PANOS HA A/A; catch east/west traffic of multiple vlans

L3 Networker


Hi community,

See attached visio.

And supplied notes.


There is no reason this won't work?


The reasons for this are:

- Capture east/west 'inter-vlan' traffic that would normally be routed by the L3 switch carrying the SVIs, aka move the 'SVIs' up to the PAN. But that can't be done by a standard .1q trunk on an A/A setup, because A/A will not support L2 interfaces. So these L3 legs are created between switch and PAN.

- Floating IP with the 'bound to a/p' for manual preference of active during fail event (https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/use-case-configure...)

- Routing on switch side (wide mask to catch all vlans) to send next hop to floating IP on PAN

- Want PAN to receive traffic of L3 interface -> send through packet flow/processing -> and egress it out one of the two L3 interfaces bound back to switch/aka probably the same interface really.... with a similar route (wide mask), back to L3 IP address end of switch.

(Question: one interface is on one A/A member, one on the other. Is there anything I have to accommodate here? i.e. I would normally need routing to prefer a leg: floating static or dynamic (OSPF), with a similar route (wide mask).)


I get inter-vlan processing on PAN without needing to 'router on a stick' .1q backhaul all SVIs to PAN and maintain A/A.

That's the goal.


Thoughts?

PAN deployment.png


Accepted Solutions
L7 Applicator

Why is the deployment A/A? If there is no asymmetry, A/A has no real added value, and on A/P you can easily use L2 interfaces (and you won't need the HA3 link).


Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374


All Replies
L3 Networker

Done. A/P it is. :)

Thanks for the insights.
