08-10-2023 06:59 AM
I am planning a new site and want to make sure my detailed design will not be a problem. I will have two PA-440s in Active/Passive High Availability mode. These will connect to a stack of Cisco C9300s. I will have an LACP port-channel connecting one port of each Cisco switch (ports g1/0/1 and g2/0/1 in the stack) to PAN Eth 1 on the active and PAN Eth 2 on the passive. As we do not do path or link monitoring for HA, I am trying to avoid losing a Cisco switch in the stack and black-holing to a passive PAN, or the active PAN not having a functional switch to forward to. Therefore, I'm planning an LACP channel to span both Cisco switches in the stack, but one of the LACP members goes to port 1 of the active PAN and the other member goes to the passive PAN. (Please see diagram.)
My question: the passive PAN does NOT send LACP packets, correct? The PAN's passive member in the cluster DOES provide Ethernet carrier on the port; I want to make sure it does NOT send LACPDUs, and that the Cisco switch sees it as an active member of the port-channel and forwards packets to a passive PAN... I just want to make sure...
Thanks!!
Mike
08-10-2023 07:17 AM
Hi there,
Why would you connect half of your port-channel to a device that is not going to pass traffic?
The typical way of connecting an active/passive HA pair to a stack of switches would be to take two ports from each firewall and connect them across the switch stack:
PA1: Eth1 -> gi1/0/1 - Po1
PA1: Eth2 -> gi2/0/1 - Po1
PA2: Eth1 -> gi1/0/2 - Po2
PA2: Eth2 -> gi2/0/2 - Po2
You would then configure pre-negotiation on the passive port-channel to ensure sub-second failover.
LACP and LLDP Pre-Negotiation for Active/Passive HA (paloaltonetworks.com)
cheers,
Seb.
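The cabling in Seb's table as switch and firewall configuration. This is an added example, not config from the thread or from Palo Alto Networks; it assumes the stack is IOS-XE, that the firewall side is a Layer 3 aggregate (ae1) so the switch ports are trunks, and that VLANs 10 and 20 are the ones carried. The PAN-OS set commands are written from memory of the aggregate-ethernet LACP settings and should be checked against the pre-negotiation document Seb linked; the point they illustrate is that each firewall gets its own bundle and that the passive peer is allowed to negotiate LACP while passive.

```text
! ---- Cisco C9300 stack (IOS-XE) ----
! One LACP bundle per firewall, each bundle spanning both stack members.
! Po1 -> PA1 (Eth1 on gi1/0/1, Eth2 on gi2/0/1)
! Po2 -> PA2 (Eth1 on gi1/0/2, Eth2 on gi2/0/2)
! VLAN list is assumed.
interface Port-channel1
 description PA1 aggregate (HA peer A)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface range GigabitEthernet1/0/1, GigabitEthernet2/0/1
 description PA1 Eth1 / Eth2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
interface Port-channel2
 description PA2 aggregate (HA peer B)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface range GigabitEthernet1/0/2, GigabitEthernet2/0/2
 description PA2 Eth1 / Eth2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 2 mode active
!

# ---- PAN-OS (configured on the active peer; HA sync copies it to the passive) ----
# Assumed CLI syntax; verify against the linked pre-negotiation document.
set network interface aggregate-ethernet ae1 layer3 lacp enable yes
set network interface aggregate-ethernet ae1 layer3 lacp mode active
set network interface aggregate-ethernet ae1 layer3 lacp transmission-rate fast
set network interface aggregate-ethernet ae1 layer3 lacp high-availability passive-pre-negotiation yes
set network interface ethernet ethernet1/1 aggregate-group ae1
set network interface ethernet ethernet1/2 aggregate-group ae1
```

With pre-negotiation on, the passive firewall does exchange LACPDUs on its own bundle (Po2 here) even though it forwards nothing until it becomes active, so on the switch both Po1 and Po2 should show as bundled with both members up; losing either stack member then drops one link from each bundle rather than an entire firewall's uplink. To check it, use `show etherchannel summary` and `show lacp neighbor` on the stack, and (assumed command) `show lacp aggregate-ethernet ae1` on each firewall.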
08-10-2023 09:15 AM
Seb, agreed. I guess I wasn't thinking clearly this morning. I'm going back to your design/point. Thanks!
Mike