topic Re: Question about Active/Active HA with Layer 2 Interfaces in General Topics

Question about Active/Active HA with Layer 2 Interfaces

ballen317 — Mon, 03 Dec 2018 03:43:48 GMT

Hello,

I have read the Administrator's Guide and the Use Cases for Active/Active HA but just wanted to get some confirmation that I am understanding the requirements correctly. We have two identical Palo Alto firewalls that we want to setup HA with. We will be configuring a Layer 2 Aggregate Interface with subinterfaces and then connecting it to a Cisco switch. With this setup in mind, are we able to use Active/Active HA? I remember reading at one point that an Active/Active HA setup requires Layer 3 interfaces but I'm not 100% sure.

Thanks!

Re: Question about Active/Active HA with Layer 2 Interfaces

BPry — Tue, 04 Dec 2018 01:39:27 GMT

@ballen317,

If you're using Layer2 interfaces there should be no reason to utilize Active/Active HA. Why are you attempting to use Active/Active in this deployment?

Re: Question about Active/Active HA with Layer 2 Interfaces

ballen317 — Tue, 04 Dec 2018 03:55:17 GMT

@BPry,

We have another network we are supporting that is configured with 2 active Cisco ASA firewalls in a HA cluster setup using Layer 2 interfaces (https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/ha-cluster.pdf). I was trying to see if we can deploy a similar setup with the 2 Palo Alto firewalls we have in this network. The end goal is to achieve increased throughput and redundancy.

So is an Active/Active HA with Layer 2 interfaces allowed but not recommended? If so, what are the reasons that it is not a recommended deployment?

Thanks!

Re: Question about Active/Active HA with Layer 2 Interfaces

BPry — Tue, 04 Dec 2018 05:08:04 GMT

@ballen317,

Active/Active is only supported in TAP and Layer3 deployments. Active/Active configurations on PA gear isn't as simple and clear-cut as on your ASA, not by far. You would really need to design how you would actually implement this and I can guarantee your deployment would change quite a bit.

The reason we say not to use Active/Active is that it really doesn't provide a performance increase applicable to the increased costs and complexity. Asynchronous routing is your exception to the rule here, and the other use-cases where Active/Active would be called for are far and few between, and generally instances where you would be told to do so by your SE or IE (Sales Engineer or Integration Engineer).

Realistically where the ASA you saw a large performance gain for running Active/Active, you don't get that performance gains on a Layer7 aware NGFW. Max, you'll see a throughput increase of 20%. Any more than that and you've oversubscribed traffic if a failover did occur and you've lost all benefit of deploying Active/Active anyway.

Re: Question about Active/Active HA with Layer 2 Interfaces

ballen317 — Sat, 08 Dec 2018 00:12:20 GMT

@BPry,

Thank you for your detailed response. That helps out a lot. We are not looking to change our deployment to a Layer 3 setup and since a Layer 2 deployment is not supported, that eliminates the need for our team to even consider Active/Active.

Re: Question about Active/Active HA with Layer 2 Interfaces

NicolasCarabajal — Fri, 17 Jul 2020 21:54:27 GMT

This is incorrect. Active/active is only supported in v-wire and layer3.