Active Active HA3 Through EVPN/VXLAN


L2 Linker

Have an Active/Active deployment, single firewall at each DC with EVPN/VXLAN through Juniper cores. Can we have the HA-3 link go through the core switches? We are using data plane interfaces for HA-2, HA-2B, and HA-3. We have the VLANs stretched across to the other data center for the HA-2 and HA-3 links and jumbo frames enabled. I need to verify if the HA-3 link can operate properly through EVPN/VXLAN or do we need a direct connection. I ask because normally for HA-2 I would just use ethernet as the transport but had to use IP even though the VLANs are stretched.

 

Also, for session setup I normally use IP Modulo but PAN config guide states First Packet is recommended.

 

Thanks!

PCNSC, PCNSE
Accepted Solutions

L4 Transporter

It is supported across switches as long as the switch has jumbo frames configured, which you say you have, although I would suggest that it is not really the best scenario. First packet would minimise traffic across the HA3 link, which is always preferable, and in fact is the best starting point before doing any performance tuning.

Remember Force VR sync and QoS sync as appropriate.

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants

Is there a way to determine if HA-3 is actually layer 2 prior to cutover? I assume I can look at the ARP table in the Palo and the switches.

PCNSC, PCNSE

It will be a dedicated Layer 2 interface so shouldn't be anything else. You would be able to check for the MAC on the switch for the interfaces, though.

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants

Thanks! Don't know why I said ARP table for layer 2. What would explain the need for HA-2 to require an IP transport with an IP address? I did one with OTV and did not require IP transport. I am not a VXLAN expert but would assume if it is true layer 2 I could use transport ethernet.

PCNSC, PCNSE