https://live.paloaltonetworks.com/t5/general-topics/moving-a-layer-two-switch-between-fw-pair-and-edge-router-from/m-p/218146#M63064 <P>We are attempting to move a pair of VCP'd layer 2 switches between our ISP's CIENA and our PA 5220 pair.&nbsp; Our ISP is only giving us a single handoff so we were attempting to plug the handoff into the layer 2 switches (nexus 9ks with VCP) on a access port with vlan 602.&nbsp; The switches also have trunk ports connecting to the Palo Alto's with LACP.<BR /><BR />We were able to see arp entries for the Palo Alto and the Ciena from the Nexus and could ping the Ciena BGP peer address from the palo alto.&nbsp; Unfortunately the BGP session would only say connected and never established. &nbsp;<BR /><BR />The ISP was unhelpful and said that in their experience that type of setup doesn't work and that in the rare cases it does you have to do configuration on your side.&nbsp; (Suprise suprise!).&nbsp;<BR /><BR />Any thoughts?&nbsp; We tried raising hop count dramatically, resetting ISP router in case it was an arp caching issue on their side, etc.</P> Sun, 17 Jun 2018 08:22:15 GMT davic09 2018-06-17T08:22:15Z https://live.paloaltonetworks.com/t5/general-topics/moving-a-layer-two-switch-between-fw-pair-and-edge-router-from/m-p/218146#M63064 <P>We are attempting to move a pair of VCP'd layer 2 switches between our ISP's CIENA and our PA 5220 pair.&nbsp; Our ISP is only giving us a single handoff so we were attempting to plug the handoff into the layer 2 switches (nexus 9ks with VCP) on a access port with vlan 602.&nbsp; The switches also have trunk ports connecting to the Palo Alto's with LACP.<BR /><BR />We were able to see arp entries for the Palo Alto and the Ciena from the Nexus and could ping the Ciena BGP peer address from the palo alto.&nbsp; Unfortunately the BGP session would only say connected and never established. &nbsp;<BR /><BR />The ISP was unhelpful and said that in their experience that type of setup doesn't work and that in the rare cases it does you have to do configuration on your side.&nbsp; (Suprise suprise!).&nbsp;<BR /><BR />Any thoughts?&nbsp; We tried raising hop count dramatically, resetting ISP router in case it was an arp caching issue on their side, etc.</P> Sun, 17 Jun 2018 08:22:15 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-a-layer-two-switch-between-fw-pair-and-edge-router-from/m-p/218146#M63064 davic09 2018-06-17T08:22:15Z https://live.paloaltonetworks.com/t5/general-topics/moving-a-layer-two-switch-between-fw-pair-and-edge-router-from/m-p/218155#M63067 <P>I assume the ISP is not able to give you dual handoff in the same layer 2 domain.&nbsp; This is our first approach to this type of request as an ISP.</P><P>&nbsp;</P><P>I also assume that the PA cluster is active/passive with a single peering.</P><P>&nbsp;</P><P>Does the peering work when directly connected to one PAN or was that not attempted?</P><P>This would be good information to have even if it cannot stay that way.</P><P>&nbsp;</P><P>It is not clear if this is a peer direct or multihop without the move.&nbsp; I would assume this is a direct link peer.&nbsp; If so, setting multihop won't make any difference and that parameter does need to match on both peers if it is multihop.</P><P>&nbsp;</P><P>Running a pcap during the failure should give more detailed information on the issue the instructions are here.</P><P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Open-a-Support-Case-on-Routing-Issues-OSPF-and-BGP/ta-p/132153" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Open-a-Support-Case-on-Routing-Issues-OSPF-and-BGP/ta-p/132153</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 17 Jun 2018 12:21:29 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-a-layer-two-switch-between-fw-pair-and-edge-router-from/m-p/218155#M63067 pulukas 2018-06-17T12:21:29Z