https://live.paloaltonetworks.com/t5/general-topics/pa-vm-on-esxi-l2-topology-design-questions/m-p/15551#M11396 <HTML><HEAD></HEAD><BODY><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-weight: inherit; font-style: inherit; font-size: 10pt; font-family: inherit;">- Does the protected port group on the vSphere DSwitch have to be VLAN ID 8 as well, or can I just leave it as VLAN type "None"?</SPAN></P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-weight: inherit; font-style: inherit; font-size: 10pt; font-family: inherit;">Both sides will be none in your case.&nbsp; You only need to set tags if you have a Q tag port.&nbsp; In your design these are access ports so none is all you need to do.</SPAN></P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-weight: inherit; font-style: inherit; font-size: 10pt; font-family: inherit;"><BR /></SPAN></P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">- Is there anything extra I need to do to ensure that the HA pair will never accidentally create a loop between the two segments of the same network?</P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">No, the passive device keeps the traffic interfaces up but never passing traffic.&nbsp; The PA will not participate in STP at all so all you need to do is make sure the switching system never puts the active device into a blocking port.</P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">- Are there any other considerations I need to know about in a deployment like this?</P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I have not used the VMs for HA but I assume you still need the HA ports connected to communicate state tables and the like.&nbsp; I don't see that in your setup here.</P><P></P><P>your may find the example for layer 2 HA in the Design guide helpful starting on page 80</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-2561">Designing Networks with Palo Alto Networks Firewalls</A></P></BODY></HTML> Tue, 14 Jul 2015 12:10:57 GMT pulukas 2015-07-14T12:10:57Z https://live.paloaltonetworks.com/t5/general-topics/pa-vm-on-esxi-l2-topology-design-questions/m-p/15550#M11395 <HTML><HEAD></HEAD><BODY><P>I'm looking to deploy a pair of PA-VM 200s running 7.x on a vSphere 5.5 cluster and would like a sanity check on the design.</P><P></P><P>My client's network currently has one large VLAN that houses most of their servers.&nbsp; For the sake of this example, we'll say it's VLAN 8.&nbsp; There are servers on this network with varying degrees of importance, but among them are things like domain controllers and file servers.&nbsp; To increase security, we're looking to deploy an active/passive HA pair of PA-VM 200s running 7.x (for the real HA capabilities) in L2 mode so that we can move some of the more important VMs behind them and not have to renumber.&nbsp; <SPAN style="font-size: 10pt; line-height: 1.5em;">I'm assuming that the ethernet1/2 interfaces will also need to be assigned to VLAN 8 on the PA-VMs so that it knows to bridge the traffic.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">- Does the protected port group on the vSphere DSwitch have to be VLAN ID 8 as well, or can I just leave it as VLAN type "None"?<BR /></SPAN></P><P>- Is there anything extra I need to do to ensure that the HA pair will never accidentally create a loop between the two segments of the same network?</P><P>- Are there any other considerations I need to know about in a deployment like this?</P><P></P><P><IMG __jive_id="20329" alt="PA-VM Topology.png" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/20329_PA-VM Topology.png" style="height: 545px; width: 620px;" /></P><P></P><P>Thanks!</P></BODY></HTML> Mon, 13 Jul 2015 19:04:12 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-vm-on-esxi-l2-topology-design-questions/m-p/15550#M11395 bkeifer 2015-07-13T19:04:12Z https://live.paloaltonetworks.com/t5/general-topics/pa-vm-on-esxi-l2-topology-design-questions/m-p/15551#M11396 <HTML><HEAD></HEAD><BODY><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-weight: inherit; font-style: inherit; font-size: 10pt; font-family: inherit;">- Does the protected port group on the vSphere DSwitch have to be VLAN ID 8 as well, or can I just leave it as VLAN type "None"?</SPAN></P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-weight: inherit; font-style: inherit; font-size: 10pt; font-family: inherit;">Both sides will be none in your case.&nbsp; You only need to set tags if you have a Q tag port.&nbsp; In your design these are access ports so none is all you need to do.</SPAN></P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><SPAN style="font-weight: inherit; font-style: inherit; font-size: 10pt; font-family: inherit;"><BR /></SPAN></P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">- Is there anything extra I need to do to ensure that the HA pair will never accidentally create a loop between the two segments of the same network?</P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">No, the passive device keeps the traffic interfaces up but never passing traffic.&nbsp; The PA will not participate in STP at all so all you need to do is make sure the switching system never puts the active device into a blocking port.</P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">- Are there any other considerations I need to know about in a deployment like this?</P><P style="font-size: 13px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I have not used the VMs for HA but I assume you still need the HA ports connected to communicate state tables and the like.&nbsp; I don't see that in your setup here.</P><P></P><P>your may find the example for layer 2 HA in the Design guide helpful starting on page 80</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-2561">Designing Networks with Palo Alto Networks Firewalls</A></P></BODY></HTML> Tue, 14 Jul 2015 12:10:57 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-vm-on-esxi-l2-topology-design-questions/m-p/15551#M11396 pulukas 2015-07-14T12:10:57Z