LACP configuration between Catalyst switch and PaloAlto Active-standby Firewalls

Rupesh1
Level 1

We want to connect two Palo Alto firewalls (an active-standby pair) to our Catalyst core switch. Each firewall's two ports will be connected to the Catalyst core switch.


Can we bundle all these 4 ports (2 from each firewall) in a single port channel? Note: at any given time only one firewall will be active and the other will be standby.


My concern is that if we bundle all 4 ports in a single port-channel, the Cisco Catalyst core switch may decide to send traffic to the ports connected to the standby firewall as per its load balancing algorithm. But I am not sure whether the core switch will ever send this traffic on the ports connected to the standby firewall or not, because the switch will be talking to the virtual IP address of the Palo Alto FW, which will always be with the active unit.


Can someone help me to understand how the Cisco port-channel will behave in this case?

5 Replies

Reza Sharifi
Hall of Fame

Hi,


Are the core switches in VSS mode or standalone?

What type of switches are they?

The port-channel will distribute traffic based on the hashing algorithm configured and send the traffic through multiple physical links.

Have a look at this link for more info:


https://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html


HTH

Core is a standalone switch.

So, in that case, you can simply use one physical link from each switch to each firewall. If you are using HSRP, I would connect the active switch to the active firewall and the standby switch to the passive firewall.


HTH

Core switch is a standalone 4500 series switch, and also 9300/9500 stacked together. We don't have VSS.

As per the document, the default load balancing algorithm is destination-based MAC address. So in my case it will be the MAC address of the virtual IP address of the firewall, which will be with the active firewall. So is it safe to assume that even if I bundle the ports of the active and standby firewall together, the Cisco switch will never send the traffic to the standby firewall (because the destination MAC address is fixed and with the active firewall) but will instead send it on the active firewall ports?

Yes, that should work as long as the active HSRP switch is pointing to the active firewall and the passive HSRP switch to the standby firewall.

Even if for whatever reason the traffic goes to the standby firewall, it will forward it to the active firewall for processing.


HTH 
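The exchange above turns on how a destination-MAC-based port-channel hash picks a member link. The following added example (not code from the thread, Cisco, or Palo Alto) models that selection for the four-port bundle the question describes, using a simplified low-order-bit hash, constructed interface names and a constructed virtual MAC; it shows that the member is picked from the MAC alone, so which HA peer is currently active never enters the calculation, and contrasts it with one bundle per firewall.

```python
"""Model of member-link selection in a Catalyst port-channel that uses
destination-MAC load balancing.  Constructed example: the hash is a
simplification (low-order bits of the last MAC octet index the member
list) standing in for the XOR-of-low-bits selection the linked Cisco
EtherChannel document describes.  The conclusion holds for any
per-destination hash: the role of the firewall behind a member link is
invisible to the switch's hashing."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    port: str      # switch-side interface (constructed names)
    firewall: str  # HA peer the cable terminates on


# The design asked about: 4 ports, 2 per firewall, one bundle.
SINGLE_BUNDLE = [
    Member("Gi1/0/1", "FW-A"), Member("Gi1/0/2", "FW-A"),
    Member("Gi1/0/3", "FW-B"), Member("Gi1/0/4", "FW-B"),
]

# Alternative: one port-channel per firewall.
PER_FW_BUNDLES = {
    "FW-A": [Member("Gi1/0/1", "FW-A"), Member("Gi1/0/2", "FW-A")],
    "FW-B": [Member("Gi1/0/3", "FW-B"), Member("Gi1/0/4", "FW-B")],
}


def dst_mac_hash(mac: str, n_members: int) -> int:
    """Simplified dst-mac hash: low-order bits of the last octet."""
    return int(mac.split(":")[-1], 16) % n_members


def select_member(mac: str, members: list[Member]) -> Member:
    """The single member that every frame to this destination MAC leaves on."""
    return members[dst_mac_hash(mac, len(members))]


def blackholed(mac: str, members: list[Member], active_fw: str) -> bool:
    """True when the hashed member lands on the peer that is not active.
    A standby peer in an active/passive pair does not process traffic,
    so frames hashed onto its links are lost rather than load-balanced."""
    return select_member(mac, members).firewall != active_fw


def select_per_fw(mac: str, active_fw: str) -> Member:
    """With separate bundles the virtual MAC is learned on the active peer's
    port-channel, so hashing can only choose a member on that peer."""
    return select_member(mac, PER_FW_BUNDLES[active_fw])


if __name__ == "__main__":
    VMAC = "02:aa:bb:cc:dd:03"  # constructed virtual MAC, not a real value
    for active in ("FW-A", "FW-B"):
        m = select_member(VMAC, SINGLE_BUNDLE)
        print(f"active={active}: {VMAC} -> {m.port} ({m.firewall}), "
              f"blackholed={blackholed(VMAC, SINGLE_BUNDLE, active)}")
```

Running it shows the same member chosen whichever peer is active: whether the bundle works is an accident of the MAC's low bits, and it flips on failover, whereas the per-firewall bundle always lands on the active peer.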
