This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

topology

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

topology

sib2017
L4 Transporter

‎01-27-2017 11:38 PM

Hi,

 

I have the below topology .

Planning to put  PA in vwire mode in betweent the asa and core in active standby.

If r1 fails and asa1 is active and asa2 is standby  ,asa2 will become active .

. Lets say pa1 is active and pa2 is standby .

When asa changes active standby order ,is it possible pa changes the same order as asa do .

 

Or what is the pros and cons in this design 

PA.png

 

 

Thanks

0 Likes Likes
8 REPLIES 8

Kashif.Kamal
L1 Bithead

‎01-28-2017 04:37 AM

Hi, 

 

   You can track the ASA-1 interfaces on PA-1, so when the ASA-1 failover it should shut down its interfaces connecting to PA-1 once the interfaces are down and you are tracking the Link monitoring in the PA-1. Then PA-1 will trigger the HA and if you have enabled the preempt on the PA-1 once the ASA-1 is back active the PA's will swap their roles.

 

 

0 Likes Likes

sib2017
L4 Transporter
In response to Kashif.Kamal

‎02-05-2017 12:48 AM

Hi,

Is there a good design  other than this 

Thanks

0 Likes Likes

RichColeman
L2 Linker
In response to sib2017

‎02-06-2017 05:52 AM

Apart from totally removing the ASA's, monitoring the path/link from the Palo's to ASA is about as good as it gets. Whats the business case for having the ASA's? if your just doing layer 1-4 on the ASA its pointless them being there.

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to RichColeman

‎02-06-2017 06:06 AM

you could create portchannels so the ASA's can fail over all they want without interfering with the Palo Alto Networks Firewall Cluster

 

portchannel2.png

with this design and the PANW in AP, one member of the aggregate will always be down and simply switch if one of the PANW were to fail, if the ASA fails, the second Aggregate will kick in (controlled by the switch and ASA) and the active PANW can remain active

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to reaper

‎02-06-2017 11:52 AM

I would follow the order that @reaper laid out; that would give you true redundancy and you don't at any one point in time have a single point of failure on your firewalls. The way that you are describing would work fine, but the thing to keep in mind is that while you technicially have a backup, you are counting on that PAN to funciton during the outage. If you lose that PAN for some reason at the same time you lost the router your network sounds like it's still going to go down. 

pulukas
L7 Applicator
In response to sib2017

‎02-08-2017 03:45 PM

Another option in this scenario is to make the PA cluster Active/Active instead of Active/Passive.  This way no matter what combination of device failures occur on either side you still have a traffic path with the PA devices.  and you don't need to track anything for failures.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

sib2017
L4 Transporter
In response to reaper

‎02-09-2017 07:30 AM

Hi,

 

You mean the port channel between core and asa ?

It means  one of the link will go through PA1 and another link PA2 ( eg: red) 

 

Thanks

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to sib2017

‎02-09-2017 08:25 AM

yes that's right, that way if ASA1 fails, PA1 does not need to fail: the portchannel will smply switch to the second link

also if PA1 fails, ASA1 does not need to fail

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 3500 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks