- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-31-2023 01:34 AM
Hello Everyone,
Im trying to find a Palo KB that talks about recommended/best practise when setting up Palo HA with LACP to a stack switch (e.g. Cisco stack).
Can anyone guide me on this ?
For some background, we are weighing the Pros and Cons for:-
option 1) to create one single lacp (eg 4 interface member) on the stack switch, but 2 interface goes to active fw and the other to the standby firewall. making a note that the switchports going to standy fw are set to be down to prevent traffic being forwarded via the standby fw.
option 2) create 2 lacp on the switch stack, where one lacp goes to active fw and another/different lacp goes to the standby fw.
Appreciate your feedback. Thanks !
05-31-2023 05:21 AM
Hi @adm2tech ,
I am curios how do you plan to achieve option 1? How do you plan to set interface to standby FW down and enable them in case of failover?
From personal experiance I would recommend to use second approach - two LACP to each FW member.
This will allow benefit from couple of feature that PAN provide you for faster failover:
- Keeping the physical interface on secondary device in up state while in passive mode (Configurable under HA settings)
- Enable LACP in passive mode - allow standby member to establish LACP and maintain it established even in passive mode (configurable under AE interface)
The following KB mentioned the above config as best practise - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5ZCAS (briefly at the bottom of the page)
05-31-2023 07:56 AM
Hello Aleksandar,
Thanks for the feedback. Appreciate it !!
For option 1, apologies if i wasnt very clear. So the switch ports towards the standby palo will be showing as operationally down (administrively up) because the Passive Palo interfaces are down (which is configurable to behave the opposite which you already pointed out).
So in case of a fw failover, the previous passive firewall which had the down interfaces will transition the interface state to up. Thus on the switchport (2 out of 4 members of the same port channel) will transition to interface up as well.
Technically, option 1 may seem to work but it doesnt have those advantages you pointed out on option 2.
Having said that, not sure what other downside that option 1 may bring.
Thoughts ?
Thanks again
05-31-2023 12:56 PM
Hey @adm2tech ,
Transitioning from down to up state for the interface is big disadvantage, especially with LACP. First you need to wait for the physical layer consider interface connected and then wait for the LACP to negotiate.
I personally have always used auto for secondary member interface status when deploying HA and really haven't had a use case to require or to benefit from shutting down interfaces on passive member.
I cannot think of any other downside for option 1, but I don't see any benefit from it either.
06-01-2023 10:10 AM
Hello,
I have moved on from this type of configuration as it seems to burn up switch ports and not really provide its intended use as well as potentially creating further issues. Also my core switches are not stacked so it can cause routing issues with multiple legs.
Just my thoughts.
06-04-2023 06:23 PM
Hello @OtakarKlier ,
Thanks for sharing your thoughts along with the diagram which helps me visualize.
And from the situation/setup I've presented initially, would you have preferred option 2 than option 1 ?
06-06-2023 08:31 AM
Hello,
I would go with opention2, lacp from each switch to each PAN.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!