Palo Alto Networks Knowledgebase: PAN-OS 7.1 L2 network protocol pre-negotiation for passive device

PAN-OS 7.1 L2 network protocol pre-negotiation for passive device

3922
Created On 07/18/19 19:26 PM - Last Updated 07/18/19 20:11 PM
Resolution

Customers with mission critical DCs require the ability to failover extremely quickly (sub 1 second) and have visibility of the passive firewall in A/P HA configurations when protocols such as LACP and LLDP are used.

 

This feature introduces a new option to allow the passive firewall to communicate with its neighboring device using specific L2 network protocols such as LACP and LLDP.

 

It will provide the ability to configure and allow pre-negotiation of the following network protocols on the DP interfaces:

  • LACP / LLDP are supported.
  • Passive member pre-negotiation must support L2, L3, Vwire interface modes.
  • Pre-negotiation is not supported on subinterfaces and tunnel interfaces.
  • Supported on PA-7000, PA-5000, and PA-3000 platforms.

 

For Vwire mode, 'pass-through mode' is also introduced for Ethernet.

  • Allow LACP and LLDP pre-negotiation (pass-through) to be enabled on Vwire Ethernet interfaces only.
  • This provides support for peer devices wanting to pre-negotiate LACP and LLDP through the passive firewall in Vwire mode.

In Vwire pass-through mode, LACP and LLDP must not be configured on the interfaces, as the peer devices will be negotiating these protocols through the Vwire.

  • In vwire mode, LACP is not supported. When enabling the feature, LACP 'pass through' the firewall.

In Vwire mode, LLDP has been supported since PAN-OS 7.0. While disabling LLDP and enabling the feature, LLDP 'pass through' the firewall.

  • LLDP pass-through in AE interfaces are not supported under Vwire mode (as AE interfaces cannot guarantee AE member 1:1 binding between ingress and egress interfaces, causing packets to come in one member and go out another member).

supported scenarios

Even for non-functional mode, the feature works.

  1. In an active-passive setup, suppose the passive device has a minor failure (such as a link monitoring failure), it will change to a non-functional state.
  2. Then if the active device has a major failure (such as DP restart) and becomes non-functional, then the peer device will move from non-functional to active state.

In this case, there is no intermediate passive state, but the feature is supported even in non-functional state. With the feature, L2 protocols are brought up faster when a device moves from non-functional to active state (that is, on failover).

 

Enable in HA Passive State

Enable in HA Passive State



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG5CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language