topic vm palo question on interfaces for esxi in General Topics

vm palo question on interfaces for esxi

geewiss — Tue, 30 Nov 2021 14:40:58 GMT

We have an exisiting vmware esxi environment that has 3 hosts with distributed switches configured.

Currently, each esxi host has 4 links (all trunks) going to the physical uplink switch.

We've installed a VM palo series firewall and have established managment connectivity to it via eth1/0 with no issues.

Now we are configuring sub interfaces on the vm palo and will point the vm's to it as their gateways. I think this part is working.

Where our issue is happening is on the uplink from the vm palo to the physical switch. I'm confused how this works as all the uplinks are trunks and I need to have the connection from the physical switch to the palo vm as a L3 link.

Could someone break this down for me? Does the questione even make sense?

More info

I have a SVI on the physical Cisco switch. 10.1.1.1/24

I configured eth1/1 on the vm palo as a L3 link as 10.1.1.2/24

I have sub interfaces 10.1.80.1/24 (vlan 80) and 10.1.90.1/24 (vlan90) created off of eth1/2 of the VM Palo and they will be gateways for the virtual machines.

The palo virtual router is set with a default router of 10.1.1.1 to the physical switch.

Honestly without any routing, I would think that I should be able to ping from the physical switch to the 10.1.1.2 as it should be directly connected but that's not working even with the management profile applied.

So confused!

Thanks in advance!!

Re: vm palo question on interfaces for esxi

geewiss — Fri, 26 Nov 2021 22:39:28 GMT

BTW, I do not have a license installed yet. Could that be the issue?

Re: vm palo question on interfaces for esxi

geewiss — Tue, 30 Nov 2021 14:13:51 GMT

Thought I'd try to draw this out. Attached is what I've come up with. Please let me know what you think and how off I am. Any/all feedback welcomed. Thank you!

Re: vm palo question on interfaces for esxi

SutareMayur — Tue, 30 Nov 2021 14:36:43 GMT

Hi @geewiss ,

I will ask you to verify below points.

1. Make sure the proper VLAN mapping (VLAN for subnet 10.1.1.0/24) is done on esxi side for the Palo Alto VM eth1/1 nic. If its not then you need to fix it.

2. Also you need to make sure VLAN for subnet 10.1.1.0/24 is flowed till the esxi. You need to verify your esxi physical connectivity and check if VLAN for subnet 10.1.1.0/24 is available.

Also in the attached diagram, I see you have configured VLAN20 for the palo alto eth1/1 but as per information given, VLAN 20 belongs to 10.1.20.1/24. So in this case, subnet 10.1.1.0/24 should have different vlan id. You need to verify this.

Re: vm palo question on interfaces for esxi

geewiss — Tue, 30 Nov 2021 14:44:45 GMT

1. Proper vlan maping is done on the esxi side. I think i'm good there.

2. Vlan is flowed till the esxi. Should be good there.

I fixed the original post. Vlan 20 is only on the physical switch to the external vds. Vlan 80,90 are on the interal vds with different id's.

I guess my real question is .....will the physical links work like this were I have access port and trunk ports terminated to the physical from the external vds?

Thanks for your help and clarification!

Re: vm palo question on interfaces for esxi

geewiss — Tue, 30 Nov 2021 20:05:16 GMT

I'm wondering if anyone has ever done a setup like this? Does it even make sense? 🙂

Re: vm palo question on interfaces for esxi

d.spider — Wed, 01 Dec 2021 04:34:15 GMT

License shouldn’t be the issue here.

Re: vm palo question on interfaces for esxi

SutareMayur — Wed, 01 Dec 2021 14:21:20 GMT

Hi @geewiss ,

If any of the palo alto interface is configured as a L3 sub-interface, then you need to configure neighboring device interface as a trunk then you can flow specific vlan traffic via that trunk port. If Palo Alto interface is configured as normal L3 interface then keeping neighboring device interface in access port should work.

Re: vm palo question on interfaces for esxi

geewiss — Thu, 02 Dec 2021 21:40:13 GMT

UPDATE

The key here was to make all 4 physical links from the ESXi host to the physical switch as trunks. Then to have the e1/1 interface on the palo configured in a port group that is "vlan trunking". Then to have a sub interface on the palo with tagging the vlan number. This seem to work.