LACP on Passive Palo Alto

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

LACP on Passive Palo Alto

L2 Linker

I am planning a new site and want to make sure my detailed design will not be a problem. I will have two PA-440s in Active/Passive High Availability mode. These will connect to a stack of Cisco C9300s. I will have an LACP port-channel connecting one port of each Cisco switch (ports g1/0/1 and g2/0/1 in the stack to PAN Eth 1 on act and PAN Eth 2 on Passive....As we do not do Path or Link monitoring for HA, I am trying to avoid losing a Cisco switch in the stack and black-holing to a passive PAN, or the active PAN not having a functional switch to forward to. Therefore, I'm planning a LACP channel to span both Cisco switches in the stack but one of LACP members goes to Pt 1 of the active PAN and the other member goes to the passive PAN. (Please see diagram).

My question: The passive PAN does NOT send LACP packets- correct? The PAN's passive member in the cluster DOES provide ethernet carrier on the port, I want to make sure it does NOT send LACPDUs, and the Cisco switch sees it as an active member of the port-channel and forwards packets to a passive PAN...I just want to make sure...

Thanks!!

 

Mike

1 accepted solution

Accepted Solutions

L4 Transporter

Hi there, 

Why would you connect half of your port-channel to a device that is not going to pass traffic?

The typical way of connecting a active/passive HA pair to a stack of switches would be to take two ports from each firewall and connect them across the switch stack:

 

PA1: Eth1 -> gi1/0/1  - Po1

PA1: Eth2 -> gi2/0/1  - Po1

PA2: Eth1 -> gi1/0/2  - Po2

PA2: Eth2 -> gi2/0/2  - Po2

 

You would then configure pre-negotiation on the passive port-channel to ensure sub-second failover.

LACP and LLDP Pre-Negotiation for Active/Passive HA (paloaltonetworks.com)

 

cheers,

Seb.

 

View solution in original post

2 REPLIES 2

L4 Transporter

Hi there, 

Why would you connect half of your port-channel to a device that is not going to pass traffic?

The typical way of connecting a active/passive HA pair to a stack of switches would be to take two ports from each firewall and connect them across the switch stack:

 

PA1: Eth1 -> gi1/0/1  - Po1

PA1: Eth2 -> gi2/0/1  - Po1

PA2: Eth1 -> gi1/0/2  - Po2

PA2: Eth2 -> gi2/0/2  - Po2

 

You would then configure pre-negotiation on the passive port-channel to ensure sub-second failover.

LACP and LLDP Pre-Negotiation for Active/Passive HA (paloaltonetworks.com)

 

cheers,

Seb.

 

L2 Linker

Seb., Agreed, I guess I wasn't thinking clearly this morning. I'm going back to your design/point. Thanks!

 

Mike

  • 1 accepted solution
  • 3784 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!