09-17-2015 11:27 AM
Hi Team,
I am after some guidance on how to deploy a pair of PA-3020s using vwire. Upstream connects to an ASA in L3 mode and downstream connects to a Nexus 5K.
Someone told me to plug PA01 into ASA01 and PA02 into ASA02, and likewise for the N5Ks. Is this the best way to do it? I thought it would be better to have some sort of switching device to have the connections coming into it.
Thank you
Bilal
09-18-2015 09:30 AM
Hello,
This is just my opinion, however I try to leave switches out of play since there can be issues with STP or loops. I try to stick with layer 3 and have a routing protocol handle the load.
Regards,
09-19-2015 08:55 AM
With your Palo Alto in v-wire mode, I would directly connect to the two ASA devices. This provides the simplest set of failover scenarios to plan for.
In this case you will need to be sure that your ASA cluster can detect a failure of your downstream Palo Alto and fail over to the secondary node.
If this is not easily done, then setting up VLANs for the upstream and downstream PA connections would be the best option. If you run the Palo Alto in active/passive mode you won't need to worry about STP, as the passive node's interfaces won't pass traffic. But if you do run active/active, then STP will need to be set up for all the links.
09-20-2015 11:30 PM - edited 09-20-2015 11:33 PM
Hey, nice to see a familiar name from the Juniper forums too 🙂
The problem with the ASAs is, let's say the upstream interface was to go down: the ASA would not reflect that on its other interfaces, but would keep them up and fail over. In this case, if we have our Palos running active/passive, they would not be aware of the failover between the ASAs. As a result, the passive Palo will be receiving the traffic. Active/active works fine in this scenario, but that does not fulfil the requirement for active/passive.
Hence please tell me what you think of this:
ASAs connected to a switch stack, configured as access ports in one single VLAN, and likewise the Palo Altos in this VLAN. Then downstream, the Palos go straight into the Nexus 5Ks. I won't have to worry about STP in this scenario.
In my mind this works, but obviously want your opinions too.
Thank you
Bilal
09-21-2015 10:13 AM
The PAN can perform path monitoring, so if it sees that it cannot reach an IP upstream of the ASA, it would also fail over.
09-21-2015 11:46 AM
Even when using vwire?
09-21-2015 11:59 AM
While I have never set up path monitoring for a vwire, there is an option to do so.
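As an added illustration (not part of the original thread, and not posted by any of its participants), the following PAN-OS CLI fragment shows what the path-monitoring option for a vwire looks like in an active/passive HA configuration, alongside link monitoring. It addresses the scenario Bilal raised: the ASA pair fails over but keeps its interfaces up, so link monitoring alone never triggers, whereas a ping sent through the vwire toward the ASA's active inside address stops getting answered once the directly attached ASA becomes standby. The vwire name (vwire1), interface names, link-group name and both IP addresses are assumptions, and the exact "set" syntax should be checked against the CLI reference for the PAN-OS version in use before committing.

```text
# Added example: HA monitoring for a vwire active/passive pair (PAN-OS CLI).
# Names, IPs and exact keyword syntax are assumptions; verify on the target PAN-OS release.

configure

# Link monitoring: fail over if either physical vwire member loses link
# (covers a cable or port failure, but not an ASA failover that keeps ports up).
set deviceconfig high-availability group monitoring link-monitoring enabled yes
set deviceconfig high-availability group monitoring link-monitoring failure-condition any
set deviceconfig high-availability group monitoring link-monitoring link-group vwire-links enabled yes
set deviceconfig high-availability group monitoring link-monitoring link-group vwire-links failure-condition any
set deviceconfig high-availability group monitoring link-monitoring link-group vwire-links interface [ ethernet1/1 ethernet1/2 ]

# Path monitoring on the vwire: the firewall sources pings from 10.0.0.254
# (assumed, unused on the segment) through the vwire to the ASA's active
# inside IP 10.0.0.1 (assumed). If the attached ASA is standby, no reply
# comes back on this node's upstream port and the HA group fails over.
set deviceconfig high-availability group monitoring path-monitoring enabled yes
set deviceconfig high-availability group monitoring path-monitoring failure-condition any
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire vwire1 enabled yes
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire vwire1 failure-condition any
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire vwire1 source-ip 10.0.0.254
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-wire vwire1 destination-ip 10.0.0.1

commit
```

Two points matter when choosing the addresses. The destination should be the ASA's shared active inside IP (or something only reachable through the active ASA), not the standby unit's own physical address, otherwise the standby still answers and the check never fails. The source IP must be one the ASA will route replies back toward through the same vwire, and it should not belong to any real host, since the firewall is spoofing it on a transparent segment. After the commit, `show high-availability path-monitoring` and `show high-availability link-monitoring` on each peer show whether the groups are up, and pulling the ASA pair over by hand (forcing an ASA failover while watching those outputs) is the only honest test of the design.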