topic Re: Data center firewall design? in General Topics

Data center firewall design?

Tician — Mon, 09 Sep 2013 10:27:58 GMT

Hi All,

I have couple question in mind when I’m think about implementation PAN firewalls in Data center design. In reviewing design guide “Designing Networks with Palo Alto Networks Firewalls”, mostly where described perimeter firewall with upstream untrusted networks, exceptionally where we got hierarchical design with trunks between aggregation and core. But in most used scenarios by this guide, I cannot find such scenario, where is implemented aggregation and core in one layer.

Example: One customer has two L2/L3 switches with implemented VRRP, which is access, aggregation and core in same time. Clients, servers and others, are divided into VLAN’s and they are terminated on L3 within same switches.

Questions:

In such design, is there possible to implement PAN and secure communication between VLAN’s, or redesign is needed?

If such design is supported, can you provide some configuration example?

Thanks,

SBS

Re: Data center firewall design?

UhMayYeah — Mon, 09 Sep 2013 12:44:42 GMT

For VLANs behind L2 switch you can set up PA firewall as a Router on a stick.

Not sure how PA could play a role in securing inter-VLAN traffic for the VLANs terminated on the L3 Switch.

Following References can be helpful.

Securing Inter VLAN Traffic

Layer 2 Networking

Re: Data center firewall design?

Phoenix — Mon, 09 Sep 2013 15:24:13 GMT

Hello Tician,

Apart from the tech knowledge shared by akawimandan, in regards to design questions our SE's should be glad to share your concerns and suggest you design.

Thanks

Re: Data center firewall design?

craymond — Mon, 09 Sep 2013 19:16:58 GMT

I think you need to readmit the questions that you need answered.

If all you want to know is if the PAN can be used as the L3 Gateway for your VLANs, the answer is yes.

Using the PAN for several VLANs as their gateway, and create security zones between VLAN segments is a very simple setup:

1. Add L3 "sub-interface" on the PAN in Network

2. Assign it the interface and assign a tag

3. Give it an ip address the the VLAN will be using as a gateway

4. Assign it a zone

5. create your policies

If you are asking how would create a setup like VRRP, I believe you are asking about how to do an HA Active/Active setup, or if you are asking if VRRP works with PAN firewalls, I don't think it will.

If you are trying to achieve redundancy between 2 switches and the PAN, you might look at LAG/MLAG between the switches and the PAN firewall.

Re: Data center firewall design?

nayubi — Mon, 09 Sep 2013 20:52:02 GMT

The pan does not support the protocol VRRP as stated above. However it can pass that traffic as well as it has its own redundancy protocol High Availability. You can follow these doc's and video that will give you more information. I

https://live.paloaltonetworks.com/docs/DOC-2926

https://live.paloaltonetworks.com/videos/1173

As far as design you can create aggregate links and add vlans with tags to separate the traffic. Or you can set the pan up as a pass through with just tagged ports. You will also need to keep in consideration if nat needs to be implemented on the pan or if it is happening some where else on the network. You should consult your SE to help with design if you have any doubts.

Re: Data center firewall design?

jvalentine — Tue, 10 Sep 2013 01:35:38 GMT

Router on a stick is definitely preferred if you can make it happen!

However, I have seen some environments where the requirement was to keep the router interfaces on the L3 switch while still firewalling inter-VLAN traffic. Additionally, due to the # of edge switches & connections, it was not feasible to place the Palo Alto Networks firewall physically in-line. It is possible to logically insert a firewall into an environment like this as an L2-firewall "on a stick", but it requires some "creative" VLAN configuration.

Let's say you have 2 servers, 2 vlans, and an L3 switch routing between those VLANs like this:

server1 --- (vlan10) --- L3 Switch --- (vlan20) --- server2

The relevant parts of a Cisco L3 switch configuration would look something like this:

vlan 10

vlan 20

int gi1/0/1

desc "connection to server 1"

switchport

switchport mode access

switchport access vlan 10

no shut

int gi1/0/2

desc "connection to server 2"

switchport

switchport mode access

switchport access vlan 20

no shut

interface vlan10

ip address 10.1.10.1 255.255.255.0

interface vlan20

ip address 10.1.20.1 255.255.255.0

In order to do "layer-2" firewalling on a stick, you need to move the IP address for VLAN10 out of VLAN10 and into a different VLAN (we'll use VLAN110 in this example). Same thing for VLAN20, move the IP address out of that VLAN and into VLAN120. We then configure the Palo Alto Networks firewall to do L2 bridging (aka VLAN tag re-write) between VLAN10 and VLAN110, and between VLAN20 and VLAN120. That's pretty easy to do on the Firewall side of things. If you have trouble figuring that part out, let us know.

The Cisco L3 switch configuration will change to look like this:

vlan 10

vlan 20

vlan 110

vlan 120

int gi1/0/1

desc "connection to server 1"

switchport

switchport mode access

switchport access vlan 10

no shut

int gi1/0/2

desc "connection to server 2"

switchport

switchport mode access

switchport access vlan 20

no shut

int gi1/0/24

desc "trunk to PaloAltoNetworks"

switchport

switchport mode trunk

switchport trunk allowed vlan all

no shut

interface vlan10

no ip address

interface vlan 110

ip address 10.1.10.1 255.255.255.0

interface vlan20

no ip address

interface vlan120

ip address 10.1.20.1 255.255.255.0

So now if server1 wants to send packets anywhere, this is what happens:

server1 arps for its default gateway. The arp response doesn't come from the L3 switch in vlan10 because it doesn't have a virtual router interface in vlan10. However, the arp broadcast gets sent out gi1/0/24 to the firewall, where the vlan tag 10 is stripped and tag 110 is added and sent back into the network. The switch sees the ARP request from server1 in vlan110 and responds in vlan110. That response is sent through the firewall where vlan tag 110 is stripped and vlan tag 10 is added. Now, all traffic routing out of vlan10 must traverse the firewall at Layer2 before being routed by the L3 switch.

The end result is that traffic will be routed out of vlan10, but only after passing through through the firewall at layer2 - while keeping routing on the L3 switch itself.

Hope that helps (and hope I described it well enough). Like I said earlier, L3 firewall on a stick is preferred, but this can work as well.

Re: Data center firewall design?

Tician — Tue, 10 Sep 2013 10:34:20 GMT

Hello jvalentine,

Thanks for your advised solution, your scenario seems closest what customer want... (retain L3 configuration and routing on switches).

Many customer with existing environments don't want to give firewalls to do routing jobs and they concerning in general, that routing on firewalls make significant overhead and maybe cause for potential performance issues.

To clarify this to customers and convince them to swap configuration, maybe right question is, how routing in general has performance impact on PAN firewalls?

Re: Data center firewall design?

jvalentine — Tue, 10 Sep 2013 14:53:19 GMT

L3(Routing) Firewalling has the same performance as L2(Switching) Firewalling. Palo Alto Networks does not make a performance distinction between the two.

Re: Data center firewall design?

Tician — Tue, 24 Sep 2013 10:09:49 GMT

Hi jvalentine,

I trying to make this scenario but from cisco perspective, they introduced spanning-tree loop between bridged vlan's 10 and 110. Is there some recommendation, how to cope with spanning tree issue. Can I simply disable STP on cisco for bridged vlan's or other solution is preferred?

Re: Data center firewall design?

treese — Wed, 27 Apr 2016 14:36:36 GMT

I'm looking for the same design docs info.

Re: Data center firewall design?

GOMEZZZ — Tue, 20 Oct 2020 15:50:59 GMT

Hi Valentine,

Thx for this interesting approach, could you point me into the direction of how I do the VLAN tag rewrite on the palo side.

I agree the best approach is moving SVI to palo but i would like to test you suggestion.

Kind regards,

Frederik.

Re: Data center firewall design?

GOMEZZZ — Tue, 20 Oct 2020 16:03:19 GMT

Hi Valentine,

Thank you for thi interesting approach, i would like to test this in lab. Can you point me to a direction on how to do the vlan tag rewriting on palo.