Palo HA with LACP to Cisco Stack Switch

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Palo HA with LACP to Cisco Stack Switch

L1 Bithead

Hello Everyone,

 

Im trying to find a Palo KB that talks about recommended/best practise when setting up Palo HA with LACP to a stack switch (e.g. Cisco stack). 

 

Can anyone guide me on this ?

 

 

For some background, we are weighing the Pros and Cons for:-

option 1) to create one single lacp (eg 4 interface member) on the stack switch, but 2 interface goes to active fw and the other to the standby firewall. making a note that the switchports going to standy fw are set to be down to prevent traffic being forwarded via the standby fw.

 

option 2) create 2 lacp on the switch stack, where one lacp goes to active fw and another/different lacp goes to the standby fw.

 

Appreciate your feedback. Thanks !

 

 

7 REPLIES 7

Hi @adm2tech ,

I am curios how do you plan to achieve option 1? How do you plan to set interface to standby FW down and enable them in case of failover?

 

From personal experiance I would recommend to use second approach - two LACP to each FW member.

This will allow benefit from couple of feature that PAN provide you for faster failover:

- Keeping the physical interface on secondary device in up state while in passive mode (Configurable under HA  settings)

- Enable LACP in passive mode - allow standby member to establish LACP and maintain it established even in passive mode (configurable under AE interface)

 

The following KB mentioned the above config as best practise - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5ZCAS (briefly at the bottom of the page)

Hello Aleksandar,

 

Thanks for the feedback. Appreciate it !!

 

For option 1, apologies if i wasnt very clear. So the switch ports towards the standby palo will be showing as operationally down (administrively up) because the Passive Palo interfaces are down (which is configurable to behave the opposite which you already pointed out).

 

So in case of a fw failover, the previous passive firewall which had the down interfaces will transition the interface state to up. Thus on the switchport (2 out of 4 members of the same port channel) will transition to interface up as well.

 

Technically, option 1 may seem to work but it doesnt have those advantages you pointed out on option 2. 

 

Having said that, not sure what other downside that option 1 may bring.

 

Thoughts ? 

 

Thanks again

Hey @adm2tech ,

Transitioning from down to up state for the interface is big disadvantage, especially with LACP. First you need to wait for the physical layer consider interface connected and then wait for the LACP to negotiate.

 

I personally have always used auto for secondary member interface status when deploying HA and really haven't had a use case to require or to benefit from shutting down interfaces on passive member.

 

I cannot think of any other downside for option 1, but I don't see any benefit from it either.

Cyber Elite
Cyber Elite

Hello,

I have moved on from this type of configuration as it seems to burn up switch ports and not really provide its intended use as well as potentially creating further issues. Also my core switches are not stacked so it can cause routing issues with multiple legs.

OtakarKlier_0-1685639369610.png

Just my thoughts.

Hello @OtakarKlier ,

 

Thanks for sharing your thoughts along with the diagram which helps me visualize.

 

And from the situation/setup I've presented initially,  would you have preferred option 2 than option 1 ?

 

Cyber Elite
Cyber Elite

Hello,

I would go with opention2, lacp from each switch to each PAN.

Regards,

this is the only real way to configure LACP (by not really configuring it) when your switches are not stacked or not nexus, supporting LACP. I use this in several scenarios when the switches are lower-end models and "separate"

  • 5332 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!