Active/Passive vs. Active/Active

JayBlanchard · ‎11-24-2015

I am currently working on a network redesign project with all Cisco gear. Our network engineer is opting for a complete HSRP Active/Active environment. According to all deployment documentation, HA Active/Passive seems to be the preferred methed for the Palo Alto's. I see that the PA's do support A/A HA using VRRP, so I do not see a configuration issue. Can someone provide the pro's and con's of deploying the PA's in an A/P vs. A/A environment? Are there any performance implications? Are there any issues when using the PA's in an A/A configuration for VPN termination, etc...?

jeremy.larsen · ‎07-23-2019

If you are using ECMP what is the point os HSRP? Doesn't that kind of defeat the purpose of ECMP by forcing your path one direction?

Stevenjwilliams83 · ‎07-23-2019

I do not follow?

Each active hsrp peer is connected to each palo alto, so any routes beyond the palo alto can be reach through both palo altos.

Stevenjwilliams83 · ‎07-23-2019

Full mesh iBGP so Palo1 (172.16.63.3) knows that network 192.168.21.0/24 lives at Core01 (172.16.63.1) and Core02 (172.16.63.2), same for Palo2.

But now I think I see what you are saying.....the traffic is only going to be forwarded to the active peer for that hsrp group correct? I wonder if I am seeing issues because its trying to send to both peers? So my 9500s are the only ones that seem to need to use ecmp and not the palos.

But I have things connected northbound to both palos which ecmp would be good for..So not sure.

jeremy.larsen · ‎07-23-2019

I'm just saying usually you don't mix both HSRP and ECMP. HSRP - Layer 2 failover mechanism. ECMP - Layer 3 load balancing mechanism.

jeremy.larsen · ‎07-23-2019

Have you enabled ECMP on the Palos? If you are using iBGP instead of eBGP, there are extra hoops to jump through when enabling ECMP.

Active/Passive vs. Active/Active

Active/Passive vs. Active/Active

Show your appreciation!