This is my first time having the luxury of two ISP's and redundancy in all hardware - I was tryingt to research best practice for wiring the PA pair as active/passive router/nat - I found some mentioning of using port channels to achieve local redunancy, but I don't see much info on it, doesnt seem widely used.
Please see image below about my thoughts of physical and logical.
Some said it would be much simpler if I just ran each ISP through one router direct to one port and let PA do the BGP, but to me that still doesnt solve redundancy on the trunk links to the core - would be nice to just use Port channels, guess it could just be by secondary route interface (was thinking RSTP probably not a good plan).
any comments and suggestions appreciated
Looks like a good drawing. What purpose do the Routers serve? Also is there a need to have the switches between the routers and the PAN's?
Me personally I like to keeps things as simple as possible. So for me it would the the ISP devices directly into the PAN's and from the PAN's to the 6840's. obviously I dont know you physical layout, ie different buildings etc that could be a factor.
Thank you for your response - the original idea was to have full hardware redundancy, both routers handle BGP to both ISP's - one of the uses of the routers is some specific policy routing for certain traffic which I have had a hard time doing on PA in the past (that might just have been me) - and also, our corporate mothership requires a few things (they spec'd most of the hardware except the PAs).
I ran into some issues with IP space for the ISP's only having /30 to each, and hsrp/vrrp needs interface ones, and as far as I could tell they should be on the same subnet - so for now I did simplify the design, a lot, one isp bound to one router, took out the inbetween switch- I am using LACP from Palo to Core, this works pretty well, on PO access ports with portfast the failover takes about 5 seconds for traffic to pass, which is good enough for me (Trunks dont allow portfast so its 40'ish seconds on that).
so here is the design i ended up with - it is not operational yet but assume it will stay this way or close
yeah there are double up to the core (core is 2x 6840 vss, so spanning port-ch from each palo) - I have the main traffic on access ports, the second set is for some trunks of other things, dmz/public etc
Trunks dont allow portfast so its 40'ish seconds on that
Don't know if this is supported on your 6840s, but on cisco hardware also this command is available:
spanning-tree portfast trunk
thank you vsys - yeah on the 6840's my only option is edge or network, and when enabling on edge it states it will not work on a trunk - so it is as expected.
I havent tried "network", i suspect that may be similar to trunk perhaps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!