HA PANs


L2 Linker

Hello,

 

I am trying to design a new solution in our network infrastructure. Here are the requirements:

- Single ISP -- two active Internet circuits (corrected from two ISPs to a single ISP)
- Current topology: two Internet circuits connected to two Cisco edge routers in active/active mode; both circuits are used.
- Two core switches: two core switches connected to the two edge routers in active/active mode.
- Two HA PANs behind the two core switches.
- Goal: move the two HA PANs in front of the two edge routers.

Questions: Since the HA PANs are in Active/Passive mode, does this mean that we can't connect the two Internet circuits directly to the HA PANs to achieve Active/Active links to the Internet? Is this correct? If so, does that mean we will need another pair of HA PANs to be able to connect the two Internet circuits to each HA pair?

Thanks in advance.

Best, ~sK


L6 Presenter

It's not an answer to your question, but why are you wanting to put the firewalls in front of your edge routers?

L6 Presenter

@Sadik_Khirbash wrote:

...
Questions: Since the HA PANs are in Active/Passive mode, does this mean that we can't connect the two Internet circuits directly to the HA PANs to achieve Active/Active links to the Internet? Is this correct? If so, does that mean we will need another pair of HA PANs to be able to connect the two Internet circuits to each HA pair?

Thanks in advance.

Best, ~sK


In an A/P deployment the operational interfaces on the P FW are disabled so you wouldn't be able to land one of your ISP connections on your secondary.  

 

I've never done A/A, but based upon what I know, if you deploy a single A/A pair you could deploy a single FW pair connecting the ISPs into a FW. (If one FW failed, at least you'd still maintain connectivity.)

Sorry... Just made the correction. The PANs aren't sitting in front of the edge routers. They are sitting behind the core routers.

 

~sK 

 

 

I guess I'm not following.  What is the end location you're wanting your FWs to exist at?

 

 

This is a very high-level view of a potential network (leaving out a DMZ and a fair amount of potential switches)... You're saying that currently your firewalls sit between that last link (between your core routers and your internal LAN)?

 

High Level.png

Thanks.

 

I'm considering the following deployment where there's only one A/A pair.  I hope this design will work. 

                     ISP_01
          ^                          ^
          |                          |
          v                          v
     Edge_Rtr_01  <----------->  Edge_Rtr_02
       ^       ^                ^       ^
       |        \              /        |
     A/A PAN    <----------->   A/A PAN
       ^       ^                ^       ^
       |        \              /        |
     Core_01    <----------->   Core_02


If I am understanding the question, we can actually simplify it to a single ISP. I mean, basically you want each firewall to be able to leverage having two available ISPs, correct? In that case, your approach would be the same as asking how you would configure a single ISP to work with a firewall pair in HA.

And I believe the response would be to have an intermediate switch (or two, depending on your desire for switch HA), so that the ISP is plugged into one port and each PA is plugged into another port (for a total of 3), and then just scale that up for 2 ISPs (likely private VLANs on the switch for each set of 3 ports).

If that makes sense. I've had a day, so my brain is fried anyway. That's my excuse.

ETA: You will be warned and very well educated to try to avoid putting PA in active/active unless absolutely mandatory, such as in the case of resolving asymmetric routing issues.

--
CCNA Security, PCNSE7

@bradk14 Not trying to answer for @Sadik_Khirbash but keeping two ISPs allows for vendor diversity...

 

In my deployment we've actually got 3 independent ISPs on wholly diverse paths that come into my company. Maybe it's overkill, but hey... at least we can say we've got redundancy. lol

@Brandon_Wertz apologies if my point wasn't clear. I'm not disparaging or questioning the use of multiple providers; I was just trying to streamline the question. Whether you have 1, 2, 3 or 5 or more ISPs, the process should be the same. You shouldn't have to rely on each PA in an HA pair to be responsible for a single ISP connection, especially when you are setting out to have an Active/Active configuration just to accomplish it. The process should be the same for as many external connections as you may have, and that's to use that switch before the firewall to be able to 'split' the connections and leave the passive firewall's ports disabled.

--
CCNA Security, PCNSE7

Agreed...How you described it before (I think it was you) is how we're doing it.

 

Those 3 edge routers have connection points into switch(es), and our single HA pair sits between those ISPs, negating the need for 3 stand-alone HA pairs.

L2 Linker

I deal with this by having an additional pair of switches between the Palos and routers. I use HSRP on the switches for failover. If a circuit fails, the active PA can still find the route to whichever router is active. The routers and the PAs all sit on the same VLAN.

The routers themselves are using BGP with our registered AS number and multiple prepends to create a preferred route out our primary ISP. To handle a failure deeper in the ISP, but not at our local link, I use SLAs on the routers to shut down the BGP neighbour, which will force a cutover to my backup.

On the routers' inside interfaces, I create a subinterface using HSRP so each router uses the same gateway IP, so no matter which router is active, the same gateway IP is responding.

 

This allows you to use Active/Passive in your config.
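The edge-router side of the design described in the post above, as a constructed Cisco IOS sketch that is added here and is not the poster's own configuration. It assumes the BGP-neighbour shutdown is driven by an IP SLA track object through an EEM applet (one way to do what the post describes); AS numbers, addresses, VLAN and interface names are placeholders.

```cisco
! Added example, not from the thread: the primary edge router.  All
! addresses and AS numbers are placeholders; adapt them to your own.
!
! eBGP to the ISP.  Prepend once here; on the backup router prepend
! several times so the primary circuit is preferred inbound.
router bgp 64512
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 route-map PRIMARY-OUT out
!
route-map PRIMARY-OUT permit 10
 set as-path prepend 64512
!
! Probe an address beyond the local link so a failure deeper in the
! ISP (local link still up) is still detected.
ip sla 10
 icmp-echo 192.0.2.10 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
! When the probe fails, shut the BGP neighbour so the backup router's
! advertisement wins; restore it when the probe recovers.
event manager applet ISP-PROBE-DOWN
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "router bgp 64512"
 action 4.0 cli command "neighbor 203.0.113.1 shutdown"
 action 5.0 cli command "end"
event manager applet ISP-PROBE-UP
 event track 10 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "router bgp 64512"
 action 4.0 cli command "no neighbor 203.0.113.1 shutdown"
 action 5.0 cli command "end"
!
! Inside subinterface: HSRP gives both routers one shared gateway IP,
! so the active PA's default route keeps working whichever router is
! active.  Use .3 and a lower priority (e.g. 100) on the backup router.
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 10.0.100.2 255.255.255.0
 standby 100 ip 10.0.100.1
 standby 100 priority 110
 standby 100 preempt
 standby 100 track 10 decrement 20
```

The PA HA pair in Active/Passive then only needs a default route to 10.0.100.1; tracking the same SLA object in HSRP moves the gateway to the backup router at the same time the BGP session is shut.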
