07-20-2019 09:45 AM
I have two Palo Alto 5250s running in my core network as a core firewall for all campus and datacenter traffic. They are running active/active. I have layer 3 routing southbound to two Cat9500s not in VSS, so I am running HSRP on each 9500, alternating VLANs to utilize them both. All 4 units are running OSPF to advertise loopbacks, and iBGP is used to carry routes. The 9500s are set up for ECMP and so are the Palo Altos. I feel like there are some weird traffic issues with this. Should the Palo Altos even be set up with ECMP? If so, should I be using the symmetrical return option? Would having ECMP on the Cat9500s be enough to achieve load sharing/balancing over each layer 3 link to each Palo Alto? Each Cat9500 has a layer 3 link to each Palo Alto. And yes, before people tell me Active/Active is not a good idea, I can't see why not when my network is symmetrical.