This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Active/Passive PAs Connected To VPC Nexus 7Ks

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Active/Passive PAs Connected To VPC Nexus 7Ks

DamianCleveland
L1 Bithead

‎03-17-2018 01:25 PM - edited ‎03-17-2018 06:45 PM

This was also posted on the Cisco forum because I'm not sure yet what is the problem's root cause. So I'd appreciate insigt from the Palo experts as well. Below is the problem:

 

Each 7K can ping the active-pal. Active-Pal is connected to 7K A, so  Active-Pal’s mac appears on 7K A’s interface. 7K B, again, can also ping Active-Pal. Of course, Active-Pal’s mac doesn’t appear on 7K B's interface connected to Pass-Pal, but Active-Pal’s mac does appear in 7K B’s mac address table. My assumption is that 7K B is reaching Active-Pal via the VPC pair link. Here’s the trouble, while 7K B can ping Active-Pal from its .70 address, hosts in the environment that uses Nex2 as it’s first hop cannot. Hosts using 7K A reach Active-Pal without problem. If the 7K B pass-pal interface is disabled, active-pal becomes reach-able from hosts in the environment.

 

There is now a move planned, that would relocate the Pal's. Should the existing, inside layer 3 connections be maintained, or should said links be converted to layer 2? I understand that the answer to this question might be revealed in the outcome of the above analysis.

 

 

**********************

 

Not shown in the diagram is a single edge router, so there's no chance of assymetric routing there. My understanding is that the best Palo design here would be Active/Passive. True or false?

 

Also is the point to point layer 3 interface design the best approach? Should the nexus links be layer 2 interfaces?

 

Thanks for the help.

 

 

 

 

 

Traffic_Flow.JPG

0 Likes Likes
1 REPLY 1

pulukas
L7 Applicator

‎03-18-2018 09:05 AM

Yes, PAN recommends keeping clusters Active/Passive unless there are certain circumstances that require an Active/Active design.

 

The point to point routed link may or may not be best depending on the nature of your routing and zone configuration but is frequently a good practice.

 

Your basic issue here is that VPC or AE/LAG connections on the Cisco side are connecting to what is essential a Redundant Ethernet connection on the PAN side.  So on the Cisco side you would be using the "backup" interface feature which is generally the IOS implementation of Redundant ethernet.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes
  • 6902 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks