HA Data Link Ethernet vs IP

L3 Networker

HA Data Link Ethernet vs IP

Hi,

When I configure HA for data link I use Ethernet when devices are directly connected to each other, but sometimes in the field I see people using IP for transport but the devices are directly connected to each other. Why are they doing this? There is no reason to do it unless it needs to route. Can someone help me understand their logic?

Thanks

L4 Transporter

Re: HA Data Link Ethernet vs IP

@junior_r  I have also seen it a lot and I think the only reason people are doing it is because of not knowing that IP is not required when the firewalls are directly connected. 

L2 Linker

Re: HA Data Link Ethernet vs IP

I manage an HA active/standby pair of PA-5220, and we had to switch from Ethernet to IP-based HA because of AUX port limitations and bug PAN-105737 (*). We surely could have solved it with a minimal configuration, but we opted to fully configure all HA interfaces (i.e. IP, netmask and gateway). We must use AUX ports because we are about to split the couple in two different datacenters.

(*) If you use the AUX 1 or AUX 2 interface and you do not configure an IP address, network mask, and default gateway for the interface, the interface will not come up when you upgrade the firewall to PAN-OS 8.1.7. The most common use of AUX interfaces is to configure AUX ports as HA1 and HA1 Backup interfaces for fiber connections on PA-5200 Series firewalls in an HA configuration.

Workaround: To avoid a split-brain scenario in HA configurations as a result of this issue, configure a default gateway on at least one of the AUX interfaces.
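As an added illustration of the workaround quoted above (example code, not Palo Alto Networks tooling and not the poster's configuration), a small pre-upgrade checker: it takes the HA port settings of a pair and flags AUX ports that lack an IP address, netmask or default gateway, and reports whether at least one AUX interface carries a gateway. The port names "aux-1"/"aux-2", the HaLink structure and the sample addresses are assumptions constructed for the example.

```python
"""Pre-upgrade check for the PAN-105737 workaround described in the post above.

Hypothetical checker (added example, not PAN-OS or Palo Alto tooling): given
the HA link port settings of a PA-5200 pair, flag AUX ports without an IP
address, netmask or default gateway (such ports stay down after upgrading
to 8.1.7) and report whether the stated split-brain workaround is met, i.e.
at least one AUX interface has a default gateway.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AUX_PORTS = {"aux-1", "aux-2"}  # assumed names for the two AUX interfaces


@dataclass
class HaLink:
    role: str                      # "ha1", "ha1-backup" or "ha2"
    port: str                      # e.g. "aux-1", "ethernet1/5"
    ip: Optional[str] = None
    netmask: Optional[str] = None
    gateway: Optional[str] = None

    def missing_fields(self) -> List[str]:
        return [f for f in ("ip", "netmask", "gateway") if getattr(self, f) is None]


def check_aux_links(links: List[HaLink]) -> Tuple[List[str], bool]:
    """Return (problems, workaround_ok).

    problems: one message per AUX port that would not come up after the upgrade.
    workaround_ok: True if no AUX port is in use, or at least one AUX port has a gateway.
    """
    problems = []
    aux_links = [l for l in links if l.port in AUX_PORTS]
    for link in aux_links:
        missing = link.missing_fields()
        if missing:
            problems.append(f"{link.role} on {link.port} lacks {', '.join(missing)}; "
                            "interface will stay down after upgrade to PAN-OS 8.1.7")
    workaround_ok = (not aux_links) or any(l.gateway for l in aux_links)
    return problems, workaround_ok


# Constructed sample: only the primary AUX port was given full addressing
SAMPLE_PAIR = [
    HaLink("ha1", "aux-1", ip="10.255.0.1", netmask="255.255.255.252", gateway="10.255.0.2"),
    HaLink("ha1-backup", "aux-2"),
    HaLink("ha2", "ethernet1/5"),
]

if __name__ == "__main__":
    probs, ok = check_aux_links(SAMPLE_PAIR)
    for p in probs:
        print("WARNING:", p)
    print("split-brain workaround satisfied:", ok)
```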
L6 Presenter

Re: HA Data Link Ethernet vs IP


@junior_r wrote:

Hi,

When I configure HA for data link I use Ethernet when devices are directly connected to each other, but sometimes in the field I see people using IP for transport but the devices are directly connected to each other. Why are they doing this? There is no reason to do it unless it needs to route. Can someone help me understand their logic?

Thanks

I've got an A/P 5220 pair split between DCs that are over 500 miles apart. Latency between both DCs is < 20ms and we have no issues. In our case using IP allows for DC redundancy via 2 geographically separated DCs. The networks for both HA1/2 are just L2 networks with no router so the FWs talk directly to each other.

L4 Transporter

Re: HA Data Link Ethernet vs IP

Are you using HSCI ports for HA2 Data links?

Which SFP are you using for HA2 Data links?

L2 Linker

Re: HA Data Link Ethernet vs IP

HSCI: no, we are using AUX ports and a couple of regular SFP+ ports (eth1/5 and eth1/6)
Which SFP: since we need "colored" DWDM links, we are using Solid Optics Cisco-compatible 10Gbit ZR ones.

L6 Presenter

Re: HA Data Link Ethernet vs IP


@MP18 wrote:

Are you using HSCI ports for HA2 Data links?

Which SFP are you using for HA2 Data links?


Just using the embedded copper port on the 5220.
