08-12-2024 01:21 AM
Hello,
We have set up an Active/Passive pair connected to a Cisco 9500 stack with four links in a full mesh, as shown below:
Paloalto active:
PA(active) AE1 ========= cisco-1 switch (EtherChannel 10)
PA(active) AE1 ========= cisco-2 switch (EtherChannel 20)
Paloalto Passive:
PA(passive) AE1 ========= cisco-1 switch (EtherChannel 10)
PA(passive) AE1 ========= cisco-2 switch (EtherChannel 20)
=================================================
Is the connection and configuration correct, or should I create 2 channels from the Palo Alto side like this example?
08-12-2024 11:39 PM
Hello @khaled.mohamed
To me this configuration does not look ideal.
You have 2 ports on the PA side in a single port-channel group, and on the Cisco side each port is in a different port-channel group. With this configuration you might have an issue with Cisco's EtherChannel guard kicking in and taking the ports into the error-disabled state.
Personally I would configure port channel 10 to the Active firewall and port channel 20 to the Passive firewall.
Paloalto active:
PA(active) AE1 ========= cisco-1 switch (EtherChannel 10)
PA(active) AE1 ========= cisco-2 switch (EtherChannel 10)
Paloalto Passive:
PA(passive) AE1 ========= cisco-1 switch (EtherChannel 20)
PA(passive) AE1 ========= cisco-2 switch (EtherChannel 20)
Also, the passive firewall will have its data plane interfaces down, so there will not be any traffic passing over this port channel until there is a failover event.
Kind Regards
Pavel
08-13-2024 05:31 AM - edited 08-13-2024 05:32 AM
Great,
For LACP, should it be active or passive on Cisco and PA?
Thank you,
08-13-2024 05:43 AM
Hello @khaled.mohamed
Thank you for the reply.
I would configure LACP active on the PA as well as on the Cisco side. I would also recommend enabling LACP pre-negotiation (LACP and LLDP Pre-Negotiation for Active/Passive HA) by selecting the check box under: LACP > High Availability Options > Enable in HA Passive State.
Kind Regards
Pavel
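As an added configuration example (not posted in this thread and not taken from Cisco or Palo Alto documentation), the following shows the layout Pavel recommends: one port-channel per firewall spanning both stack members, LACP active on both ends, and pre-negotiation enabled on the firewall so the passive unit keeps its LACP state ready for failover. The physical interface names (TenGigabitEthernet1/0/1, 2/0/1, 1/0/2, 2/0/2 on the 9500 pair; ethernet1/1 and ethernet1/2 on the firewall) are constructed placeholders, and the PAN-OS part assumes ae1 is a Layer 3 aggregate group; the thread does not say which interface type is in use, so adjust the `layer3` keyword accordingly.

```text
! ---- Cisco IOS-XE, Catalyst 9500 StackWise Virtual pair (constructed example) ----
! One port-channel per firewall; each channel has one member on each stack member.
interface Port-channel10
 description AE1 on the ACTIVE firewall
 switchport mode trunk
!
interface Port-channel20
 description AE1 on the PASSIVE firewall
 switchport mode trunk
!
! Both links to the active firewall go into channel-group 10, LACP active
interface range TenGigabitEthernet1/0/1, TenGigabitEthernet2/0/1
 description to PA-active AE1
 switchport mode trunk
 channel-group 10 mode active
!
! Both links to the passive firewall go into channel-group 20, LACP active
interface range TenGigabitEthernet1/0/2, TenGigabitEthernet2/0/2
 description to PA-passive AE1
 switchport mode trunk
 channel-group 20 mode active
!
! EtherChannel misconfiguration guard is on by default; keep it so a bundle
! whose members see different partners is shut down rather than left looping,
! and let such ports recover automatically after the cabling/config is fixed.
spanning-tree etherchannel guard misconfig
errdisable recovery cause channel-misconfig
errdisable recovery interval 300

# ---- PAN-OS CLI, configure mode, identical on both HA peers (constructed example) ----
# ae1 assumed to be a Layer 3 aggregate group; ethernet1/1 and ethernet1/2 are
# placeholder member names.
set network interface aggregate-ethernet ae1 layer3 lacp enable yes
set network interface aggregate-ethernet ae1 layer3 lacp mode active
# "Enable in HA Passive State" (LACP pre-negotiation) in the web UI
set network interface aggregate-ethernet ae1 layer3 lacp high-availability passive-pre-negotiation yes
set network interface ethernet ethernet1/1 aggregate-group ae1
set network interface ethernet ethernet1/2 aggregate-group ae1
commit
```

After committing, `show etherchannel summary` on the switch should list Po10 and Po20 each with two members in the bundled (P) state, and `show interfaces status err-disabled` should be empty; on the firewall, `show lacp aggregate-ethernet all` shows the LACP partner state per member. The point of the per-firewall grouping is that every member of a given port-channel now terminates on the same LACP partner, which is exactly the condition the EtherChannel guard checks; the original layout (one AE per firewall split across two different channel groups) violates it and is what can trigger the error-disable Pavel mentions.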