PA Active/Passive and Cisco stacking LACP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA Active/Passive and Cisco stacking LACP

L1 Bithead

hello,

 

we have setup Active/ Passive connected with cisco stacking 9500 with four links full-mesh as shown below:

 

Paloalto active:

PA(active)  AE1 ========= cisco-1 switch (Etherchanel 10)

PA(active)  AE1 ========= cisco-2 switch (Etherchanel 20)

 

Paloalto Passive:

PA(passive)  AE1 ========= cisco-1 switch (Etherchanel 10)

PA(passive)  AE1 ========= cisco-2 switch (Etherchanel 20)

=================================================

Is the connection and configuration is correct or i should create 2 channels from Paloalto side like this example?

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello @khaled.mohamed

 

to me this configuration does not look ideal.

 

You are having 2 ports on PA side in a single port channel group and on Cisco side each port is in different port channel group. With this configuration you might have an issue with Cisco's EtherChannel guard kicking in to take ports into error disabled state.

Personally I would configure port channel 10 to Active Firewall and port channel 20 to Passive Firewall.

 

Paloalto active:

PA(active) AE1 ========= cisco-1 switch (Etherchanel 10)

PA(active) AE1 ========= cisco-2 switch (Etherchanel 10)


Paloalto Passive:

PA(passive) AE1 ========= cisco-1 switch (Etherchanel 20)

PA(passive) AE1 ========= cisco-2 switch (Etherchanel 20)

 

Also, passive Firewall will have data plane interfaces down, so there will not be any passing traffic of this port channel until there is failover event.

 

Kind Regards

Pavel

   

Help the community: Like helpful comments and mark solutions.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello @khaled.mohamed

 

to me this configuration does not look ideal.

 

You are having 2 ports on PA side in a single port channel group and on Cisco side each port is in different port channel group. With this configuration you might have an issue with Cisco's EtherChannel guard kicking in to take ports into error disabled state.

Personally I would configure port channel 10 to Active Firewall and port channel 20 to Passive Firewall.

 

Paloalto active:

PA(active) AE1 ========= cisco-1 switch (Etherchanel 10)

PA(active) AE1 ========= cisco-2 switch (Etherchanel 10)


Paloalto Passive:

PA(passive) AE1 ========= cisco-1 switch (Etherchanel 20)

PA(passive) AE1 ========= cisco-2 switch (Etherchanel 20)

 

Also, passive Firewall will have data plane interfaces down, so there will not be any passing traffic of this port channel until there is failover event.

 

Kind Regards

Pavel

   

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Great,

For LACP should be active or Passive ?on cisco and PA,,,

 

Thank you,

Cyber Elite
Cyber Elite

Hello @khaled.mohamed

 

thank you for reply.

 

I would configure LACP active on PA as well as Cisco side. I would also recommend to enable the LACP pre-negotiation LACP and LLDP Pre-Negotiation for Active/Passive HA  by selecting check box under: LACP > High Availability Options > Enable in HA Passive State.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 906 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!