This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Poor Man's HA

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Poor Man's HA

mrsold
Not applicable

‎05-31-2011 12:09 PM

Greetings,

We have a single PA-500 which we will be putting guest (non-critical) internet traffic behind.  Currntly it is patched in as such:

eth1/1: L3 - Trusted

eth1/2: L3 - Untrusted

Is there anyway to leverage HA between interfaces on the same device?  Reason being is if one of the up-stream switches fails, I'd like to not have to physically move cables to keep traffic "up".  For example, for redundancy purposes, we have two access switches that I could plug into on the Untrusted side - right now I'm only using one.

Hope that makes sense...

Thanks!

Message was edited by: msoldner

0 Likes Likes
4 REPLIES 4

KGC
L3 Networker

‎05-31-2011 12:19 PM

I think Policy-Based Forwarding will do what you are looking for.

0 Likes Likes

mrajdev
L4 Transporter
In response to KGC

‎05-31-2011 04:53 PM

One thing to keep in mind in case of PBF you will be able to monitor a layer 3 address. So to detect the switch failure you might have to monitor a layer 3 address on the switch. Hope that helps. 

0 Likes Likes

mrsold
Not applicable

‎08-09-2011 06:45 AM

Can you use PBF with multiple interfaces on the same subnet?

EDIT:  To be more specific.

We have a single PA which both upstream and downstream have dual (redundand) access switches. I currently have a single uplink to one of the switches on both sides.  I'd like to have some redundancy so that if one of the two access switches dies, the PA can re-route traffic.  However, if I'm unable to put the interfaces on each side in separate subnets, is that possible?

So can I do the following:

Trusted:

e1/1 - 192.168.1.1 /24  > access switch 1

e1/2 - 192.168.1.2 /24 >  access switch 2

Untrusted:

e1/3 - 192.168.2.1 /24 > access switch 1

e1/4 - 192.168.2.2/24 > access switch 2

I'd like to have e1/1 and e1/3 track the ip on each of the access switches they are plugged into and if that heartbeat goes away, it will fail over to the other link.

Thanks.

Message was edited by: msoldner

0 Likes Likes

ukhapre
L3 Networker
In response to mrsold

‎08-18-2011 04:25 PM

Hello

You still have single point of failure i.e. single unit.
The above setup will provide reduandancy with switch ports going down.
Policy based forwarding can be an option but would lead to several complications in this case.


We do not support equal cost multi path routing. Hence unit will not allow commit the configuration with overlapping subnets/IPs to the interfaces.

Hope this helps.

0 Likes Likes
  • 2517 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks