Active/Active High Availability
PAN-EDU-205, PAN-OS 6.1, Rev B

Agenda
- Active-Passive HA Overview
- Active/Active HA Concepts
- Active/Active HA Deployment Options
- Configuring Active/Active HA

Active/Passive HA Overview
- If the Passive Device loses connection to the Active Device, it cannot distinguish between a down peer device and a communication problem
- If the Active Device loses connection to the Passive Device, the path and link monitoring will not be honored as the Active Device doesn't know that the peer will take over
[Diagram labels: HA1, HA2]

Active/Active HA Concepts

Active/Active HA Introduction
- Devices back each other, taking over primary ownership if the other one fails
- Both devices in the cluster are:
  - Actively processing and passing traffic
  - Load-sharing the traffic
- No increase in session capacity
- Not designed to increase throughput
- Virtual wire and layer 3 modes only

Active/Active HA Links
- Link to pass packets between Session Owner and Session Setup devices
- Data Plane link to Sync Active Sessions
- Control Plane link to Sync Configuration
[Diagram labels: Active Path, Active Path, HA1, HA2, HA3, Active-Primary, Active-Secondary]

Assigning Session Ownership for a New Session
- Packet arrives at one of the devices
- Receiving device has no session for the packet, and assumes ownership of the session
- Computed hash/modulo determines if the Session-Owner is responsible for the Session Setup
[Diagram label: Session Owner]

Assigning Session Setup for a New Session
- Packet arrives at one of the devices
- Receiving device has no session for the packet, and assumes ownership of the session
- Computed hash/modulo determines if Session Owner is responsible for Session Setup
- If not, Session Owner forwards packet to peer device over HA3 link
- Session is Setup and session info and packet are returned to Session Owner
- Session Owner forwards packet out appropriate interface
[Diagram labels: Session Owner, Session Setup]

Packet Flow in an Established Session
- Packet arrives at one of the devices
- Receiving device has session for the packet and owns the session
- Packet is processed and sent out via the appropriate egress interface
[Diagram label: Session Owner]

Asymmetric Flow in an Established Session
- Packet arrives at one of the devices
- Receiving device has a session for the packet but it is owned by the peer device
- Receiving device forwards the packet over the HA3 link to the owner for processing
- Owner processes the packet
- Packet is returned to receiver*
- Firewall forwards the packet out appropriate interface
*Virtual Wire deployments only
[Diagram label: Session Owner]

Active/Active HA Deployment Options

Deployment Topologies Overview
The design of the Active/Active HA deployment needs to address three main design considerations:
- Firewall addresses presented to the networks
- Firewall involvement in routing
- Achieving seamless failover
[Diagram labels: Intranet, Internet]

Virtual Wire Deployment
- No IP or MAC address on the up and down links
- Only basic HA configuration required
[Diagram labels: Intranet, Internet]

Floating IP Deployment
- Floating IP addresses and virtual MAC addresses move between devices on failover
- Supports VPN and NAT implementations
- Can use external load balancers to spread traffic across devices
[Diagram labels: eth1/1- 172.35.2.252, FIP-172.35.2.101; eth1/1- 172.35.2.253, FIP-172.35.2.100; dev-id 0, dev-id 1; HA1, HA2, HA3; host 172.35.2.4, GW: 172.35.2.101; host 172.35.2.3, GW: 172.35.2.100; FIP-172.35.2.100]

Floating IP Configuration
Device > High Availability > Active/Active Config
[Diagram labels: eth1/1- 172.35.2.252, FIP-172.35.2.101; eth1/1- 172.35.2.253, FIP-172.35.2.100; eth1/2- 10.1.1.253, FIP-10.1.1.100; eth1/2- 10.1.1.252, FIP-10.1.1.101; dev-id 0, dev-id 1; HA1, HA2, HA3; host 172.35.2.4, GW: 172.35.2.101; host 172.35.2.3, GW: 172.35.2.100]

ARP Load-Sharing Deployment
- A single IP address is shared between devices
- Unique MAC address for each interface supporting the shared IP address
- Devices respond to client ARP requests based on source IP address
- Requires a Layer 2 connection device
- If a router were here, ARP Load-Sharing would not work.
[Diagram labels: eth1/1- 172.35.2.252, 00:1B:17:00:AF:01; eth1/1- 172.35.2.253, 00:1B:17:00:8F:01; dev-id 0, dev-id 1; shared IP 172.35.2.101; HA1, HA2, HA3; host 172.35.2.4, GW: 172.35.2.101; host 172.35.2.3, GW: 172.35.2.101]

Combined Deployment
- Floating IP address and ARP Load-Sharing deployments can be combined in a single implementation
[Diagram labels: eth1/1- 172.35.2.252, 00:1B:17:00:AF:01; eth1/1- 172.35.2.253, 00:1B:17:00:8F:01; dev-id 0, dev-id 1; shared IP 172.35.2.101; 172.35.2.0/24, GW: 172.35.2.101; eth1/2- 10.1.1.253, FIP-10.1.1.100; eth1/2- 10.1.1.252, FIP-10.1.1.101; HA1, HA2, HA3; Internet]

Route Based Redundancy Deployment
- Leverages dynamic routing protocols for failover and load balancing
- All interfaces have unique, static IP address for use by the routing protocol
- VR sync must be disabled in the HA configuration
[Diagram labels: /28, /28, /28, /28, BGP]

Configuring Active/Active HA

Device and Group ID
Device > High Availability > General > Setup
- Uniquely identifies a Device within an HA Cluster

Election Settings
Device > High Availability > General > Election Settings
- Determines primary and secondary devices
- mended
- Must be enabled on both firewalls

HA1 Link Configuration
Device > High Availability > General > Control Link (HA1)
- Only encrypts HA1 link info

HA2 Link Configuration
Device > High Availability > General > Data Link (HA2)
- Required for stateful synchronization across HA2 link

HA3 Interface
Device > High Availability > Active/Active Config
- Forwards packets for Session Setup and Layer 7 processing
- Synchronizes Zones, Routing, and VR configuration if enabled
- If disabled, no virtual IP shared between firewalls

HA Virtual Addresses
Device > High Availability > Active/Active Config
- Two Types Available

Active/Activ
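
The session-ownership, session-setup and asymmetric-flow rules from the slides above, written as a small Python model that shows which packets cross the HA3 link. This is an added example, not Palo Alto Networks code: the Cluster class, the source-IP parity function standing in for "hash/modulo", the Layer 3 egress choice and the 10.1.1.7 address are assumptions made for illustration.

```python
# Added illustration (not vendor code): a toy model of the packet-path rules
# in the Session Owner / Session Setup slides for a two-device cluster.
import ipaddress

class Cluster:
    def __init__(self, virtual_wire=False):
        self.sessions = {}            # flow key -> dev-id of the Session Owner
        self.virtual_wire = virtual_wire

    @staticmethod
    def setup_device(src_ip):
        # ASSUMPTION: "hash/modulo" modelled as source-IP parity (dev-id 0 or 1).
        return int(ipaddress.ip_address(src_ip)) % 2

    def handle(self, rx_dev, src_ip, dst_ip):
        """Return the ordered steps taken for one packet arriving at rx_dev."""
        key = frozenset((src_ip, dst_ip))     # same session for both directions
        owner = self.sessions.get(key)
        if owner is None:                     # new session: receiver becomes owner
            self.sessions[key] = rx_dev
            steps = [f"dev{rx_dev}: assume ownership"]
            setup = self.setup_device(src_ip)
            if setup != rx_dev:               # setup is the peer's job: HA3 round trip
                steps += [f"dev{rx_dev}->dev{setup}: HA3 forward for setup",
                          f"dev{setup}->dev{rx_dev}: HA3 return session info + packet"]
            else:
                steps.append(f"dev{rx_dev}: session setup")
            return steps + [f"dev{rx_dev}: egress"]
        if owner == rx_dev:                   # established session, receiver owns it
            return [f"dev{rx_dev}: process", f"dev{rx_dev}: egress"]
        # established session, asymmetric: the peer owns it
        steps = [f"dev{rx_dev}->dev{owner}: HA3 forward to owner",
                 f"dev{owner}: process"]
        if self.virtual_wire:   # "returned to receiver" is virtual wire only
            return steps + [f"dev{owner}->dev{rx_dev}: HA3 return",
                            f"dev{rx_dev}: egress"]
        return steps + [f"dev{owner}: egress"]  # ASSUMPTION: owner egresses in Layer 3

def ha3_crossings(steps):
    """Count how many times the packet traversed the HA3 link."""
    return sum("HA3" in s for s in steps)

if __name__ == "__main__":
    vw = Cluster(virtual_wire=True)
    for rx, src, dst in [(0, "172.35.2.3", "10.1.1.7"),   # new session
                         (0, "172.35.2.3", "10.1.1.7"),   # established
                         (1, "10.1.1.7", "172.35.2.3")]:  # asymmetric return
        print(vw.handle(rx, src, dst))
```

Persistent asymmetric flows keep HA3 busy for every packet, which is why the deployment options that follow focus on how addresses and routing steer traffic to a consistent device.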