<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PVLAN with Palo Alto? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242727#M69417</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;You are correct on burning IPs by subnetting. I think it's a good question to reach out to your SE to see what they suggest. I'd be interested in the answer myself.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
    <pubDate>Mon, 10 Dec 2018 16:31:22 GMT</pubDate>
    <dc:creator>OtakarKlier</dc:creator>
    <dc:date>2018-12-10T16:31:22Z</dc:date>
    <item>
      <title>PVLAN with Palo Alto?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242629#M69390</link>
      <description>&lt;P&gt;I'm looking at doing some re-design for our DC networks and wanted to investigate some further segmentation.&amp;nbsp; Since we aren't really large enough for NSX or ACI I wanted to look at PVLAN.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've got some Nexus9K switches with Layer 3 licensing in HA and had originally thought to use them as the gateway for the DC networks.&amp;nbsp; Now though I'm wondering if it wouldn't be just as easy to keep them strictly as Layer 2 and use the Palo Alto A/S HA as the Layer 3 gateway.&amp;nbsp; What I'm not sure on is whether I can do this with a PVLAN configuration.&amp;nbsp; My research on the Cisco whitepaper for PVLAN indicates the container VLAN and all of the isolated/community/etc. VLANs have to be tagged to the device with the PVLAN gateway.&amp;nbsp; If that is the case, how do I tell my PAN boxes to treat those as PVLAN and not require an interface or subinterface with IP for anything but the container VLAN?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Sun, 09 Dec 2018 04:43:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242629#M69390</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2018-12-09T04:43:50Z</dc:date>
    </item>
    <item>
      <title>Re: PVLAN with Palo Alto?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242680#M69399</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/39461"&gt;@jsalmans&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Are your switches licensed to do VRFs? That might be an easier setup than what you are proposing here while keeping everything isolated.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 10 Dec 2018 04:00:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242680#M69399</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2018-12-10T04:00:30Z</dc:date>
    </item>
    <item>
      <title>Re: PVLAN with Palo Alto?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242685#M69404</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&lt;/P&gt;&lt;P&gt;VRFs are possible and may be an option but I would imagine I'd need to create one per server for true DC host isolation.&amp;nbsp; PVLANs seem much easier to scale since it seems to mostly be a one-and-done configuration on the Layer 2 side.&lt;/P&gt;</description>
      <pubDate>Mon, 10 Dec 2018 06:08:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242685#M69404</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2018-12-10T06:08:03Z</dc:date>
    </item>
    <item>
      <title>Re: PVLAN with Palo Alto?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242724#M69415</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I have also worked with this hardware in the past and here is what we did. We created a zone and assigned a subnet to it, 192.168.0.0/24. We then carved up the subnet into /29s but kept them in the same zone. Since we have a DENY ALL policy at the bottom of our list prior to the intra-zone policy, unless we explicitly allow the traffic between two /29s in the same zone, all traffic is blocked. We found this to be easier than the PVLAN option with similar results.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We wanted as close to a zero trust scenario as possible and this was the best one we came up with. All traffic into and out of the zone /29 is inspected and monitored, and the 9Ks only trunk up to the PAN.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Please let me know if you would like additional details.&lt;/P&gt;</description>
      <pubDate>Mon, 10 Dec 2018 15:55:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242724#M69415</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2018-12-10T15:55:31Z</dc:date>
    </item>
    <item>
      <title>Re: PVLAN with Palo Alto?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242725#M69416</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580"&gt;@OtakarKlier&lt;/a&gt;&amp;nbsp;thanks for the reply.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I believe that still burns some extra IP addresses... not a big deal on privates but some of these networks may end up on publics.&amp;nbsp; I did see another way to do something like that... OVH has an article on how to configure hosts on their network using network bridging.&amp;nbsp; It looks like they have you assign /32 addresses to each host and the gateway exists outside of that subnet, so you have to create a static route for it.&amp;nbsp; I wasn't crazy about that solution because it requires extra config on the hosts.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I also found this but I'm not clear from the replies if someone got it to work or not:&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/General-Topics/Has-anyone-had-success-using-Cisco-Systems-Private-VLANs-and/m-p/30641#M22429" target="_self"&gt;https://live.paloaltonetworks.com/t5/General-Topics/Has-anyone-had-success-using-Cisco-Systems-Private-VLANs-and/m-p/30641#M22429&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If PVLAN won't work directly on the firewall, my fallback option is to put the SVIs on our Nexus9K and then use policy-based routing to push the traffic the rest of the way to the firewall.&amp;nbsp; It's an extra hop, but the Cisco equipment can handle the traffic isolation and push the traffic to the firewall when it receives it.&lt;/P&gt;</description>
      <pubDate>Mon, 10 Dec 2018 16:23:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242725#M69416</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2018-12-10T16:23:51Z</dc:date>
    </item>
    <item>
      <title>Re: PVLAN with Palo Alto?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242727#M69417</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;You are correct on burning IPs by subnetting. I think it's a good question to reach out to your SE to see what they suggest. I'd be interested in the answer myself.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Mon, 10 Dec 2018 16:31:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pvlan-with-palo-alto/m-p/242727#M69417</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2018-12-10T16:31:22Z</dc:date>
    </item>
  </channel>
</rss>