Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9010
Views
5
Helpful
5
Replies

LACP configuration between Catalyst switch and PaloAlto Active-standby Firewalls

Rupesh1
Level 1
Level 1

‎12-16-2020 07:17 AM

We want to connect two PaloAlto Firewalls (Active-standby pair) to our Catalyst Core Switch. Each firewall's two port will be connecting to Catalyst Core switch.

 

Can we Bundle all these 4 port (2 from each Firewall) in single port channel. Note: At any given time only one Firewall will be active and other will be standby ?

 

My concern is if we bundle all 4 ports in single port-channel Cisco Catalyst Core switch may decide to send traffic to ports connected to Standby Firewall as per its load balancing algorithm. But I am not sure whether Core switch will ever be sending this traffic on ports connected to Standby firewall or not because switch will be talking to Virtual IP address of Palo Alto FW which always be with active unit.

 

Can someone help me to understand How Cisco Port-channel will be behaving in this case?

Labels:
0 Helpful
5 Replies 5

Reza Sharifi
Hall of Fame
Hall of Fame

‎12-16-2020 07:53 AM

Hi,

 

Are the core switches in VSS mode or standalone?

What type of switches are they?

The Portchannel will distribute traffic based on the hashing algorithm configured and sends the traffic through multiple physical links.

Have a look at this link for more info:

 

https://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html

 

HTH

0 Helpful

Rupesh1
Level 1
Level 1
In response to Reza Sharifi

‎12-16-2020 11:56 AM

Core is standalone switch.
0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to Rupesh1

‎12-16-2020 12:08 PM

So, in that case, you can simply use one physical link from each switch to each firewall. If you are using HSRP, I would connect the active switch to the active firewall and the standby switch to the passive firewall.

 

HTH

0 Helpful

Rupesh1
Level 1
Level 1
In response to Reza Sharifi

‎12-16-2020 12:18 PM

Core switch is standalone 4500 series switches and also 9300,9500 stacked
together. We don't have vss.

As per the document default load balancing algorithm is destination based
mac address. So in my case it will be mac address of virtual IP address of
firewall which will be with active firewall, so is it safe assume that
even if I bundle ports of active and standby firewall together, cisco
switch will never send the traffic to standby firewall (because
destination mac address is fix and with active firewall) but instead it
will send it on active firewall ports?

Reza Sharifi
Hall of Fame
Hall of Fame
In response to Rupesh1

‎12-16-2020 12:41 PM

Yes, that should work as long as the active HSRP switch is pointing to the active firewall and the passive HSRP switch to the standby firewall.

Even for whatever reason the traffic goes to the standby firewall, it will forward to the active firewall for processing.

Spoiler
 

HTH 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card