This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

ARP load sharing

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

ARP load sharing

BBHLTD
Not applicable

‎10-22-2012 08:13 AM

We are planning to set up HA in Active Active mode.  The boxes sit in separate locations with Layer 2 network between them.  Currently our guest Network site on our second PA-2020 with our LAN on the first.  Wer had to put the guest Network on second box as we had an issue where we was filling the arp table.

When you run Active Active how does arp load sharing work?  Do you get twice the size arp table?  If one firewall went down do and all traffic is hitting one firewall   do you still get twice the arp table?

Hope this makes sense.

2 REPLIES 2

mbutt
L5 Sessionator

‎10-22-2012 02:40 PM

Hi,

Regardless of A/P or A/A high availability. Both the devices should never be configured to handle the load of more than one device. In case one device goes down the other will have to handle the load of both the devices. The table size will not increase with A/A for a single device. Hopefully this makes things more clear.

Please let us know if this helps.

Thank you

Numan

mikand
L6 Presenter
In response to mbutt

‎10-23-2012 01:27 AM

A workaround could be to have the switch/routers before/after your cluster of PA's to do the loadsharing instead.

This way each PA is a standalone setup (you can use Panorama to get the same security policies out to the boxes) as described in: http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf (this can of course be aschieved with other components than Arista equipment - as long as your aggregated interfaces uses srcip as loadsharing hash on one end and dstip on the other, that is so the traffic will always takes the same path until that path fails and gets loadbalansed to another path)

The drawback is of course if you have fully utilized both paths and one path fails then you will get packetdrops because there is not enough of bandwidth available between outer and inner router/switches.

Another drawback is because each box is standalone then there is no session sync which gives that when box1 fails and all traffic goes through box2 then the clients who previously had their sessions through box1 will have dropped sessions and must reinitialize (which shouldnt be a problem but there are plenty applications out there who just cannot deal with that their tcp session suddently must reinitialize).

  • 2130 Views
  • 2 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks