This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

High Availability across a Fibre connection

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

High Availability across a Fibre connection

BBHLTD
Not applicable

‎10-08-2012 03:43 AM

We are preparing to configure High Availability in Active Active mode on our PA-2020 firewalls in London.  Our first firewall sits in our main site in central London with our DR site sitting outside central London connected together via a 1Gbp Fibre.

Both sites have a 200Mpb Internet connection so it would be good to make use of both.  What options have we got for making best use of the pipes?

What would the best way to configure H.A be?  We are unable to directly attach the two Firewalls together so would creating a VLAN for HA work?

I have attached a Diagram of our Network that may halp answer any questions,  i'll probably have some more wuestions to ask so will put them on here when I can

Cheers

Joe

Labels:
Preview file
171 KB
0 Likes Likes
2 REPLIES 2

licenselu
L4 Transporter

‎10-08-2012 03:59 AM

Hello,

I have such configuration for a lot of customers (mainly banks).

We use VLAN to provide L2 connectivity between the sites.

One VLAN for Control plane (2 interfaces for redundancy) and one VLAN for Data plane (also 2 interfaces for redundancy).

If you use Cisco switches, disable IGMP snooping for theses VLANS. This is not required but it's just an advice...

PS : Putting the name of the company inside the doc its' not really a good idea...

Regards,

HA

mikand
L6 Presenter
In response to licenselu

‎10-15-2012 08:37 PM

Another setup is to use both PA boxes as independent setups with no HA in between.

You will lose the session sync but this way the routers before and after PA will take the loadbalance decisions (and along with IP-SLA through the PA boxes the external routers can decide which site to announce to the Internet or whatever you have on the outside and the internal routers could decide which site should be used to reach outside).

In order to have equal setup (like policies etc) on both boxes you can use Panorama.

You can also use PA in VWIRE mode (but then the dmz vlaning will have to be taken care of the internal router on each site).

0 Likes Likes
  • 3057 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks