topic Re: HA Data Link Ethernet vs IP in General Topics

HA Data Link Ethernet vs IP

junior_r — Sat, 28 Sep 2019 17:19:06 GMT

Hi,

When I configure HA for data link I use Ethernet when devices are directly connected to each other, but sometimes in the field I see people using IP for transport but the devices are directly connected to each other. Why are they doing this? There is no reason to do it unless it needs to route. Can someone help me understand there logic?

Thanks

Re: HA Data Link Ethernet vs IP

BatD — Tue, 01 Oct 2019 06:44:06 GMT

@junior_r I have also seen it a lot and I think the only reason people are doing it is because of not knowing that IP is not required when the firewalls are directly connected.

Re: HA Data Link Ethernet vs IP

michelealbrigo — Tue, 01 Oct 2019 08:56:42 GMT

I manage an HA active/standby pair of PA-5220, and we had to switch from ethernet to IP based HA because of AUX ports limitations and bug PAN-105737 (*). We surely could have solved it with a minimal configuration, but we opted to fully configure all HA interfaces (i.e. ip, netmask and gateway). We must use AUX ports because we are about to split the couple in two different datacenters.

(*) If you use the AUX 1 or AUX 2 interface and you do not configure an IP address, network mask, and default gateway for the interface, the interface will not come up when you upgrade the firewall to PAN-OS 8.1.7. The most common use of AUX interfaces is to configure AUX ports as HA1 and HA1 Backup interfaces for fiber connections on PA-5200 Series firewalls in an HA configuration.

Workaround: To avoid a split-brain scenario in HA configurations as a result of this issue, configure a default gateway on at least one of the AUX interfaces.

Re: HA Data Link Ethernet vs IP

Brandon_Wertz — Tue, 01 Oct 2019 13:36:33 GMT

@junior_r wrote:
Hi,

When I configure HA for data link I use Ethernet when devices are directly connected to each other, but sometimes in the field I see people using IP for transport but the devices are directly connected to each other. Why are they doing this? There is no reason to do it unless it needs to route. Can someone help me understand there logic?

Thanks

I've got a A/P 5220 pair split between DCs that are over 500 miles apart. Latency between both DCs is < 20ms and we have no issues. In our case using IP allows for DC redundancy via 2 geographically separated DCs. The networks for both HA1/2 are just L2 networks with no router so the FWs talk directly 2 each other.

Re: HA Data Link Ethernet vs IP

MP18 — Wed, 02 Oct 2019 02:48:57 GMT

Are you using HSCI ports for HA2 Data links?

Which SFP are you using for HA2 Data links?

Re: HA Data Link Ethernet vs IP

michelealbrigo — Wed, 02 Oct 2019 06:56:56 GMT

HSCI: no, we are using AUX ports and a couple of regular SFP+ ports (eth1/5 and eth1/6)
Which SFP: since we need "colored" DWDM links, we are using Solid Optics Cisco-compatible 10Gbit ZR ones.

Re: HA Data Link Ethernet vs IP

Brandon_Wertz — Wed, 02 Oct 2019 19:02:22 GMT

@MP18 wrote:
Are you using HSCI ports for HA2 Data links?
Which SFP are you using for HA2 Data links?

Just using the embedded copper port on the 5220.