This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

BGP Active/Passive vs Active/Active argument

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

BGP Active/Passive vs Active/Active argument

KyleFreise
L2 Linker

‎12-18-2015 06:23 AM

I'm running into an argument with our carrier for our 2 ISP links that I need to clarify.

 

We currently have two 3050's with 2 ISP links coming into both devices in an Active/Passive configuration using PBR's to route traffic.  We are adding a third ISP and dropping the slowest link, followed by implementing a BGP configuration with both ISP's.

 

Now I was all gungho to move forward with our current Active/Passive setup by adding BGP peering and now our carrier is telling us we cannot do that because it could cause a broadcast storm.  I'm being told that flipping between the Active/Passive firewalls could cause a flood because 1 IP address for 2 MAC addresses is bad practice.  Maybe I'm not understanding this well, but I thought active/passive is like literally unplugging a switch port and moving it.

 

Our carrier wants us to move to Active/Active with 2 IP addresses per ISP; one for each PAN-3050 peer.

 

I really do not see the purpose of moving to Active/Active as each PAN would then have an active BGP peer at a time, so anytime I perform maintence I would be bringing down one of the peers.  In our environment Active/Passive fits in great with our maintenance plans.

 

Any extra information on BGP experiences would be greatly appreciated.

1 person had this problem.
0 Likes Likes
1 REPLY 1

glastra1
L4 Transporter

‎12-19-2015 09:59 AM - last edited on ‎03-20-2023 01:00 PM by Community Manager

Hi,

 

First of all the mac addres in a HA cluster  are virtual so it'll be 1 ip per 1 virtual mac address, 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Calculate-a-Virtual-MAC-Address/ta-p/5...

During the failover the passive firewall send gratuitous arp that updates the mac table in the switches, but the mac address is the same so there's not need to clear the arp table in the layer 3 devices or your bgp peers.

Also its possible to achieve a subsecond failover in bgp active/passive if you enable graceful restart on both BGP peers,

https://live.paloaltonetworks.com/t5/Management-Articles/Unable-to-Achieve-Sub-Second-Failover-Times...

Moving to HA A/A is a big step and will require more planning regarding session setup, session owner, distribution method...

 

Regards,

Gerardo.

0 Likes Likes
  • 4895 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks