Active/Passive vs. Active/Active

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Active/Passive vs. Active/Active

L0 Member

I am currently working on a network redesign project with all Cisco gear. Our network engineer is opting for a complete HSRP Active/Active environment. According to all deployment documentation, HA Active/Passive seems to be the preferred methed for the Palo Alto's. I see that the PA's do support A/A HA using VRRP, so I do not see a configuration issue. Can someone provide the pro's and con's of deploying the PA's in an A/P vs. A/A environment? Are there any performance implications? Are there any issues when using the PA's in an A/A configuration for VPN termination, etc...?

41 REPLIES 41

L7 Applicator

Unless you have asymmetric routes (where traffic leaves one firewall and the only way back is through a different firewall), then you should use Active/Passive HA.  Active/Active was designed for networks with asymmetric routing.  For all other cases, use Active/Passive.   

L7 Applicator

PAN does strongly prefer active/passive.  But asymmetrical routing is not the only case where  active/active is required.

 

Active/active is required is if your infratructure requires communication be permitted between devices connected to the secondary firewall at all times.  With PAN Active/Passive the secondary (passive) node has interfaces connected, link is up but no traffic will pass until the device becomes active.

 

This is great for preventing layer 2 loops when the active and passive device are simply an alternate path for the same traffic.

 

But if you network design is fully active/active and therefore there is traffic such as bgp, vrrp, or other protocols that need to communicate on secondary links at all times, you must have the PAN cluster setup as active/active.

 

And if the network design is fully active/active where the traffic load is distributed across both paths, then active/active is also required.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Here's a link to the high-availability section of the PAN-OS documentation:

 - https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/high-availability/ha-concepts.html#1...

 

From there you can read Palo Alto Networks' recommendations, along with links to design guides and tech notes relating to both methods of high availability.  

I am thinking of running active/active on a pair of 5250's in the network core due to the fact that southbound is a pair of core switches that are running alternating HSRP groups or even GLBP. If both firewalls are active then I can leverage ECMP from Core Switches to Core Firewalls. Anyone running Palo Altos in the core active/active?

yes we are alto running active active in vwire mode.

MP

Help the community: Like helpful comments and mark solutions.

I have ran them active/active at the core.  I scratched all Layer2 trickery (HSRP,VRRP,etc) and just incorporated them into my OSPF area.  You have to think of them as 2 routers that just happen to shared a session table.  You can then inject default 0.0.0.0/0 routes from both.  It doesn't matter which default route is preferred in your route tables (and yes, ECMP works awesome).  If PANa is the session owner but PANb receives the packet, it will forward the packet over to the session owner (HA3/HSCI).  There is only one catch in this scenario.  If one of the PANs fail, the failover is instantaneous.  Problems can arrive when the failed member rejoins.  If the OSPF/BGP,etc protocol come up before the firewalls are completely synced, you will get some drops.  To fix this, you can manually or script the ports connected to the PANs to turn on only after a full sync has occurred.  (This last part in thanks to my Panorama instructor)

Were you using them as your core routing point for all your vlans? Or were you running a core pair of switches southbound and terminating SVIs there?

I've done both.  My preference is to run OSPF (or choose your dynamic routing protocol) to switches that support sub-interfaces (ie - most Junipers) thus severing any Layer 2 / bridge loop goofiness and shrinking your broadcast/failure domains.  These sub-interfaces are then segmented by VRF/vRouter/(choose your terminology) which are then assigned to security zones on the PAN.  Then, interVRF matches interZone and intraVRF matches intraZone.  Anything traversing between VRFs must hit the PAN and be processed (ie - VRF Segmentation)

Where are you running you vlan gateways?

Gateways are pushed down by OSPF.  You would most likely be pushing the local VLAN GW with DHCP.  OSPF would take care of it from there.  Does that make sense?

So your SVIs run on layer 3 interfaces/sub-interfaces on the Palos. I would be running mine on a pair of Cat9ks one layer southbound. 

You can either span the vlan all the way through to the PAN subinterfaces or route between the PAN & the 9Ks.  I prefer routing between the two and like I mentioned before, breaking up my security zones using VRF and redistributing your default gateway(s) with a dynamic routing protocol.  You can do VRF on the 9Ks all day long.

So what are you doing to redistribute routes and default routes into vrfs and global route tables?

That depends on your design and preferences.  You can create a 0.0.0.0/0 static route on the PAN and redistribute from there.  If you are running internet facing routers, you can redistribute from there back into the PAN.  Or, you can have your ISP redistribute the default into your internet facing routers and back down through.  It's really up to you.

  • 37054 Views
  • 41 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!