topic Re: Best practice for Palo Alto Uplink in General Topics

Best practice for Palo Alto Uplink

poekbradley — Tue, 28 Aug 2018 14:16:21 GMT

We are looking to deploy our new boxes (PA-3220) in HA in the next few weeks. We are trying to go with best practice methods.

Currently, we have an Layer 2 ae interface that has multiple subinterfaces. Each subinterface is tagged with a Layer 3 SVI. The VLAN interfaces are IP'd and added to the Virtual Router.

Example -

Ethernet Tab:

Interface IP Address Tag VLAN Security Zone

ae2 none Untagged INTERNAL none

ae2.501 none 501 INTERNAL none

ae2.502 none 502 DMZ1 none

ae2.503 none 503 DMZ2 none

ae2.504 none 504 DMZ3 none

VLAN Tab:

Interface IP Address Virtural Router Tag VLAN Security Zone

vlan none none

vlan.501 10.1.1.1/24 VR1 Untagged INTERNAL INTERNAL

vlan.502 172.16.1.1/24 VR1 Untagged DMZ1 DMZ1

vlan.503 192.168.1.1/24 VR1 Untagged DMZ2 DMZ2

vlan.504 172.17.1.1/24 VR1 Untagged DMZ3 DMZ3

My question is, should we have the above setup or should we just have the ae interface as layer 3 with subinterfaces and tagged VLANs across that interface?

Thank you for your insight.

Re: Best practice for Palo Alto Uplink

OtakarKlier — Tue, 28 Aug 2018 16:45:37 GMT

Hello,

This is something I have put a lot of thought into as well. In my experience it took a bit more time to setup the way you are doing it, but in the long run it was the correct choice for my deployments. What it gives you is a lot more flexibility in the future if you want to change things, I think.

The way you have it outlined is how I would deploy as well.

Hope that helps.

Re: Best practice for Palo Alto Uplink

BPry — Wed, 29 Aug 2018 00:15:42 GMT

@poekbradley,

I'll agree with @OtakarKlier and say that the way you want to go is the proper setup for most deployments. I've seen a lot of people start with a layer-3 interface and just route all outside traffic to the firewall; they then either switch things around with a major re-architecture to get to what you are describing here or they'll break things off via VRF and more layer3 interfaces.

Starting off with a layer2 interface and simply using subinterfaes to terminate the VLANs is simply just going to be better, and provide more flexibility going forward as far as adding VLANs or making other changes go.