Poor Man's HA

Not applicable

Greetings,

We have a single PA-500 which we will be putting guest (non-critical) internet traffic behind.  Currently it is patched in as such:

eth1/1: L3 - Trusted

eth1/2: L3 - Untrusted

Is there any way to leverage HA between interfaces on the same device?  The reason being that if one of the upstream switches fails, I'd like to not have to physically move cables to keep traffic "up".  For example, for redundancy purposes, we have two access switches that I could plug into on the Untrusted side - right now I'm only using one.

Hope that makes sense...

Thanks!

Message was edited by: msoldner

4 REPLIES

L3 Networker

I think Policy-Based Forwarding will do what you are looking for.

One thing to keep in mind: in the case of PBF, you will be able to monitor a layer 3 address. So to detect the switch failure you might have to monitor a layer 3 address on the switch. Hope that helps.

Not applicable

Can you use PBF with multiple interfaces on the same subnet?

EDIT:  To be more specific.

We have a single PA which both upstream and downstream has dual (redundant) access switches. I currently have a single uplink to one of the switches on both sides.  I'd like to have some redundancy so that if one of the two access switches dies, the PA can re-route traffic.  However, if I'm unable to put the interfaces on each side in separate subnets, is that possible?

So can I do the following:

Trusted:

e1/1 - 192.168.1.1/24 > access switch 1

e1/2 - 192.168.1.2/24 > access switch 2

Untrusted:

e1/3 - 192.168.2.1/24 > access switch 1

e1/4 - 192.168.2.2/24 > access switch 2

I'd like to have e1/1 and e1/3 track the IP on each of the access switches they are plugged into, and if that heartbeat goes away, it will fail over to the other link.

Thanks.

Message was edited by: msoldner

Hello

You still have a single point of failure, i.e. the single unit.
The above setup will provide redundancy with switch ports going down.
Policy-based forwarding can be an option but would lead to several complications in this case.


We do not support equal-cost multi-path routing. Hence the unit will not allow you to commit the configuration with overlapping subnets/IPs on the interfaces.

Hope this helps.
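The last reply says the unit will not commit overlapping subnets/IPs on its interfaces. The following Python script is an added example, not code from the thread or from Palo Alto Networks: it parses an addressing plan written in the poster's notation and lists the interface pairs that share address space. `parse_plan` and `find_overlaps` are hypothetical helper names, and the check is plain address arithmetic that does not model the firewall's own commit validation.

```python
import ipaddress
import re
from itertools import combinations

# Constructed input: the addressing plan proposed in the thread, kept in the
# same "interface - address/prefix > uplink" notation (irregular spacing included).
PROPOSED_PLAN = """\
e1/1 - 192.168.1.1 /24  > access switch 1
e1/2 - 192.168.1.2 /24 >  access switch 2
e1/3 - 192.168.2.1 /24 > access switch 1
e1/4 - 192.168.2.2/24 > access switch 2
"""

LINE_RE = re.compile(
    r"^\s*(?P<ifname>\S+)\s*-\s*(?P<addr>[\d.]+)\s*/\s*(?P<plen>\d+)"
    r"\s*>\s*(?P<uplink>.+?)\s*$"
)

def parse_plan(text):
    """Return a list of (interface name, IPv4Interface, uplink) tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised entry: {line!r}")
        # ip_interface() also rejects malformed addresses and prefix lengths.
        iface = ipaddress.ip_interface(f"{m['addr']}/{m['plen']}")
        entries.append((m["ifname"], iface, m["uplink"]))
    return entries

def find_overlaps(entries):
    """Return (if_a, if_b, reason) for every pair that shares address space."""
    conflicts = []
    for (name_a, if_a, _), (name_b, if_b, _) in combinations(entries, 2):
        if if_a.ip == if_b.ip:
            conflicts.append((name_a, name_b, f"duplicate address {if_a.ip}"))
        elif if_a.network.overlaps(if_b.network):
            conflicts.append(
                (name_a, name_b, f"{if_a.network} overlaps {if_b.network}"))
    return conflicts

if __name__ == "__main__":
    for a, b, why in find_overlaps(parse_plan(PROPOSED_PLAN)):
        print(f"{a} <-> {b}: {why}")
```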
