Greetings Everyone,

I need some ideas / suggestions / thoughts on the following. For reference, I just attached a hand-drawn network diagram.

Just to provide a brief description, I have a network scenario that presently uses HSRP to maintain an Active/Passive configuration on the border Cisco FWSM firewalls. I will be replacing these FWSMs with Palo Altos in HA.

The ‘Inside’ subnet uses the subnet address 1.2.1.0/24 (on vlan 118) and there are layer 3 interfaces on A and B and the two Cisco FWSMs (which are hosted by A and B), although only B and A participate in HSRP to provide the active interface. As the only link between B and A (1/3 on each) carries the vlans used for the wireless network and none of the firewall vlans, the HSRP communication for the ‘Inside’ subnet is being achieved through the Cisco FWSMs. Referring back to the diagram, there is a link between D and C (which host the FWSMs) that carries all the firewall vlans, including vlan 118 on the inside subnet. This means that should there be a loss of either B or A, the remaining device will take the active address (1.2.1.1) and traffic from inside will continue to be forwarded to the gateway of last resort on the active FWSM (1.2.1.4).

Similarly, from the diagram, HSRP is used on the ‘Outside’ subnet (3.2.4.0/24) with the active interface shared between the two border routers. There is no link between the two border routers. Hence any HSRP communication between these two routers passes through the FWSMs in D and C.

My concern is, can this be achieved in an Active/Passive configuration on the Palo Altos? Will the PAs be able to maintain these ‘floating’ addresses if we move from HSRP to VRRP?

Any thoughts, suggestions, or ideas on how I can achieve the same level of resilience using a shared address with the Palo Altos would be appreciated.

Many thanks,
Kind regards,
Kalyan