interface failover on PA500

L1 Bithead

Since link aggregation (LACP or etherchannel) is only supported on PA4000++ I want to build a simple interface-failover / interface-group setup (like any other enterprise firewall allows even on low-end devices).

To do this I would do the following:

1. change interface mode to Layer2 on both interfaces making up the interface-group

2. create a layer2 subinterface each (with same id and vlan tag)

3. associate both to the same vlan

4. enable L3 forwarding on the vlan

5. create a vlan interface and assign it the IP the firewall (on its interface-group) should have

6. connect each port to a different switch

7. enable STP (on switch)

8. cross fingers

(with 2. only required when this is a trunk with multiple vlans)

It seems to work but is something like this supported?

1 REPLY

L7 Applicator

Had a quick chance to try this out in the lab.  Here's what I did:

1.) Created new VLAN

2.) Created new VLAN interface (with L3-forwarding enabled)

3.) Placed new VLAN interface into appropriate security zone (L3-Trust in my configuration)

4.) Assigned new VLAN interface an IP Address (192.168.1.1/24 in my config)

5.) Configured 2 firewall ports as "Layer 2" and placed them into the newly created VLAN from step #1

Commit

On the switch side, I created a vlan in a Brocade switch with 3 access ports.  I also enabled spanning-tree in this VLAN.  Of the 3 ports, 2 go to the firewall and one to a test laptop. 

In this configuration, everything works fine!  It takes 30-45 seconds to fail over, and about 15s to fail back - which is expected for standard spanning-tree behavior.

I don't see why this wouldn't work using sub-interfaces and vlan tags as well.  Same concept.  Don't see why it wouldn't be supported either.  As long as you have some sort of loop prevention technology running, it's a perfectly valid network design.  It's not optimal, and you could probably get better failover and worry less about spanning-tree if you had a pair of firewalls using Active/Passive High Availability. 
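To put numbers on the failover and failback times reported above, here is an added Python probe (not from the original thread) that pings the firewall's VLAN interface IP once per second and reports every gap of three or more consecutive failed probes. The target 192.168.1.1 is the address from the reply; the embedded SAMPLE trace is constructed to mimic a link pull followed by STP reconvergence.

```python
"""Measure how long the VLAN interface IP is unreachable during a link failover/failback."""
import subprocess
import time
from dataclasses import dataclass

TARGET = "192.168.1.1"   # VLAN interface IP from the reply above
PROBE_INTERVAL = 1.0     # seconds between pings
GAP_THRESHOLD = 3        # consecutive failed probes needed before we call it an outage


@dataclass
class Outage:
    start: float  # timestamp of the first failed probe
    end: float    # timestamp of the first successful probe afterwards

    @property
    def duration(self) -> float:
        return self.end - self.start


def find_outages(samples, threshold=GAP_THRESHOLD):
    """samples: list of (timestamp, reachable). Returns the outages that lasted >= threshold probes.
    Single lost pings are ignored; an outage still open at the end of the trace is not reported."""
    outages, run_start, run_len = [], None, 0
    for ts, ok in samples:
        if ok:
            if run_start is not None and run_len >= threshold:
                outages.append(Outage(run_start, ts))
            run_start, run_len = None, 0
        else:
            run_start = ts if run_start is None else run_start
            run_len += 1
    return outages


def ping_once(host, timeout=1):
    """One ICMP echo using the Linux ping CLI; True when a reply came back."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout), host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def probe(host, seconds, interval=PROBE_INTERVAL):
    """Probe host for the given number of seconds, returning (timestamp, reachable) samples."""
    samples, stop = [], time.monotonic() + seconds
    while time.monotonic() < stop:
        samples.append((time.monotonic(), ping_once(host)))
        time.sleep(interval)
    return samples


# Constructed trace: 1 s probes; link pulled at t=10, STP reconverges at t=47, failback blip t=100..115.
SAMPLE = [(float(t), not (10 <= t < 47 or 100 <= t < 115)) for t in range(130)]

if __name__ == "__main__":
    for o in find_outages(SAMPLE):   # swap in probe(TARGET, 180) to measure a real link pull
        print(f"unreachable for {o.duration:.0f}s starting at t={o.start:.0f}")
```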
