Palo Alto Redundant interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Palo Alto Redundant interface

L2 Linker

Hi Guys,

 

i want to connect the Palo Alto in a cross connection to switches. In cisco there is something as Redundant interfaces (link http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/intrface.html#wp...

 

is something which like this feasible in PA firewall or something a solution for this scenario.

 

As per my understanding this has to be layer two interfaces  in both the ports for e1/4.XX and e1/5.XX and this mapped to VLAN SVI for XX ? but this will have a longer convergence time incase of the failover scenario.

 

connectivity.jpg

5 REPLIES 5

Cyber Elite
Cyber Elite

Hello,

I know that the newer OS allows for LAG, howeer I am not sure that is what you are looking for. I also foudn this, https://live.paloaltonetworks.com/t5/Discussions/Active-Pasive-HA-with-LAG-to-Virtual-Chassis-Droppe... I have also done this in the past but with my topology currently it creates too many layer 2 loops and throws spanning tree into a frenzy (so it doesnt work for me, but can work for you). Convergence times are what they are, I know that the better way would be to not use spanning tree (hard to tell if you are trying it this way) and go all out and use a layer 3 routing protocol.

 

Additional questions:

Are all the devices depicted under your administration, e.g. not an ISP?

Are the switches stacked?

 

Regards,

Hi,

this connects to ISP routers and i have a default route towards my hsrp vip of the router.

 

My worry is the failover scenario's and we want to have a redundant path to the secondary switch on top right. 

 

All the ports between PA and switch will be layer 2 interfaces so if we can have a redundant port solution that will be helpful.

 

Switch are not stacked they two seperate switches connected through trunk port.

If the switches are yours, then what I ahve done in the past is remove the secondary links you have, i.e. one link from each PAN to each switch. The trunk should allow a 'dog leg' to the router that is operational. I know in the past i ran into layer 2 issues and it didnt improve my situation but having the extra links. There are otherse that may have another opion and I do welcome them.

 

 Capture.JPG

Hi,

 

Yeah totally agree as fortinet/cisco has concept of redundant interfaces which solve this kind of connectivity and we dont have the same in PA so replacing those devices which straight through connectivity to one switch is just customer looks for multi device fail scenario's. Hence having multi-device scenario like PA secondary is dont for some reason and one switch which is connected to PA-Primary fails then the whole network is down. (thinking as devil as worst worst scenario i know its wont be this way but just worst come)

 

If we have a second link from PA primary to Secondary switch we will have a back up path and there is one more path hence network wont be down.

 

So we need to think over fail over and its resilency that whole network shouldnt be down at a given time.

Hello,

I think with path monitoring you wouldnt need those extra 'legs'. That way if an ISP router bites the dust, path monitoring will make sure you dont lose connections upstream.

 

Thats what I do, just one opinion, saves on ports if that is an issue as well.

 

Regards,

  • 6909 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!