2012-07-23T22:40:32Z