Palo Alto Networks Knowledgebase: HA3 Link Connectivity Through a Layer 2 Switch?

HA3 Link Connectivity Through a Layer 2 Switch?

4566
Created On 02/08/19 08:53 AM - Last Updated 02/20/19 19:28 PM
Mobile Network Infrastructure
Resolution

Overview

Yes, the HA3 interface on an HA (High Availability) Active - Active setup can be connected through a Layer 2 switch between the HA pair. However, a switch supporting jumbo frame is required.

Note: Jumbo frame support does not explicitly need to be enabled on the Palo Alto Networks firewall, as the HA3 interface supports jumbo frames independently of the system configuration.

Details

In a High Availability (HA) configuration, HA3 uses L2 between the firewalls. The firewall will add 18 bytes to the frame. Without support for jumbo frames, network traffic with frame size over 1514 may get dropped by the switch and the traffic will fail.

The 18 bytes that make up the total extra overhead consist of:

  • 6 bytes for the dest mac of the peer HA3 port
  • 6 bytes for the src mac of HA3 port
  • 2 bytes for the protocol number
  • 4 bytes for an essential private field

owner: ppatel



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKdCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language