
Active Active BGP AS Number


L2 Linker

Have an Active/Active split data center solution, and the question has been brought up whether it is possible to use different AS numbers on each of the Palos. My thinking is why have Active/Active, just use each Palo as a separate individual firewall at each DC. I've never seen Active/Active Palos having separate BGP AS numbers. It looks like it is possible since the VR config isn't synced, but it seems it would create an issue. Anyone else ever seen this or have an opinion?

PCNSC, PCNSE
Accepted Solutions

Cyber Elite

It's possible since you can split routing completely, but it would take out all reason to have a cluster in the first place, unless you'd have some site-specific AS with an upstream shared AS somehow (so you do end up sharing the same IP subnet over different AS).

Adding clustering will only increase overhead at no gain.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


Thanks, that was my thinking also, why even have the AA cluster at that point.

PCNSC, PCNSE

I've been thinking it over a bit; the thinking is probably that each site would act as DR for the other site and a floating IP could move to the other site if one site fails, to provide internet connectivity?

If there's an option to integrate OSPF, that would be the better option, but if the network is super flat with no routing, an AA A/P-P/A could work (although it will bring heartache and acid reflux 😜).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

The customer is already running BGP internally even though their current ASA is all static routes. I had thought about OSPF but we ended up deciding on BGP internally since that is what they are currently running and upstream to ISRs. The A/A setup is a single firewall at each DC which was originally supposed to be A/P. It's already given me enough heartache so I don't want to introduce any more. 🙂

PCNSC, PCNSE