Active-Active Route Based NAT

L3 Networker

Active-Active Route Based NAT

Hey Guys,


I have a deployment that will be a split data center, one firewall in each. Layer 2 is stretched across each DC using EVPN at the Core. The plan was to use route-based redundancy using eBGP peering to an individual ASR in each DC which will then peer to the ISP, no multi-homing. The ASRs will run iBGP between them. The customer has a /19 so we will advertise a /20 at each DC and the /19. The high end of the /20 will be advertised out DC-1 and the low end announced out DC-2. The Palo's will receive the default from the ASR's. There are 2 Cores at each DC that are individual, no MLAG or VSS. Since the Cores are already running eBGP between them (EVPN utilizing ECMP running virtual gateway) we planned to peer with the core switches with eBGP running a /30 on each link to the cores and advertise the default route to the cores. Now to complicate things even more they have about 40 DMZs where the current ASA is the default gateway, not at the layer 3 device.


My questions are.

1. Should I use Failover IP on the Palo's on the south side to the cores and dynamic routing at the north side to the INET edge or just keep dynamic routing all over?

2. How will the static destination and bi-directional NATs work? (The documentation I have ready says to configure device-specific NAT rules when the two HA peers have unique NAT IP address pools.) As stated one DC will have the high end of the /20 and the other the low end and both will have the /19. Or can I bind the static NATs to both firewalls? If I can bind to both firewalls, I assume routing will control which path the traffic takes.

3. The DMZs, it looks like my only option here is ARP load sharing correct for the DMZ which would mean all that traffic comes in and out one firewall which complicates things depending on the NAT.

4. Can I mix the 3 different A/A types. Route-Based, ARP load sharing, Floating IP. I wouldn't think this would be a good idea though.

5. If I have to use ARP load sharing south to the Core, how can I determine the traffic for the NATs will hit the correct firewall for incoming or outgoing or will it matter?

Tags (1)
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!