PA200 disaster recovery option...?


L2 Linker

Hi all --

 

I currently have one PA200 with all four eth ports taken (internal/trust network, internet/untrust, dmz, voip vlan), as well as the mgmt port connected to the internal network.  I'm looking to get a disaster recovery plan in place, but, as far as I understand (from about here to here |--| ), I would need one of the eth interfaces to connect to a second PA200 to utilize HA-Lite.  

 

Since I can't spare a port, would another option be to:  get a second PA200, import the current running config on the production PA, then just put the spare PA in the closet;  then if the production PA ever dies, just replace it with the spare PA and *poof* no one sees a difference?

 

Is that a sound plan?  I would think another benefit to this would be in case of a fire, etc, the spare PA could be stored in our other building.. but that could just be me trying to convince meself...  

Thoughts?

Thanks

-- michael~

1 ACCEPTED SOLUTION

I'm not certain of the physical limitation (if any) on the PA-200 with sub-interface limits, but technically you could collapse all interfaces into one interface with 4 sub-interfaces with that one interface on the network "trunked" with each VLAN allowed and use VLAN tagging in the PA-200 to separate out your traffic with each subinterface in its own Zone as necessary.

 

The cold spare would work, but you'll have to deal with moving licenses (if using any).  You also run the risk of config deviation if you just image that box from a given point in time.
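
One way to check a cold spare for the config deviation mentioned above, as an added example that is not part of the original post: diff an export of the production config against the one loaded on the spare. The XML samples and the `flatten`/`drift` helpers are constructed for illustration and simplified; they are not a real PAN-OS export.

```python
import xml.etree.ElementTree as ET

def flatten(xml_text):
    """Map each leaf element to path -> text. Elements with a name attribute
    are keyed by it, so reordered entries do not count as drift."""
    leaves = {}
    def walk(node, path):
        name = node.get("name")
        here = f"{path}/{node.tag}" + (f"[{name}]" if name else "")
        children = list(node)
        if not children:
            leaves[here] = (node.text or "").strip()
        for child in children:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return leaves

def drift(production_xml, spare_xml, ignore=()):
    """Return sorted (path, production_value, spare_value) differences;
    None means the path is absent on that side."""
    prod, spare = flatten(production_xml), flatten(spare_xml)
    return [(p, prod.get(p), spare.get(p))
            for p in sorted(prod.keys() | spare.keys())
            if prod.get(p) != spare.get(p) and not any(i in p for i in ignore)]

# Constructed, simplified samples (not a real PAN-OS export).
PRODUCTION = """<config>
  <system><hostname>pa200-prod</hostname></system>
  <interfaces>
    <entry name="ethernet1/1.10"><tag>10</tag><zone>trust</zone></entry>
    <entry name="ethernet1/1.100"><tag>100</tag><zone>voip</zone></entry>
  </interfaces>
  <rules>
    <entry name="dmz-in"><action>deny</action></entry>
    <entry name="guest-block"><action>deny</action></entry>
  </rules>
</config>"""
SPARE = """<config>
  <system><hostname>pa200-spare</hostname></system>
  <interfaces>
    <entry name="ethernet1/1.100"><tag>100</tag><zone>voip</zone></entry>
    <entry name="ethernet1/1.10"><tag>10</tag><zone>trust</zone></entry>
  </interfaces>
  <rules>
    <entry name="dmz-in"><action>allow</action></entry>
  </rules>
</config>"""

if __name__ == "__main__":
    for path, prod_value, spare_value in drift(PRODUCTION, SPARE, ignore=("/hostname",)):
        print(f"{path}: production={prod_value!r} spare={spare_value!r}")
```

Run it against a fresh production export each time the spare is re-imaged; an empty result means the spare matches apart from the ignored paths.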

7 REPLIES

Cyber Elite

Do you have a requirement for physical port separation?  Can you collapse ports into sub-interfaces, or would that violate some local policy/requirement you might have?

L5 Sessionator

I haven't played with subinterfaces before...  after a brief read, I'm guessing I could combine the trust (192.168.1.0/24) and the voip vlan (192.168.100.0/24) into the eth0 port, as long as the cxn from the switch is config'd as a trunk?  which would even save an additional switch port, yeah?

 

Sidenote: in case the boss does want the spare stored in another building, would the swap-out idea work as well?  

Thanks

Yes, you will get an extra port; both ideas will work. Make sure that in the second plan you do the cabling properly.

L2 Linker

Thank you, both..  I'll probably go with the cold-spare until I can figure out the sub-interface config.  These PA's are pretty neat!  Always learning...  😄
