topic Re: Best Placement Integration Approach in General Topics

Best Placement Integration Approach

Nikko — Tue, 26 Jan 2021 04:25:48 GMT

Hi Guys,

Just want to seek your inputs about what can be the best integration approach for this scenario.

Currently, the VLAN gateway is in my core switch and I will be introducing PA FW into my network. I want to have control and visibility for my intervlan switching, will the virtual-wire approach be the best for this scenario?

I am a bit not convinced if the virtual wire will be able to solve what I want for the intervlan because my current gateway is in the core switch.

Thanks

Re: Best Placement Integration Approach

aleksandar.astardzhiev — Tue, 26 Jan 2021 21:50:15 GMT

Hi @Nikko ,

With vwire you can achive your goal for inter-vlan traffic inspection/filtering. IMHO the only advantache of putting the PA in front of the core switch in vwire mode is that you will not have to change the default gateway for all of your vlans. You can event split the VLAN in separate sub-interfaces for the vwire Virtual Wire Subinterfaces (paloaltonetworks.com) - to have better control when building the policy.

BUT... The only problem with this approach would be that inter-vlan traffic will pass twise over your firewall:

- once from host a (in vlan a) to core switch

- second from core switch to dest b (in vlan b)

So you have to take under the consideration when building your policy that you need two rules.

And eventually if the device can handle the performance.

Re: Best Placement Integration Approach

BPry — Tue, 26 Jan 2021 21:50:18 GMT

@Nikko,

If you're going to be using a v-wire configuration you need the traffic to actually cross the v-wire link. To really answer this you'll need to provide a network diagram and some additional information about how your network is actually configured.