
Active/Passive connection with Cisco Stack switches


L1 Bithead

Hello

 

I would like to have confirmation. I need to connect my Palo Alto cluster firewall (active/passive) to a Cisco stack (with 2 members). 

If I want full redundancy, do I need to create, on each firewall, an aggregate with 2 interfaces, with each interface connected to a port on each Cisco member? Do you agree with my schema below?

 

JeromeC_0-1661760904358.png

BR

Jerome

5 REPLIES

Cyber Elite

Hello @JeromeC

 

This connection design is functional. Cisco switches in a stack act like a single switch, so on the switch side it is a cross-stack EtherChannel, and the Palo Alto firewall will see its AE as if it is connected to a single switch.

 

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.
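The switch side of the design described in the reply above, as an added example that is not part of the original thread or either vendor's documentation: one cross-stack EtherChannel per firewall, with one member port on each stack member. Interface numbers, port-channel IDs, descriptions, trunk mode and the use of LACP are assumptions.

```cisco
! Added example. All interface numbers, channel IDs and descriptions
! below are assumptions chosen for illustration.
!
! Firewall A aggregate: one link to stack member 1, one to stack member 2
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 description FW-A aggregate member (hypothetical)
 ! some platforms need "switchport trunk encapsulation dot1q" first
 switchport mode trunk
 ! "active" = LACP; assumes LACP is enabled on the firewall AE.
 ! Use "mode on" instead for a static bundle without LACP.
 channel-group 1 mode active
!
! Firewall B aggregate: a separate port-channel, again one link per member
interface range GigabitEthernet1/0/2 , GigabitEthernet2/0/2
 description FW-B aggregate member (hypothetical)
 switchport mode trunk
 channel-group 2 mode active
!
interface Port-channel1
 description To FW-A AE (hypothetical)
 switchport mode trunk
!
interface Port-channel2
 description To FW-B AE (hypothetical)
 switchport mode trunk
!
! Verify that both member ports of each bundle are up:
!   show etherchannel summary
```

With each bundle spread across both stack members, losing one stack member removes only one link from each firewall's aggregate.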

Hello

I'm not sure I understand. Is it not necessary to have one physical connection from the active FW to each Cisco member to keep the communication up even if the Cisco member where the physical cable is connected is down? Even in this case, will the communication between the firewall and the equipment connected to the stack continue to be OK?

 

BR

Cyber Elite

Hello,

Yes, this should work for you. It just could cause a delay in failing over, since the MAC of the firewall changes but the IP doesn't.

Regards,

L3 Networker

Yes, I have used this topology frequently when setting up new firewalls. On the firewall you will want to set up a link monitoring group and set failover to happen only when both links to the switches fail.

Hi, thanks for the info
So if I have an A/P Palo Alto setup, each firewall with a single down connection to the core switch cluster, do I need a link monitoring group or a port channel from each firewall to each core switch for that, or would a single link do, since the A/P firewalls and core switches are acting as one?
