01-20-2016 10:23 AM
Hi all --
I currently have one PA200 with all four eth ports taken (internal/trust network, internet/untrust, dmz, voip vlan), as well as the mgmt port connected to the internal network. I'm looking to get a disaster recovery plan in place, but, as far as I understand (from about here to here |--| ), I would need one of the eth interfaces to connect to a second PA200 to utilize HA-Lite.
Since I can't spare a port, would another option be to: get a second PA200, import the current running config on the production PA, then just put the spare PA in the closet; then if the production PA ever dies, just replace it with the spare PA and *poof* no one sees a difference?
Is that a sound plan? I would think another benefit to this would be in case of a fire, etc, the spare PA could be stored in our other building.. but that could just be me trying to convince meself...
Thoughts?
Thanks
-- michael~
01-20-2016 10:29 AM
Do you have a requirement for physical port separation? Can you collapse ports into sub-interfaces, or would that violate some local policy/requirement you might have?
01-20-2016 10:42 AM
You can bundle the interface if you can. Check the following document:
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/lacp-settings.html
To export and import the configuration refer to the following document:
Hope this helps!
01-20-2016 10:47 AM
I haven't played with subinterfaces before... after a brief read, I'm guessing I could combine the trust (192.168.1.0/24) and the voip vlan (192.168.100.0/24) into the eth0 port, as long as the cxn from the switch is config'd as a trunk? which would even save an additional switch port, yeah?
Sidenote: in case the boss does want the spare stored in another building, would the swap-out idea work as well?
Thanks
01-20-2016 10:55 AM
I'm not certain of the physical limitation (if any) on the PA-200 with sub-interface limits, but technically you could collapse all interfaces into one interface with 4 sub-interfaces with that one interface on the network "trunked" with each VLAN allowed and use VLAN tagging in the PA-200 to separate out your traffic with each subinterface in its own Zone as necessary.
The cold spare would work, but you'll have to deal with moving licenses (if using any). You also run the risk of config deviation if you just image that box from a given point in time.
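As an added illustration of the subinterface approach discussed above (not configuration from anyone in this thread), here is what collapsing the trust and voip networks onto one physical port looks like in PAN-OS set-command syntax, with the matching trunk on a Cisco IOS switch. Interface name ethernet1/1, VLAN IDs 10 and 100, the gateway addresses, the zone names, the virtual router name "default", the switch port name and the unused native VLAN 999 are all assumptions chosen for the example; substitute your own. The security rule at the end is there because each subinterface sits in its own zone, so traffic between trust and voip is interzone and is denied by the default rule until you allow it explicitly.

```text
# --- PA-200 (PAN-OS, configure mode) ---
# Parent port carries only tagged frames; it gets no IP of its own.
set network interface ethernet ethernet1/1 layer3

# One subinterface per VLAN, each tagged and addressed (assumed VLAN IDs/IPs)
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 tag 10
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 ip 192.168.1.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 tag 100
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 ip 192.168.100.1/24

# Each subinterface in its own zone (assumed zone names)
set zone trust network layer3 ethernet1/1.10
set zone voip network layer3 ethernet1/1.100

# Both subinterfaces must be attached to the virtual router to be routed
set network virtual-router default interface ethernet1/1.10
set network virtual-router default interface ethernet1/1.100

# Interzone traffic is denied by default; allow only what the phones need
# (example rule, application/service values are assumptions)
set rulebase security rules allow-trust-to-voip from trust to voip source any destination any application [ sip rtp ] service application-default action allow

commit

# --- Switch (Cisco IOS, assumed port name) ---
interface GigabitEthernet0/1
 description uplink to PA-200 ethernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 10,100
 switchport trunk native vlan 999
 spanning-tree portfast trunk
```

Two checks worth doing after commit: confirm both subinterfaces show up and are routed (`show interface ethernet1/1.10`, `show routing route`), and confirm that the trunk's native VLAN is one that is not in use anywhere, so that no untagged traffic can reach the parent interface and bypass the zone separation the subinterfaces give you. Pruning the allowed VLAN list on the switch side is what keeps other VLANs from being able to reach the firewall port at all.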
01-20-2016 11:01 AM
Yes, you will get an extra port; both ideas will work. Make sure that in the second plan you do the cabling properly.
01-20-2016 12:08 PM
Thank you, both.. I'll probably go with the cold-spare until I can figure out the sub-interface config. These PA's are pretty neat! Always learning... 😄