Moving a Layer Two Switch between FW pair and Edge Router from ISP Issue



L0 Member


We are attempting to move a pair of vPC'd layer 2 switches between our ISP's Ciena and our PA-5220 pair. Our ISP is only giving us a single handoff, so we were attempting to plug the handoff into the layer 2 switches (Nexus 9Ks with vPC) on an access port in VLAN 602. The switches also have trunk ports connecting to the Palo Altos with LACP.

We were able to see ARP entries for the Palo Alto and the Ciena from the Nexus and could ping the Ciena BGP peer address from the Palo Alto. Unfortunately, the BGP session would only say Connected and never Established.

The ISP was unhelpful and said that in their experience that type of setup doesn't work, and that in the rare cases it does, you have to do configuration on your side. (Surprise, surprise!)

Any thoughts? We tried raising the hop count dramatically, resetting the ISP router in case it was an ARP caching issue on their side, etc.

L7 Applicator

I assume the ISP is not able to give you dual handoff in the same layer 2 domain.  This is our first approach to this type of request as an ISP.


I also assume that the PA cluster is active/passive with a single peering.


Does the peering work when directly connected to one PAN or was that not attempted?

This would be good information to have even if it cannot stay that way.


It is not clear if this is a directly connected peer or multihop without the move. I would assume this is a direct link peer. If so, setting multihop won't make any difference, and that parameter does need to match on both peers if it is multihop.


Running a pcap during the failure should give more detailed information on the issue; the instructions are here.




Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
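A session that sits in Connect means the TCP/179 handshake itself is not completing, so the first thing to read out of the pcap the reply above recommends is where the handshake stalls. The following is an added example, not code from the thread or from Palo Alto Networks: a small triage script that classifies `tcpdump -n port 179` text output between the two peer addresses and returns a verdict. The capture lines and the 203.0.113.x peer addresses are constructed for the example and are not the poster's real ones; the line format assumed is tcpdump's default IPv4 text output without `-v`.

```python
"""Triage a BGP session stuck in Connect/Active by classifying the TCP/179
handshake seen in a packet capture.

Added example, not from the original thread. The capture text below is
constructed in `tcpdump -n port 179` format; the peer addresses are
documentation-range placeholders, not the poster's real addresses.
"""
import re
from collections import Counter

# One line of `tcpdump -n port 179` output (assumption: default tcpdump
# IPv4 text format, no -v). Captures timestamp, endpoints and TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

BGP_PORT = 179


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for each line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def classify_handshake(text, local_ip, peer_ip):
    """Count handshake events on TCP/179 between local_ip and peer_ip."""
    c = Counter()
    for src, sport, dst, dport, flags in parse_capture(text):
        if {src, dst} != {local_ip, peer_ip} or BGP_PORT not in (sport, dport):
            continue  # unrelated traffic in the capture
        if "R" in flags:
            c["rst_from_peer" if src == peer_ip else "rst_from_local"] += 1
        elif flags == "S":
            c["syn_out" if src == local_ip else "syn_in"] += 1
        elif flags == "S.":
            c["synack_in" if src == peer_ip else "synack_out"] += 1
        elif "." in flags and "S" not in flags:
            c["established_segment"] += 1  # ACK/PSH/FIN after the handshake
    return c


def diagnose(text, local_ip, peer_ip):
    """Return a one-line verdict on where the TCP/179 handshake stalls."""
    c = classify_handshake(text, local_ip, peer_ip)
    if not c:
        return "no TCP/179 traffic between these peers in the capture: check capture interface and filter"
    if c["rst_from_peer"]:
        return "peer resets TCP/179: reachable, but refusing the session (peer address or AS not configured on their side)"
    if c["syn_out"] and not c["synack_in"]:
        return "outbound SYNs unanswered: SYN never reaches the peer or SYN-ACK never returns (VLAN/forwarding path or a filter on TCP/179)"
    if c["syn_in"] and not c["synack_out"]:
        return "peer's SYNs arrive but are never answered locally: local filter or peer address not configured locally"
    if c["synack_in"] or c["synack_out"]:
        return "TCP handshake completes: the problem is at the BGP layer (OPEN/NOTIFICATION), read the BGP logs rather than the switch"
    return "inconclusive: only partial segments seen"


# Constructed capture matching the symptom in the thread: the firewall side
# keeps sending SYNs to the peer and nothing ever comes back.
SAMPLE_UNANSWERED = """\
10:00:01.000001 IP 203.0.113.2.49152 > 203.0.113.1.179: Flags [S], seq 100, win 29200, length 0
10:00:02.000001 IP 203.0.113.2.49152 > 203.0.113.1.179: Flags [S], seq 100, win 29200, length 0
10:00:04.000001 IP 203.0.113.2.49152 > 203.0.113.1.179: Flags [S], seq 100, win 29200, length 0
"""

# Constructed capture: the peer answers with a reset.
SAMPLE_RESET = """\
10:00:01.000001 IP 203.0.113.2.49152 > 203.0.113.1.179: Flags [S], seq 100, win 29200, length 0
10:00:01.000400 IP 203.0.113.1.179 > 203.0.113.2.49152: Flags [R.], seq 0, ack 101, win 0, length 0
"""

# Constructed capture: full handshake, so TCP is fine and BGP itself is the problem.
SAMPLE_OK = """\
10:00:01.000001 IP 203.0.113.2.49152 > 203.0.113.1.179: Flags [S], seq 100, win 29200, length 0
10:00:01.000400 IP 203.0.113.1.179 > 203.0.113.2.49152: Flags [S.], seq 200, ack 101, win 29200, length 0
10:00:01.000500 IP 203.0.113.2.49152 > 203.0.113.1.179: Flags [.], ack 201, win 29200, length 0
10:00:01.001000 IP 203.0.113.2.49152 > 203.0.113.1.179: Flags [P.], seq 101:150, ack 201, win 29200, length 49
"""

if __name__ == "__main__":
    for name, sample in (("unanswered", SAMPLE_UNANSWERED),
                         ("reset", SAMPLE_RESET), ("ok", SAMPLE_OK)):
        print(f"{name}: {diagnose(sample, '203.0.113.2', '203.0.113.1')}")
```

Because a layer 2 switch does not decrement IP TTL, an unanswered-SYN verdict here points at the VLAN or vPC forwarding path (or a filter on TCP/179 at either end) rather than at the multihop/TTL setting, which is consistent with the reply's point that multihop only matters when both sides are configured for it.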