11-26-2021 03:36 AM
How do Palo Alto HA and Cisco HSRP work together?
For example
===========
Here the Palo Alto HA pair is the upstream device (let's consider PA1 and PA2 to be in an HA setup).
The Cisco switches are Catalyst 6509 or Nexus 5K or 6K (SW1 and SW2).
SW1 is connected to PA1 and SW2 is connected to PA2.
On SW1 and SW2, HSRP is configured to maintain gateway high availability for both upstream (PA firewalls) and downstream (end hosts).
Static routing is configured between the switches and the upstream devices (PA firewalls). As per the routing, any traffic coming from the end hosts will be forwarded to the upstream (active PA firewall). Likewise, the return traffic from the firewall will be forwarded to the active switch using the HSRP virtual IP address and MAC address.
If we do a manual HA failover between the PA firewalls for some reason and make PA2 active, but still keep SW1 active for HSRP, like below:
SW1 (active for HSRP) ------> PA1 (standby)
SW2 (standby for HSRP) -----> PA2 (active)
1. In this case, how would the traffic flow? Would it create any impact on the traffic flow?
2. Do we also need to do an HSRP failover between the switches when we do an HA failover between the PA firewalls?
Kindly provide your suggestions on this.
11-26-2021 05:36 AM
Thank you for posting the question @perumalj
There is no need to change the HSRP priority to make the other switch active when there is a failover of the PA firewalls. The scenario you described is still functional regardless of which HSRP switch is active at the time.
In the case of this scenario:
SW1 (active for HSRP) ------> PA1 (standby)
SW2 (standby for HSRP) -----> PA2 (active)
Traffic from PA2 will, depending on your Layer 2 topology, find its default gateway (the HSRP active switch) on SW1 by using the interlink between SW2 and SW1.
Traffic from the end host to the PA will have this flow: the end user's traffic lands on SW1 (the HSRP active switch); the static route's next-hop IP is resolved to the MAC address of PA2 (the active firewall); based on the MAC address table, the outgoing interface is the interlink between SW1 and SW2; then the traffic arrives at PA2.
Kind Regards
Pavel
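The hop-by-hop path described above, modelled as an added example (not part of the thread): one host behind SW1, an interlink between SW1 and SW2, the HSRP virtual MAC answered by the HSRP-active switch and the PA HA floating MAC answered by the HA-active firewall. Device names and the topology are constructed to match the post; the model prints both the aligned case (SW1/PA1 active) and the crossed case (SW1 HSRP-active, PA2 HA-active).

```python
from collections import deque

# Constructed physical topology from the thread: device -> directly attached neighbours.
LINKS = {
    "HOST": {"SW1"},
    "SW1": {"HOST", "SW2", "PA1"},   # SW1 <-> SW2 is the interlink
    "SW2": {"SW1", "PA2"},
    "PA1": {"SW1"},
    "PA2": {"SW2"},
}


def l2_path(src, dst, links=LINKS):
    """Switched path from src to dst (breadth-first; with one interlink it is unique)."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(links[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:          # walk back from dst to src
        path.append(node)
        node = prev[node]
    return path[::-1]


def crossings(path):
    """Number of times a path traverses the SW1 <-> SW2 interlink."""
    return sum(1 for a, b in zip(path, path[1:]) if {a, b} == {"SW1", "SW2"})


def flows(hsrp_active, pa_active):
    """Upstream (host -> firewall) and downstream (firewall -> host) hop lists.

    Upstream: the host ARPs its gateway (HSRP VIP) and hands the frame to the
    HSRP-active switch, which routes it to the PA floating IP; that MAC is
    answered by the HA-active firewall, so the switch forwards there via its
    MAC table, crossing the interlink if the active PA hangs off the other switch.
    Downstream is the mirror image: the active PA's next hop is the HSRP VIP,
    whose virtual MAC lives on the HSRP-active switch.
    """
    up = l2_path("HOST", hsrp_active) + l2_path(hsrp_active, pa_active)[1:]
    down = l2_path(pa_active, hsrp_active) + l2_path(hsrp_active, "HOST")[1:]
    return {"upstream": up, "downstream": down,
            "interlink_crossings": crossings(up) + crossings(down)}


if __name__ == "__main__":
    for hsrp, pa in (("SW1", "PA1"), ("SW1", "PA2")):
        print(f"HSRP active={hsrp}, PA active={pa}: {flows(hsrp, pa)}")
```

The crossed scenario stays reachable but every packet traverses the interlink twice, which is the capacity to size (and to watch in interface counters) if the firewall pair fails over while HSRP priorities are left alone.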
11-26-2021 06:00 AM
@PavelK, thank you for your reply.
May I know whether what you have explained is the same for both Cisco Catalyst and Cisco Nexus switches?
Could you also share if there is any document?
11-26-2021 07:05 AM
I agree with your answer.
I will be looking forward to hearing your response on the following:
May I know whether what you have explained is the same for both Cisco Catalyst and Cisco Nexus switches?
Could you also share if there is any document?
11-26-2021 03:14 PM
Thank you for the reply @perumalj
The behavior will be the same regardless of whether you use Catalyst or Nexus. The only difference is if you enable vPC on the Nexus side and configure a port-channel on the PA side; then HSRP will act as active/active.
I have not found any document that exactly explains this, and there is no best practice/design guide for PA <-> Nexus/Catalyst; however, I have this deployment in several locations using Nexus or Catalyst depending on the site, and failover on the PA works fine without any changes to HSRP.
Kind Regards
Pavel