Two pairs of 5050s
Have a configuration with two sets of aggregate ports
One set of VLANs that are local/native to the location the PAN assigned to the first set of aggregate ports - these are intended to be up at all times.
The other set of VLANs are assigned to the other data center but are stretched across the WAN backhaul to the other location - these interfaces will only be up when the other data center is down (either during a failure scenario or during a DR test)
Unfortunately when the physical interfaces are down (either through the Palo Alto configuration or through the Port Channel being turned down on the switch), the aggregate sub interfaces remain active and the routes to those subnets remain active on the local firewall.
If a single interface is configured with a subnet and virtual router and is down, then the routes do not appear in the routing table. In this configuration the routes remain in place even though the physical interfaces associated with the aggregate interface are down.
Is this functioning by design or is this an issue that we should open a case for?
If it is by design, is there a way to effectively down the aggregate interface (and sub interfaces) so that the routing goes into a disabled state?
If the virtual router assigned to any interface is down, then you will not see routes added to the table. Also, as the sub-interfaces are logically separated from the physical interface, the two can exist in an up or down state independent of one another. If the physical port to which the sub-interfaces are associated is brought down, then the sub-interfaces will effectively be brought down as well.
The problem we are running into is that all of the physical interfaces for an aggregate are down but the firewall does not see the aggregate subinterfaces as down and continues to have the routes for the IP ranges on those subinterfaces in its routing table. If these were physical subinterfaces the IP ranges would no longer route and the traffic would follow the available routes (in this case to the remote data center).
Is there a way to automatically have the aggregate interfaces go down when all of their physical interfaces go down?
We are attempting to avoid having to have someone log in and bring these interfaces up manually by only having to bring up the aggregate/port channels on the switches.
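The gap described in this thread (every physical member of an aggregate is down, yet the ae subinterfaces stay up and their connected routes stay active) is easy to miss in a DR test unless something checks for it. The following is an added example, not Palo Alto code and not a PAN-OS API: it is a small Python check that takes an interface-state table and a routing table as plain records and flags active routes whose egress is a subinterface of an aggregate with no live members. The interface and route records are constructed sample data that mirror the states reported in the thread, and the record field names (name, state, members, egress, flags) are assumptions of this example; a practitioner would populate them from whatever interface and route output their own tooling already collects from the firewall.

```python
"""Flag routes that stay active although every physical member of their
aggregate (ae) interface is down.  Added example with constructed data;
record layouts are assumptions, not a PAN-OS output format."""

from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    state: str                                    # "up" or "down"
    members: list = field(default_factory=list)   # physical members of an ae


@dataclass
class Route:
    prefix: str
    egress: str
    flags: str = "A"   # constructed convention: "A" marks an active route


def base_interface(name: str) -> str:
    """Strip a subinterface tag: 'ae2.20' -> 'ae2', 'ethernet1/5' unchanged."""
    return name.split(".", 1)[0]


def aggregate_effectively_down(ae: Interface, by_name: dict) -> bool:
    """True when an aggregate has members and all of them report down."""
    if not ae.members:
        return False
    return all(by_name[m].state == "down" for m in ae.members)


def stale_routes(interfaces: list, routes: list) -> list:
    """Return active routes whose egress rides an aggregate with no live member."""
    by_name = {i.name: i for i in interfaces}
    stale = []
    for r in routes:
        if "A" not in r.flags:
            continue                      # already inactive, nothing to flag
        parent = by_name.get(base_interface(r.egress))
        if (parent is not None and parent.name.startswith("ae")
                and aggregate_effectively_down(parent, by_name)):
            stale.append(r)
    return stale


# Constructed sample data modelled on the thread: ae1 is the local aggregate
# (members up), ae2 is the stretched aggregate whose members are all down,
# yet both subinterfaces still show "up" and their routes are still active.
SAMPLE_INTERFACES = [
    Interface("ethernet1/1", "up"),
    Interface("ethernet1/2", "up"),
    Interface("ethernet1/3", "down"),
    Interface("ethernet1/4", "down"),
    Interface("ethernet1/5", "up"),
    Interface("ae1", "up", ["ethernet1/1", "ethernet1/2"]),
    Interface("ae2", "up", ["ethernet1/3", "ethernet1/4"]),
    Interface("ae1.10", "up"),
    Interface("ae2.20", "up"),
]

SAMPLE_ROUTES = [
    Route("10.1.10.0/24", "ae1.10"),          # local VLAN, legitimately active
    Route("10.2.20.0/24", "ae2.20"),          # stretched VLAN, should be withdrawn
    Route("0.0.0.0/0", "ethernet1/5"),        # default route, unaffected
]


def stale_prefixes(interfaces=SAMPLE_INTERFACES, routes=SAMPLE_ROUTES) -> list:
    """Convenience wrapper returning just the prefixes that need attention."""
    return [r.prefix for r in stale_routes(interfaces, routes)]


if __name__ == "__main__":
    for prefix in stale_prefixes():
        print(f"route {prefix} still active on an aggregate with all members down")
```

Run as a script it reports only the stretched-VLAN prefix; the local VLAN and the default route pass. The check deliberately looks at the physical members rather than the ae or subinterface state, because the thread's whole point is that the logical state does not reflect the physical one.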