topic Re: HA traffic through Cisco Switch in General Topics

HA traffic through Cisco Switch

AvinashKukkapalli — Wed, 29 Jan 2020 14:26:09 GMT

Hi Team ,
Can we route HA traffic between two 3260 firewalls through cisco switch using L2 vlan.

My requirement is to run firewalls in HA and devices will be in different buildings. Buildings are connected with dark fiber. As PAN dedicated HA ports are ethernet i have to use another converter or switch to make them communicate in HA ports.

i did l2 vlan on 9500 switch but HA1 never comes up.

Can we do like this?

Re: HA traffic through Cisco Switch

Brandon_Wertz — Wed, 29 Jan 2020 15:19:14 GMT

@AvinashKukkapalli wrote:
Hi Team ,
Can we route HA traffic between two 3260 firewalls through cisco switch using L2 vlan.
My requirement is to run firewalls in HA and devices will be in different buildings. Buildings are connected with dark fiber. As PAN dedicated HA ports are ethernet i have to use another converter or switch to make them communicate in HA ports.
i did l2 vlan on 9500 switch but HA1 never comes up.
Can we do like this?

Technically no, but you can switch the traffic...Ok, I'm done splitting hairs.

You 10000% can do this. As long as both switches participate in the same layer 2 domain it should work without issue. (This would also mean that the link the switches are connected has the access VLAN on the trunk the HA-1 ports are on)

Say you have FW-1 connected to SW-1 with the FW-1 HA-1 with the IP of 10.10.10.1 on an Access VLAN 10 to SW-1

You'd need FW-2 connected to SW-2 with the FW-2 HA-1 configured with the IP of 10.10.10.2 on Access VLAN 10 to SW-2.

You would do the same for HA-2

Re: HA traffic through Cisco Switch

ShaiW — Wed, 29 Jan 2020 14:57:04 GMT

HA1 syncs configuration and heartbeats, it uses dedicated-ha1a/ha1b ports (by default)

HA2 syncs the session table, it uses a dedicated HSCI port (10gb fiber)

You want both up for proper High Availability.

You can assign a Dataplane port to be of type 'HA' and then you can use it instead of the dedicated HA ports (it will be available in the drop down list under HA1/HA1 backup/HA2/HA2 backup).

This can give you the option to use ethernet1/19 as type HA, used by HA1, connected over a fiber link with appropriate GBIC on both sides thus avoiding a converter.

Configuration wise:

Firewall-1

Control Link (HA1) IPv4: 1.1.1.1 / 255.255.255.248

Peer HA1 IP Address (in the Setup page): 1.1.1.2

Firewall-2

Control Link (HA1) IPv4: 1.1.1.2 / 255.255.255.248

Peer HA1 IP Address (in the Setup page): 1.1.1.1

It's a bit tricky to explain all the possible scenarios, I hope it was clear. Just remember that each FW needs to know the IP address of it's peer for HA1 to come up. Lastly, use HA1 backup as management port and put 'Backup Peer HA1 IP Address=MGMT-IP of other FW.

Re: HA traffic through Cisco Switch

AvinashKukkapalli — Wed, 29 Jan 2020 15:55:51 GMT

I changed data port type to HA but i never get that port in dropdown for HA1 , Only for HA2 i am able to select that data port..

So i used L2 vlan but that is not helping

Re: HA traffic through Cisco Switch

AvinashKukkapalli — Wed, 29 Jan 2020 16:03:13 GMT

Attached screen shots for reference

Re: HA traffic through Cisco Switch

Brandon_Wertz — Wed, 29 Jan 2020 16:11:24 GMT

@AvinashKukkapalli wrote:
Attached screen shots for reference

I refer you to my posts in this thread. https://live.paloaltonetworks.com/t5/General-Topics/PA-3260-and-using-non-dedicated-as-HA1-interface/td-p/308152

Are you trying to use a different pot for HA-1 because you need fiber? HA-1 has to be used on the dedicated port.

Re: HA traffic through Cisco Switch

AvinashKukkapalli — Wed, 29 Jan 2020 16:30:23 GMT

I am good , i see one typo error for peer ip.

thanks for all help