https://live.paloaltonetworks.com/t5/general-topics/active-passive-pas-connected-to-vpc-nexus-7ks/m-p/206153#M60515 <P>This was also posted on the Cisco forum because I'm not sure yet what is the problem's root cause. So I'd appreciate insigt from the Palo experts as well. Below is the problem:</P><P>&nbsp;</P><P><FONT color="#333333"><FONT face="quot">Each 7K can ping the active-pal. Active-Pal is connected to 7K A, so&nbsp; Active-Pal’s mac&nbsp;appears on 7K A’s interface. 7K B, again, can also ping Active-Pal. Of course, Active-Pal’s mac doesn’t appear on&nbsp;7K B's interface connected to Pass-Pal, but Active-Pal’s mac does appear in 7K B’s mac address table. My assumption is that 7K B is reaching Active-Pal via the VPC pair link. Here’s the trouble, while&nbsp;7K B can ping Active-Pal from its .70 address, hosts in the environment that uses Nex2 as it’s first hop cannot. Hosts using 7K A reach Active-Pal without problem. If the 7K B pass-pal interface is disabled, active-pal becomes reach-able from hosts in the environment.</FONT></FONT></P><P>&nbsp;</P><P><FONT color="#333333"><FONT face="quot">There is now a move planned,&nbsp;that would relocate the Pal's. Should the existing, inside layer 3 connections be maintained, or should said links be converted to layer 2? I understand that the answer to this question might be revealed in the outcome of the above analysis.</FONT></FONT></P><P>&nbsp;</P><P>&nbsp;</P><P><FONT color="#333333">**********************<BR /></FONT></P><P>&nbsp;</P><P><FONT color="#333333">Not shown in the diagram is a single edge router, so there's no chance of assymetric routing there. My understanding is that the best Palo design here would be Active/Passive. True or false?<BR /></FONT></P><P>&nbsp;</P><P><FONT color="#333333">Also is the point to point layer 3 interface design the best approach? Should the nexus links be layer 2 interfaces?</FONT></P><P>&nbsp;</P><P><FONT color="#333333">Thanks for the help.</FONT></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Traffic_Flow.JPG" style="width: 432px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14302i76C99D4384ECC748/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Traffic_Flow.JPG" alt="Traffic_Flow.JPG" /></span></P> Sun, 18 Mar 2018 01:45:34 GMT DamianCleveland 2018-03-18T01:45:34Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-pas-connected-to-vpc-nexus-7ks/m-p/206153#M60515 <P>This was also posted on the Cisco forum because I'm not sure yet what is the problem's root cause. So I'd appreciate insigt from the Palo experts as well. Below is the problem:</P><P>&nbsp;</P><P><FONT color="#333333"><FONT face="quot">Each 7K can ping the active-pal. Active-Pal is connected to 7K A, so&nbsp; Active-Pal’s mac&nbsp;appears on 7K A’s interface. 7K B, again, can also ping Active-Pal. Of course, Active-Pal’s mac doesn’t appear on&nbsp;7K B's interface connected to Pass-Pal, but Active-Pal’s mac does appear in 7K B’s mac address table. My assumption is that 7K B is reaching Active-Pal via the VPC pair link. Here’s the trouble, while&nbsp;7K B can ping Active-Pal from its .70 address, hosts in the environment that uses Nex2 as it’s first hop cannot. Hosts using 7K A reach Active-Pal without problem. If the 7K B pass-pal interface is disabled, active-pal becomes reach-able from hosts in the environment.</FONT></FONT></P><P>&nbsp;</P><P><FONT color="#333333"><FONT face="quot">There is now a move planned,&nbsp;that would relocate the Pal's. Should the existing, inside layer 3 connections be maintained, or should said links be converted to layer 2? I understand that the answer to this question might be revealed in the outcome of the above analysis.</FONT></FONT></P><P>&nbsp;</P><P>&nbsp;</P><P><FONT color="#333333">**********************<BR /></FONT></P><P>&nbsp;</P><P><FONT color="#333333">Not shown in the diagram is a single edge router, so there's no chance of assymetric routing there. My understanding is that the best Palo design here would be Active/Passive. True or false?<BR /></FONT></P><P>&nbsp;</P><P><FONT color="#333333">Also is the point to point layer 3 interface design the best approach? Should the nexus links be layer 2 interfaces?</FONT></P><P>&nbsp;</P><P><FONT color="#333333">Thanks for the help.</FONT></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Traffic_Flow.JPG" style="width: 432px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14302i76C99D4384ECC748/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Traffic_Flow.JPG" alt="Traffic_Flow.JPG" /></span></P> Sun, 18 Mar 2018 01:45:34 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-pas-connected-to-vpc-nexus-7ks/m-p/206153#M60515 DamianCleveland 2018-03-18T01:45:34Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-pas-connected-to-vpc-nexus-7ks/m-p/206182#M60518 <P>Yes, PAN recommends keeping clusters Active/Passive unless there are certain circumstances that require an Active/Active design.</P><P>&nbsp;</P><P>The point to point routed link may or may not be best depending on the nature of your routing and zone configuration but is frequently a good practice.</P><P>&nbsp;</P><P>Your basic issue here is that VPC or AE/LAG connections on the Cisco side are connecting to what is essential a Redundant Ethernet connection on the PAN side.&nbsp; So on the Cisco side you would be using the "backup" interface feature which is generally the IOS implementation of Redundant ethernet.</P><P>&nbsp;</P> Sun, 18 Mar 2018 16:05:01 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-pas-connected-to-vpc-nexus-7ks/m-p/206182#M60518 pulukas 2018-03-18T16:05:01Z