topic Re: PA in VWire mode between trunked ports in General Topics

PA in VWire mode between trunked ports

kalyanram.piratla — Thu, 08 Nov 2012 11:25:19 GMT

Greetings,

Before, I get to the matter, I have browsed through the discussions and did find solutions. But I am unable to understand a few concepts.

I have a scenario where;

1. The present firewall is a virtual firewall hosted on an ESXi Server.

2. Links are from Core to the ESXi Server.

3. Two ports used on the ESXi Server are trunked ports.

4. The Palo Alto will have to be placed in-line between the Core and the ESXi Server.

I have 4 interfaces configured for VWire (2 for trust and 2 for untrust). Now, since the two ethernet cables are trunked, how can I get the Palo Alto to send traffic through. After reading a few documents on the portal, I understand that we can use "Tag" in the VWire profile.

This is where I am confused between tag / untagged and trunk ports.

What and how should I have to configure for PA to allow traffic to go through the ESXi server? Apologies, I know this is a very stupid question. Always learning though.

Any suggestions will be helpful.

Many Thanks

Kalyan

Re: PA in VWire mode between trunked ports

UhMayYeah — Fri, 09 Nov 2012 07:21:04 GMT

To allow specific VLAN tags, add that tag number under 'allowed tags' field in Vwire. For a trunk to be passed through, allow all tags '0-4094'. [Network>Virtual Wires>Click on desired Vwire> Tag Allowed>Type in 0-4094 to allow trunked traffic.

Ref:https://live.paloaltonetworks.com/docs/DOC-2729

-Ameya

Re: PA in VWire mode between trunked ports

msullivan — Fri, 09 Nov 2012 22:22:34 GMT

So if I understand, by trunked ports, you are talking about link aggregation right? So if ae1 faces the core and ae2 face the esx host, configure 2 ethernet interfaces per aggregate interface. Maybe like this?

set network interface ethernet ethernet1/4 aggregate-group ae1

set network interface ethernet ethernet1/4 link-speed auto

set network interface ethernet ethernet1/4 link-duplex auto

set network interface ethernet ethernet1/4 link-state auto

set network interface ethernet ethernet1/5 aggregate-group ae1

set network interface ethernet ethernet1/5 link-speed auto

set network interface ethernet ethernet1/5 link-duplex auto

set network interface ethernet ethernet1/5 link-state auto

set network interface ethernet ethernet1/6 aggregate-group ae2

set network interface ethernet ethernet1/6 link-speed auto

set network interface ethernet ethernet1/6 link-duplex auto

set network interface ethernet ethernet1/6 link-state auto

set network interface ethernet ethernet1/7 aggregate-group ae2

set network interface ethernet ethernet1/7 link-speed auto

set network interface ethernet ethernet1/7 link-duplex auto

set network interface ethernet ethernet1/7 link-state auto

Then set up the ae interfaces:

set network interface aggregate-ethernet ae1 comment in

set network interface aggregate-ethernet ae1 virtual-wire

set network interface aggregate-ethernet ae2 comment out

set network interface aggregate-ethernet ae2 virtual-wire

Zones... however makes sense.

set zone trust network virtual-wire ae1

set zone untrust network virtual-wire ae2

Then set what vlans you want to carry on the virtual wire:

set network virtual-wire vw-esx multicast-firewalling enable no

set network virtual-wire vw-esx link-state-pass-through enable yes

set network virtual-wire vw-esx tag-allowed 10,20,30

set network virtual-wire vw-esx interface1 ae1

set network virtual-wire vw-esx interface2 ae2

Good luck,

Mike

Re: PA in VWire mode between trunked ports

kalyanram.piratla — Mon, 12 Nov 2012 09:38:15 GMT

Ameya - This does not help mate.. since it is link aggregration.

Mike - I will be testing your suggestion shortly. Hopefully it works.

Cheers..

Re: PA in VWire mode between trunked ports

kalyanram.piratla — Mon, 12 Nov 2012 11:19:26 GMT

It completely slipped out my mind. I am using a PA-500 and link aggregation is not supported on the PA-500 unless I upgrade to version 5.0. My BAD...!!!

Am I correct in thinking that Link aggregation is supported on the PA-500 in version 5.0..??

Re: PA in VWire mode between trunked ports

mikand — Mon, 12 Nov 2012 17:24:04 GMT

At least according to the release notes for 5.0.0 (regarding new networking features):

Link Aggregation – The PA-500 and PA-2000 Series devices now support link aggregation. Note that link aggregation on virtual wire interfaces is not supported on the PA-2000 Series due to a hardware limitation. By assigning common ingress and common egress zones, two or more virtual wires may still be used on the PA-2000 Series in environments where adjacent devices are performing link aggregation.

Re: PA in VWire mode between trunked ports

kalyanram.piratla — Tue, 13 Nov 2012 17:04:20 GMT

True.. I read it as well. But was unsure on should I proceed in doing this or not by upgrading to v5 as the palo alto will be sitting in-line in virtual wire mode.

Re: PA in VWire mode between trunked ports

emr_1 — Wed, 14 Nov 2012 04:13:59 GMT

How about this one:

Cisco Link Aggregation Traffic Through a PAN Device

Make sure you configure exactly same zone in two vwires.