Question about Active/Active HA with Layer 2 Interfaces

L1 Bithead

Hello,

I have read the Administrator's Guide and the Use Cases for Active/Active HA but just wanted to get some confirmation that I am understanding the requirements correctly. We have two identical Palo Alto firewalls that we want to set up HA with. We will be configuring a Layer 2 Aggregate Interface with subinterfaces and then connecting it to a Cisco switch. With this setup in mind, are we able to use Active/Active HA? I remember reading at one point that an Active/Active HA setup requires Layer 3 interfaces, but I'm not 100% sure.

Thanks!

All Replies
Cyber Elite

@ballen317,

If you're using Layer2 interfaces there should be no reason to utilize Active/Active HA. Why are you attempting to use Active/Active in this deployment? 

L1 Bithead

@BPry,

We have another network we are supporting that is configured with 2 active Cisco ASA firewalls in an HA cluster setup using Layer 2 interfaces (https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config...). I was trying to see if we can deploy a similar setup with the 2 Palo Alto firewalls we have in this network. The end goal is to achieve increased throughput and redundancy.

So is an Active/Active HA with Layer 2 interfaces allowed but not recommended? If so, what are the reasons that it is not a recommended deployment?

Thanks!

Cyber Elite

@ballen317,

Active/Active is only supported in TAP and Layer3 deployments. Active/Active configurations on PA gear aren't as simple and clear-cut as on your ASA, not by far. You would really need to design how you would actually implement this, and I can guarantee your deployment would change quite a bit.

The reason we say not to use Active/Active is that it really doesn't provide a performance increase applicable to the increased costs and complexity. Asynchronous routing is your exception to the rule here, and the other use cases where Active/Active would be called for are few and far between, and generally instances where you would be told to do so by your SE or IE (Sales Engineer or Integration Engineer).

Realistically, where on the ASA you saw a large performance gain for running Active/Active, you don't get those performance gains on a Layer7-aware NGFW. Max, you'll see a throughput increase of 20%. Any more than that and you've oversubscribed traffic if a failover did occur, and you've lost all benefit of deploying Active/Active anyway.

(Accepted Solution)

L1 Bithead

@BPry,

Thank you for your detailed response. That helps out a lot. We are not looking to change our deployment to a Layer 3 setup and since a Layer 2 deployment is not supported, that eliminates the need for our team to even consider Active/Active.


This is incorrect. Active/active is only supported in v-wire and layer3. 