- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
01-18-2021 06:39 AM
Have a Active/Active spit data center solution and question has been brought up if it is possible to use different AS numbers on each of the Palo's. My thinking is why have Active/Active, just use each Palo as a separate individual firewall at each DC. I'v never seen Active/Active Palo's having separate BGP AS numbers. It looks like it is possible since the VR config isn't synced but seems it would create an issue. Anyone else ever seen this or have an opinion?
01-18-2021 06:44 AM
it's possible since you can split routing completely but it would take out all reason to have a cluster in the first place, unless you'd have some site specific AS with an upstream shared AS somehow (so you do end up sharing the same IP subnet over different AS)
adding clustering will only increase overhead at no gain
01-18-2021 06:44 AM
it's possible since you can split routing completely but it would take out all reason to have a cluster in the first place, unless you'd have some site specific AS with an upstream shared AS somehow (so you do end up sharing the same IP subnet over different AS)
adding clustering will only increase overhead at no gain
01-18-2021 06:50 AM
Thanks, that was my thinking also, why even have the AA cluster at that point.
01-18-2021 03:33 PM
i've been thinking it over a bit, the thinking is probably that each site would act as DR for the other site and a floating IP could move to the other site if one site fails ? to provide internet connectivity?
if there's an option to integrate OSPF that would be the better option, but if the network is super flat with no routing an AA A/P-P/A could work (although it will bring heartache and acid reflux 😜 )
01-19-2021 05:10 AM
The customer is already running BGP internally even though their current ASA is all static routes. I had thought about OSPF but we ended up deciding on BGP internally since that is what they are currently running and upstream to ISRs. The A/A setup is a single firewall at each DC which was originally supposed to be A/P. It's already given me enough heartache so I don't want to introduce any more. 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!