I have a L3 deployment, and I need to support a link fail, Aggregate interface is not a solutions since QoS is not supported in aggregate interfaces, the firewall will be connected to the switch core but STP dont work in PA firewall. How can I get a redundant link maybe in physical layer with support for QoS?
thanks in advance
Even if PA on itself doesnt (yet?) support STP (spanning tree) - shouldnt a L2 interface still forward the STP-packets?
I mean if you setup int1 and int2 as L2 (on the PA), connect a vlan-interface to int1 and int2 (within PA) - then the switch which is connected in the other end (running STP) should be able to disable the interface who is causing the loop?
This is correct. I've had a chance to try this in the lab and it works well. In order to do this you'll need to use ports in Layer2 mode, and then use a VLAN interface for your routing. Physically, you'll be creating a loop in the network, but the switch(es) connecting into the Palo Alto Networks firewall will be running STP, and will prevent the loop from occuring.
Failover isn't the quickest @ 30-seconds, but it does work well.
See this thread:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!