08-09-2011 01:11 AM
Hello guys.
I tested for now about active-active pair on vwire mode that is simplest deployment I know. but I could not find that more information for active-active HA pair on vwire.
I wonder about that A-A vwire needs ACTIVE-ACTIVE configuration such as HA3 packet forwarding, Session owner selection, Session Setup. I guess that are not needed but I can not confirm.
Please give me some guideline for A-A on vwire that are need HA3 packet forwarding, Session owner, Session Setup configuration or not. if it yes, why does A-A need above configuration.
Thanks.
Regards.
Roh.
08-23-2011 09:53 PM
There should not be a need to forward traffic per se with A-A v-wire. This is because v-wire basically should always forward packets ingressing on one v-wire link to the other. The situation where a packet may need to traverse HA3 link would be if peer which receives the traffic is not the active owner of the session. In that case the packet would traverse HA3 to the other peer, get processed, then traverse HA3 back again to the receiving peer.
Hope that clears things up a bit.
-Richard
08-18-2011 03:41 PM
The HA3 link is used for packet forwarding between the session owner and the session setup device in an active-active cluster. HA3 link isa layer2 link and uses MAC-in-MAC encapsulation. Aggregate interfaces can be configured as a HA3 link on the PA-5000 and PA-4000 Series. This also provides redundancy of HA3 link. The interface that will be used as HA3 link must be set as type HA.
Hope this helps.
08-23-2011 10:47 AM
Hi ukhapre
Thank you for reply.
I think that HA3 packet forwarding should not configured on vwire A-A environment. right?
Thank you again.
Regards.
Roh.
08-23-2011 09:53 PM
There should not be a need to forward traffic per se with A-A v-wire. This is because v-wire basically should always forward packets ingressing on one v-wire link to the other. The situation where a packet may need to traverse HA3 link would be if peer which receives the traffic is not the active owner of the session. In that case the packet would traverse HA3 to the other peer, get processed, then traverse HA3 back again to the receiving peer.
Hope that clears things up a bit.
-Richard
08-25-2011 06:27 PM
Another point to be think about in any active-active setup:
If traffic enters a port on device A it can never egress from the Active-Active cluster from ANY port on device B.
HA3 is used to forward packets from the active-secondary device to the active-primary device so that they can be evaluated and scanned against the configured security policy.
-Benjamin
08-25-2011 06:31 PM
A final point to consider:
If you are considering deploying Active-Active you should be talking to your Sales Engineer to choose the proper design for implementing this feature in your environment. In some cases you may discover that an Active-Passive setup is more appropriate for your network.
-Benjamin
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
