topic Re: Has anyone had success using Cisco Systems' Private VLANs and Palo Alto firewalls? in General Topics

Has anyone had success using Cisco Systems' Private VLANs and Palo Alto firewalls?

girvin — Tue, 10 Mar 2015 14:58:23 GMT

We have considered the benefits of Cisco Systems' Private VLANs (RFC 5517 - Cisco Systems)and taken a stab at implemented a test. the idea is that 192.168.2.100 and 192.168.2.101 are in separate private vlans, but may need to talk to each other and we would like the PA firewall to govern that communication

Re: Has anyone had success using Cisco Systems' Private VLANs and Palo Alto firewalls?

vcappuccio — Tue, 10 Mar 2015 18:16:42 GMT

Hi Girvin,

Is just another Vlan from our point of view. the link you provide mentions:

Such a mechanism allows end devices to share the same IP subnet while

being Layer 2 isolated, which in turn allows network designers to

employ larger subnets and so reduce the address management overhead.

Connecting the firewall on (2) L3 interfaces, assuming that the private promiscuous port does not accept trunking. the firewall could route between those 2 subnet and performing your security operations.

If the other device supports trunking of primary vlan over the trunk port, then our device just need to have that interface as l2 with appropriate vlan tag and route on L3 Assigned to Vlans.

In other words, the isolated and/or community vlans are just mapping of the primary Vlan and on the uplink port to the Firewall will be set to promiscuous mode, with the primary VLAN mapped to the secondary VLAN.

Thank you

Victor

Re: Has anyone had success using Cisco Systems' Private VLANs and Palo Alto firewalls?

android4255 — Mon, 13 Apr 2015 20:18:57 GMT

I have been successful in deploying this type of setup and communicating between secondary vlans that were associated with different primaries. What girvin is talking about is something I was trying to accomplish as well and was unsuccessful. I wanted to have 2 secondary vlans associated to the same primary and regulate communication between the two. The issue seems to be something to how the Palo Alto responds to proxy arp or lack thereof. My setup was like this:

Cisco Nexus:

interface e1/1

promiscuous trunk with correct mappings

PAN:

int e1/1 (tried with aggregate ethernet as well) > layer 2 > associate to a vlan I called vlan-bridge

int e1/1.100 > layer 2 > Tag 100 > vlan vlan.100 --> vlan.100 was then assigned an IP address.

Now that I think about it, the physical and subinterfaces were in the same security zone. I ran out of time and had to go a different route. I wonder if having them in different security zones would be the issue?

If anyone out there has some insight, please share.