High Availability with Virtual Wires?

nugentec · ‎09-07-2010

Hi,

I've been looking everywhere and I can only find information on virtual wires being used for path-monitoring in HA. What I'm looking for is if when in HA, do the virtual wires fail over? If they do fail over is there a best practices document detailing how and what type of interfaces fail over? Fail over of a L3 interface makes sense since the new firewall will answer ARP requests for the failed firewall, but how does that work with virtual wires?

Thanks,

Frank

jpa · ‎09-09-2010

Frank

With Vwires the firewall behaves as physical layer device. Few things to keep in mind

- Make sure you have the Link State Pass Through confiugued on the VWire. When one of the interfaces in the vwire fails, the other one will be brought down. So essential both the upstream and downstream devices connected to the VWIRE will realize the failure

- With HA, the link state on the passive device is DOWN. So the ports on switches or routers connected to the passive device will always be down state. The links on the active device will be up

- You can either configure link monitoring on path-monitoring on the VWIRE.With link monitoring and Link State Pass Through confiugued on the VWire if one of the links fail, the other link in the vwire will also fail and the device will change state to non-functional.

As for the configuration, refer to the document at https://live.paloaltonetworks.com/docs/DOC-1160. The same procedure applies for Vwire.

_Jerish

dcurrie · ‎09-09-2010

I guess I'm still a little confused on how to wire this up to an HA pair. I have a VLAN for my subnet my WAN router is on. Lets say vlan 10 and my WAN router IP is 192.168.10.254 and my data center switch virtual VLAN ip address is 192.168.10.253.

Cabling is no problem since it is going straight to one PAN virtual port, and then through the PAN to the router's LAN port.

router LAN <--------------> PAN#1 virtual wire p1 ---- PAN#1 Virtual wire p2 <------------------> data center switch

But how do I wire in the second PAN to this?

thanks

blacksan · ‎09-09-2010

try this:

Create a isolate vlan (port access) on your cisco switch
assign three ports to that vlan
1. Plug the Router
2. Plug PA-1 - untrust side
3. Plug PA-2 - untrust side
assign two ports on your cisco switch for the main routing
1. Plug PA-1 - trust side
2. Plug PA-2 - trust side
Verify these Cisco port settings:
1. switch port fast
2. no cdp
3. fix the speed if possible (1000/Full)

If you require trunk for multiple vlans then you will need a dedicated switch between the router and the PA pair.

adevine · ‎05-16-2011

As the virtual wire is essentially connecting these two VLANs together, did you use crossover cables cables on one of the sides from PA to the switch? As fixing the port speed/duplex disables Auto-MDIX...

I need to do this for a similar scenario, but I have a Cisco router one side and a Cisco ASA on the other. Without the isolate VLAN the ASAs fail to form a resilient pair as with the ASA directly cabled to the PAN the standby ASA has one of its interfaces link-down so the Secondary is shown as failed.

So I will have:-

ASA <---> Isolate VLAN <---> PAN Untrust <-> PAN Trust <-x-> Data Centre VLAN <---> Router

This is so I can have the PAN in the traffic path performing web-filtering etc but use the ASA for L3 functions. I have valid reasons for this topology, testing the failover of both the ASA and PAN independantly should be interesting!

Cheers

Sly_Cooper · ‎04-23-2013

- You can use the straight cables for vWire connections. You will need cross-over for HA connections between PAN (PA-5000). I can make out that you have ASA HA pair. How many router or connections from router that you have? Check thread as well where we had similar discussion.

High Availability with Virtual Wires?

High Availability with Virtual Wires?

Show your appreciation!