03-29-2011 02:59 AM
PAN 4.x supports Active-Active High Availability.
Clearly, most firewalls also support Active-Active HA, but they need a Layer-4 switch to get full performance.
In other words, most firewalls also support Active-Active, but in the real network world it is in name only without a Layer-4 switch.
How about Palo Alto on Active-Active? Does PAN also need a Layer-4 switch?
What is the best way to deploy Active-Active HA?
Could you tell me how it works, if it doesn't need a Layer-4 switch?
I’m looking for smart answers.
Thanks,
Eugene.
03-29-2011 05:36 AM
Hi Eugene
This document may prove helpful: https://live.paloaltonetworks.com/docs/DOC-1756
Page 7 describes our behavior in vwire, pages 8 and 9 our layer 3 behavior.
Basically, for vwire you will need layer 3 devices as we act as a wire. In L3 we support 2 modes of operation: Floating IP and ARP load sharing.
Floating IP assigns a/multiple VIP per gateway and these can be used by hosts in the network as gateway.
In case of failover the VMAC to this VIP is transported to the other peer via gratuitous ARP.
In ARP load sharing a VIP is shared among the HA peers, but each with their individual VMAC.
The device that responds to the ARP request is determined by computing a hash or modulo of the source IP address of the ARP request.
In case of failover the VMAC is transported to the remaining peer via gratuitous ARP.
regards
03-29-2011 09:12 AM
Small correction:
In floating IP each device has a unique VMAC, and in case of failover the VIP is moved to the active peer's VMAC using gratuitous ARPs sent out from the active member; the VMAC itself does not move.
03-30-2011 05:23 AM
Thanks for your answer.
I'm sorry, because my English is limited.
So it seems that my question was not delivered correctly.
What I want is not the general concept of PAN's Active-Active HA.
Directly speaking...
What is the difference between Juniper Active-Active HA and Palo Alto Active-Active HA without an L4 switch?
The very important thing for Active-Active HA is that there is no Layer 4 switch.
Without a Layer 4 switch!!
Juniper is divided internally when deploying Active-Active HA, as in the attached diagram.
Each firewall needs many routing paths to make an Active-Active HA and, if the network is complex, it needs lots of routing.
Another issue is performance.
PAN is very similar to Juniper, so I’d like to know whether PAN has the same issue as Juniper on Active-Active.
I think you may know many of the problems of Juniper on Active-Active HA.
Please let me know what kind of issues PAN has with Active-Active HA.
Also, let me know what the very important things are when deploying Active-Active HA.
Thanks,
Eugene.
04-04-2011 10:48 AM
Hi Eugene,
I believe your question was answered above with ARP Load Sharing. This does not require an L4 switch as it shares the load between the active units automatically. This really only works well with directly connected hosts initiating traffic outbound.
The intention for Active/Active HA is not to share the load for higher performance but to address asymmetric routing scenarios. The directly connected HA3 links in the cluster will make sure traffic is correctly forwarded in cases where the traffic was delivered to the wrong firewall.
You may need to have a further discussion with your local SE to get more information on how to design and configure an Active/Active cluster if you find that design is really necessary. Try to stick with an Active/Passive design, if possible, as it is much simpler to design, configure, and troubleshoot.
Cheers,
Kelly
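An added illustration (not part of any reply in this thread, and not Palo Alto Networks code) of the ARP load sharing selection described in the 03-29-2011 05:36 AM reply, and of why, as Kelly notes, it only works well for directly connected hosts. Assumptions not taken from the thread: the peer labels, "modulo" meaning address parity across two peers, and CRC32 as a stand-in hash.

```python
import ipaddress
import zlib

PEERS = ("device-0", "device-1")  # hypothetical labels for the two HA peers

def arp_owner(requester_ip, mode="modulo", alive=(True, True)):
    """Pick the peer that answers an ARP request for the shared VIP."""
    ip = int(ipaddress.IPv4Address(requester_ip))
    if mode == "modulo":
        idx = ip % 2  # assumption: modulo over two peers, i.e. address parity
    elif mode == "hash":
        # Assumption: CRC32 stands in for the hash, which the thread does not name.
        idx = zlib.crc32(ip.to_bytes(4, "big")) % 2
    else:
        raise ValueError(f"unknown mode: {mode}")
    if not any(alive):
        raise RuntimeError("no HA peer is up")
    if not alive[idx]:
        idx = 1 - idx  # failover: the remaining peer takes over via gratuitous ARP
    return PEERS[idx]

def flows_per_peer(clients, **kwargs):
    """Count flows per peer. clients = [(client_ip, next_hop_or_None), ...].

    A directly connected host ARPs for the VIP itself. A routed client never
    does: the firewall pair only sees the ARP request of its next-hop router.
    """
    counts = {peer: 0 for peer in PEERS}
    for client_ip, next_hop in clients:
        counts[arp_owner(next_hop or client_ip, **kwargs)] += 1
    return counts

# Constructed sample data: 20 hosts on the VIP's own subnet, and 200 remote
# clients that all arrive through one router at 10.0.0.254.
DIRECT = [(f"10.0.0.{n}", None) for n in range(10, 30)]
ROUTED = [(f"172.16.{n // 100}.{n % 100 + 1}", "10.0.0.254") for n in range(200)]

if __name__ == "__main__":
    print("direct, modulo:   ", flows_per_peer(DIRECT))
    print("direct, hash:     ", flows_per_peer(DIRECT, mode="hash"))
    print("routed, modulo:   ", flows_per_peer(ROUTED))
    print("direct, peer down:", flows_per_peer(DIRECT, alive=(True, False)))
```

The directly connected hosts split evenly between the peers, while every routed client lands on whichever peer answers the router's single ARP request.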
04-06-2011 10:25 PM
Hi Kelly.
Thanks for your answer.
I've got answers from you to most of my questions.
Thanks.
Eugene.