HA3 Link Connectivity Through a Layer 2 Switch?
Yes, the HA3 interface on an HA (High Availability) Active - Active setup can be connected through a Layer 2 switch between the HA pair. However, a switch supporting jumbo frame is required.
Note: Jumbo frame support does not explicitly need to be enabled on the Palo Alto Networks firewall, as the HA3 interface supports jumbo frames independently of the system configuration.
In a High Availability (HA) configuration, HA3 uses L2 between the firewalls. The firewall will add 18 bytes to the frame. Without support for jumbo frames, network traffic with frame size over 1514 may get dropped by the switch and the traffic will fail.
The 18 bytes that make up the total extra overhead consist of:
- 6 bytes for the dest mac of the peer HA3 port
- 6 bytes for the src mac of HA3 port
- 2 bytes for the protocol number
- 4 bytes for an essential private field