HA A/A or A/P


L3 Networker

Hello All,

I have a situation where I am considering which HA mode to use for the PA configuration. As you can see on the drawing, the customer is considering putting the PAN in a sandwich between a VRRP cluster and a vLAG virtual switch. VRRP has one virtual IP and MAC, and all packets destined from the host go through both active links. So far I don't know the hashing algorithm of the switch forwarding, but certainly both paths were used for packet forwarding. From the perspective of active and redundant paths between them, the only configuration considered so far is A/A in Virtual Wire mode. Is this the only way to put them in a sandwich, or would A/P somehow be acceptable?

This is a concern for future additional configuration, where e.g. we need to configure L2 interfaces to inspect something at that level...

[Attached drawing: Untitled.jpg]

3 REPLIES

L7 Applicator

You cannot use Active/Passive in this scenario as the passive device links will not pass traffic.  So you are correct that Active/Active is your only option.

In general I create very specific rules without inspection profiles for the communication between two routers that go through the Palo Alto devices.  This ensures that the VRRP, BGP or other protocol communication directly between two network devices is never accidentally touched by inspection.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Yes, it seems that A/A configuration can't be avoided in this scenario. However, you mentioned communication policies between two routers and the corresponding security policies; in that regard I'm curious about L2 traffic, e.g. CDP traffic between two switches. How can we see that traffic in Vwire mode, if we insert the PAN in Vwire mode?

Thanks!

For the policies, think of the v-wire setup in the PA as a cable between the two other network devices, in your case the router and the switch.  If the packet would appear on the cable then the PA will see the packet on the interface facing the forwarding device.  Thus a security policy is needed to permit that packet to be forwarded out the opposite v-wire port to the other network device.

You will see all the broadcast and general network traffic coming from the connected ports.

If you are not sure what is there you can simply add an allow all type of security policy for both directions and include logging.  Then all the traffic will be shown in the monitor traffic logs area for your review.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
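The workflow described in this answer (a temporary allow-all rule with logging, then review the traffic log to write the specific router-to-router rules from the first reply) can be partly automated. The script below is an added example, not code from the original thread or from Palo Alto Networks; it reads a constructed, simplified traffic-log export (the column names and sample rows are assumptions, a real export has many more columns) and proposes one per-direction rule for each infrastructure protocol seen crossing the v-wire.

```python
import csv
import io
from collections import Counter

# Constructed sample of a traffic-log export (column names are an assumption; a real
# PAN-OS export has many more columns). Each row is one session seen on the v-wire
# while a temporary allow-all rule with logging was in place.
SAMPLE_LOG = """\
from_zone,to_zone,src,dst,app,proto,rule
vw-router,vw-switch,10.0.0.2,224.0.0.18,vrrp,112,allow-all-discovery
vw-switch,vw-router,10.0.0.3,224.0.0.18,vrrp,112,allow-all-discovery
vw-router,vw-switch,10.0.0.2,10.0.0.3,bgp,6,allow-all-discovery
vw-switch,vw-router,10.0.0.3,10.0.0.2,bgp,6,allow-all-discovery
vw-switch,vw-router,10.0.0.3,224.0.0.18,vrrp,112,allow-all-discovery
vw-router,vw-switch,10.0.1.50,198.51.100.10,web-browsing,6,allow-all-discovery
vw-router,vw-switch,10.0.1.51,198.51.100.10,ssl,6,allow-all-discovery
"""

# Applications whose only legitimate speakers are the network devices on either side
# of the v-wire; these are the candidates for dedicated rules without inspection profiles.
INFRA_APPS = {"vrrp", "bgp", "ospf", "hsrp", "pim", "igmp"}

def summarize_flows(log_text):
    """Count sessions per (from_zone, to_zone, src, dst, app)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["from_zone"], row["to_zone"], row["src"], row["dst"], row["app"])
        counts[key] += 1
    return counts

def propose_infra_rules(log_text):
    """Return one proposed rule per (direction, app) for infrastructure protocols.

    src/dst are collected as sets so one rule covers every router/switch address
    observed speaking that protocol in that direction; everything else (user
    traffic such as web-browsing or ssl) is left for the normal inspected rules."""
    rules = {}
    for (fz, tz, src, dst, app), n in summarize_flows(log_text).items():
        if app not in INFRA_APPS:
            continue
        r = rules.setdefault((fz, tz, app), {"from": fz, "to": tz, "app": app,
                                             "src": set(), "dst": set(), "sessions": 0})
        r["src"].add(src)
        r["dst"].add(dst)
        r["sessions"] += n
    return [rules[k] for k in sorted(rules)]

if __name__ == "__main__":
    for r in propose_infra_rules(SAMPLE_LOG):
        print(f"{r['from']} -> {r['to']} app={r['app']} src={sorted(r['src'])} "
              f"dst={sorted(r['dst'])} ({r['sessions']} sessions)")
```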