This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Best practice for Palo Alto Uplink

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best practice for Palo Alto Uplink

poekbradley
L0 Member

‎08-28-2018 07:16 AM

We are looking to deploy our new boxes (PA-3220) in HA in the next few weeks. We are trying to go with best practice methods. 

 

Currently, we have an Layer 2 ae interface that has multiple subinterfaces. Each subinterface is tagged with a Layer 3 SVI. The VLAN interfaces are IP'd and added to the Virtual Router. 

 

Example -

Ethernet Tab:

Interface          IP Address             Tag                     VLAN                 Security Zone

ae2                   none                      Untagged           INTERNAL        none

ae2.501           none                      501                     INTERNAL        none

ae2.502           none                      502                     DMZ1                none

ae2.503           none                      503                     DMZ2                none

ae2.504           none                      504                     DMZ3                none

 

VLAN Tab:

Interface          IP Address             Virtural Router   Tag                VLAN            Security Zone

vlan                  none                       none

vlan.501          10.1.1.1/24            VR1                     Untagged     INTERNAL    INTERNAL

vlan.502          172.16.1.1/24       VR1                     Untagged     DMZ1            DMZ1

vlan.503          192.168.1.1/24     VR1                     Untagged     DMZ2            DMZ2

vlan.504          172.17.1.1/24       VR1                     Untagged     DMZ3            DMZ3

 

My question is, should we have the above setup or should we just have the ae interface as layer 3 with subinterfaces and tagged VLANs across that interface?

 

Thank you for your insight.

0 Likes Likes
2 REPLIES 2

OtakarKlier
Cyber Elite
Cyber Elite

‎08-28-2018 09:45 AM

Hello,

This is something I have put a lot of thought into as well. In my experience it took a bit more time to setup the way you are doing it, but in the long run it was the correct choice for my deployments. What it gives you is a lot more flexibility in the future if you want to change things, I think. 

 

The way you have it outlined is how I would deploy as well.

 

Hope that helps.

BPry
Cyber Elite
Cyber Elite

‎08-28-2018 05:15 PM

@poekbradley,

I'll agree with @OtakarKlier and say that the way you want to go is the proper setup for most deployments. I've seen a lot of people start with a layer-3 interface and just route all outside traffic to the firewall; they then either switch things around with a major re-architecture to get to what you are describing here or they'll break things off via VRF and more layer3 interfaces.

Starting off with a layer2 interface and simply using subinterfaes to terminate the VLANs is simply just going to be better, and provide more flexibility going forward as far as adding VLANs or making other changes go. 

0 Likes Likes
  • 2248 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks