We are exploring the firewall deployment options for one of our customers who has a requirement to stretch a few VLANs across 2 data centers, most probably using VXLAN/EVPN. The options currently being explored are:
1. Active-Standby firewalls in each data center
2. Active-Active firewall with one node in each data center
Are there any design/deployment references for these scenarios, especially how to avoid double firewalling, and the possible scenarios for asymmetric routing and how to avoid them?
You can avoid asymmetric routing by not deploying in Active/Active.
Do both datacenters need to be 'hot' or is there one warm standby? Do both need active connections to the outside, and will the bandwidth needed exceed the VXLAN/EVPN capability?
I'd try to avoid A/A as that complicates your configuration tremendously with very little ROI (you'll also need to enable HA3 and make sure jumbo frames are supported over the VXLAN/EVPN etc.)
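The point in the reply above, that an Active/Active pair split across data centers only works when the node that sees the return traffic also holds the session, can be shown with a small model. This is an added example, not code from the thread or from Palo Alto Networks: two toy stateful firewall nodes, one per data center, with an optional session-synchronization switch standing in for what HA3 does in a real deployment. All addresses, port numbers and node names are constructed for the illustration.

```python
"""Constructed model: why asymmetric paths break stateful inspection.

Two firewall nodes, one per data center. A stateful node forwards a
non-SYN packet only if it already holds the session created by that
flow's SYN. Without session synchronization, a reply arriving at the
other node is dropped. Hypothetical topology; not the thread's own setup.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection

    def session_key(self) -> Tuple:
        """Direction-independent 5-tuple so a reply maps to the same session."""
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return ("tcp",) + (a + b if a <= b else b + a)


class StatefulFirewall:
    """Minimal stateful node: forwards a packet only if it owns the session."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions = set()
        self.peer: Optional["StatefulFirewall"] = None
        self.sync_sessions = False
        self.drops: List[Tuple[str, Packet]] = []  # (node, packet) audit trail

    def pair_with(self, peer: "StatefulFirewall", sync: bool) -> None:
        """Link two nodes; sync=True models HA3-style session sharing."""
        self.peer, peer.peer = peer, self
        self.sync_sessions = peer.sync_sessions = sync

    def inspect(self, pkt: Packet) -> str:
        key = pkt.session_key()
        if pkt.syn:
            self.sessions.add(key)
            if self.sync_sessions and self.peer is not None:
                self.peer.sessions.add(key)  # session is now known on both nodes
            return "allow"
        if key in self.sessions:
            return "allow"
        self.drops.append((self.name, pkt))  # reply with no matching session
        return "drop"


def run_scenario(paths: List[Tuple[str, Packet]], sync: bool) -> List[str]:
    """paths: ordered (node label, packet) pairs, i.e. which DC each packet hits."""
    dc1, dc2 = StatefulFirewall("fw-dc1"), StatefulFirewall("fw-dc2")
    dc1.pair_with(dc2, sync)
    nodes = {"dc1": dc1, "dc2": dc2}
    return [nodes[label].inspect(pkt) for label, pkt in paths]


# Constructed three-packet exchange for one client/server flow.
CLIENT, SERVER = "10.1.1.10", "10.2.2.20"
SYN = Packet(CLIENT, 40000, SERVER, 443, syn=True)
SYN_ACK = Packet(SERVER, 443, CLIENT, 40000)
DATA = Packet(CLIENT, 40000, SERVER, 443)

# Outbound leg through DC1, return leg through DC2: the asymmetric case.
ASYMMETRIC = [("dc1", SYN), ("dc2", SYN_ACK), ("dc1", DATA)]
# Active/Standby: every packet of the flow crosses the single active node.
SYMMETRIC = [("dc1", SYN), ("dc1", SYN_ACK), ("dc1", DATA)]


def active_active_without_sync() -> List[str]:
    return run_scenario(ASYMMETRIC, sync=False)  # ['allow', 'drop', 'allow']


def active_active_with_sync() -> List[str]:
    return run_scenario(ASYMMETRIC, sync=True)  # ['allow', 'allow', 'allow']


def active_standby() -> List[str]:
    return run_scenario(SYMMETRIC, sync=False)  # ['allow', 'allow', 'allow']


if __name__ == "__main__":
    print("A/A, no session sync :", active_active_without_sync())
    print("A/A, session sync    :", active_active_with_sync())
    print("A/S, symmetric path  :", active_standby())
```

The dropped SYN-ACK in the first scenario is the failure the reply warns about: the second node never saw the handshake, so the reply looks like an unsolicited packet. Synchronizing sessions (or keeping both directions on one active node) is what makes the same exchange pass, which is why the A/A design carries the extra HA3 and MTU requirements and the A/S design does not.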
Thanks for your response.
Both datacenters need to be "Hot" and will have active connections outside. The bandwidth will not exceed VXLAN/EVPN. I am trying to understand if there are any deployment guides/design options for deploying A/A across data centers in Palo Alto.