In the case of PA, it is not possible to configure Active/Standby for each vsys. In many vsys architectures where there are hundreds of vsys, is Active/Active more desirable?
In and by itself, I'd say no.
If a general network issue is severe enough to impact one vsys, it will impact all vsys, and the entire chassis should fail over to the secondary node.
The nuance is how the vsys correlate to your network surrounding the firewall.
Only if you go into the periphery where, for example, each vsys has its own upstream ISP or router as you mention, and only one uplink fails, will it be beneficial to 'float' the uplink to the A/A peer for that one tenant rather than failing over the whole chassis for all tenants.
If, on the other hand, all your vsys use the same infrastructure (same routers and switches, different VLANs), network errors will have a global impact and A/P will be the best solution.
I agree that having a lot of VM-50s with Panorama would simplify everything tremendously (but there is a cost associated with that).
I have several A/A clusters deployed for dynamic routing purposes, and if I were not dependent on an external party to dictate routing (BGP) and connectivity (VLAN stretching between data centers), I would most likely switch to A/P or individual VMs.
There's much more complexity when troubleshooting, and when different teams configure/troubleshoot/maintain the same system it becomes easy to make mistakes or waste time looking in the wrong place.
The question is not about resource efficiency. Is it possible that not being able to change Active/Standby on a per-vsys basis makes it more prone to 'networking' issues? If the answer is yes, then shouldn't it be designed to be Active/Active? This is what I mean. If there is an administrator or oncoming router for each vsys, then path monitoring should be done for each vsys. However, this will result in Active/Standby failover on all vsys, as an issue that occurs on one vsys will spill over to the whole. If there are hundreds of vsys, this issue seems to be negligible. Given that, it looks like it would be better if it was designed in Active/Active. Well, to be honest, for this kind of case, I think it would be easier to use Panorama to manage the VM-50 in a parallel configuration without using vsys. However, considering the handling of hypervisor and VM-Series licenses, and support for case openings, I think the PA-5260 with vsys is better. Do you have a similar experience?
Even with hundreds of vsys, A/A is not a more desirable config, as it does not add more resources, only more complexity. A/A should be considered for 'networking' issues (geo location, asymmetry, dynamic routing, ...) and not for scalability.
HA is a chassis operation, so in an A/P config the passive device is in a dormant but ready state. vsys live on top of that, so all will be active on the active unit.
Thank you very much, and I agree that it is true that failures rarely spill over and that it should be designed to prevent such problems from occurring.
People often tell me that Cisco could have done it. That said, Active/Active still seems over the top, as you say.
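Added example, not from any participant in this thread: a small Python model of the failure-domain argument made in the replies above. It encodes the two topologies discussed (all vsys behind the same routers vs. each vsys with its own upstream) and shows what a single uplink failure moves to the peer under A/P (chassis-wide, every vsys) versus A/A (only the tenant that lost its uplink). Tenant names, uplink names and the topologies are constructed for illustration and do not describe any real deployment.

```python
"""Failure-domain comparison for multi-vsys HA designs (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vsys:
    name: str
    uplinks: frozenset  # upstream devices this vsys depends on (assumed)


def affected_vsys(topology, failed_uplink):
    """vsys whose own path to the network is broken by this uplink failure."""
    return {v.name for v in topology if failed_uplink in v.uplinks}


def failover_impact(topology, failed_uplink, mode):
    """vsys actually moved to the HA peer after a path-monitor failure.

    active-passive: HA is a chassis operation, so if any vsys trips its
    path monitor the whole chassis fails over and every vsys moves.
    active-active:  only the tenant whose uplink failed floats to the peer.
    """
    affected = affected_vsys(topology, failed_uplink)
    if not affected:
        return set()
    if mode == "active-passive":
        return {v.name for v in topology}
    if mode == "active-active":
        return affected
    raise ValueError(f"unknown HA mode: {mode}")


def collateral(topology, failed_uplink, mode):
    """vsys moved even though their own uplinks were healthy."""
    return failover_impact(topology, failed_uplink, mode) - affected_vsys(
        topology, failed_uplink
    )


def recommend_mode(topology):
    """Apply the rule from the thread: if every uplink failure hits every
    vsys, A/P is sufficient; only uplinks private to a subset of tenants
    make a per-tenant A/A float worth its complexity."""
    all_links = set().union(*(v.uplinks for v in topology))
    total = len(topology)
    partial = sorted(
        link for link in all_links if len(affected_vsys(topology, link)) < total
    )
    return ("active-active", partial) if partial else ("active-passive", [])


# Constructed topologies: same three tenants, different upstream design.
SHARED_CORE = [  # all vsys on the same routers, different VLANs
    Vsys("tenant-a", frozenset({"core-rtr-1", "core-rtr-2"})),
    Vsys("tenant-b", frozenset({"core-rtr-1", "core-rtr-2"})),
    Vsys("tenant-c", frozenset({"core-rtr-1", "core-rtr-2"})),
]
DEDICATED_ISP = [  # each vsys has its own upstream ISP router
    Vsys("tenant-a", frozenset({"isp-a"})),
    Vsys("tenant-b", frozenset({"isp-b"})),
    Vsys("tenant-c", frozenset({"isp-c"})),
]


def report(topology, failed_uplink):
    """Summarise both HA modes for one failure; used by the demo below."""
    return {
        mode: {
            "moved": sorted(failover_impact(topology, failed_uplink, mode)),
            "collateral": sorted(collateral(topology, failed_uplink, mode)),
        }
        for mode in ("active-passive", "active-active")
    }


if __name__ == "__main__":
    for label, topo, link in (
        ("shared core, core-rtr-1 down", SHARED_CORE, "core-rtr-1"),
        ("dedicated ISPs, isp-b down", DEDICATED_ISP, "isp-b"),
    ):
        print(label, "->", recommend_mode(topo)[0])
        for mode, r in report(topo, link).items():
            print(f"  {mode:15} moved={r['moved']} collateral={r['collateral']}")
```

With the shared core, both modes move all three tenants and `recommend_mode` returns `active-passive`; with dedicated ISPs, A/P still moves all three on a single ISP failure (two of them as collateral) while A/A moves only `tenant-b`, so the helper recommends `active-active` and lists the tenant-private uplinks that drive that choice.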