This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Connecting L3 Port of Palo Alto to the Switch

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Connecting L3 Port of Palo Alto to the Switch

harmander
L0 Member

‎08-30-2016 10:02 PM

Hi there,

 

On Palo Alto I have configured L3 interface and assgined ip address to it. I would like to connect this interface to the switch. The switch has an SVI configured with the port in the same vlan as the SVI. Can I connect the Palo Alto interface to the switch port which is configured with a vlan or do I need to make the switch port as a routing port.

 

Thanks Guys

0 Likes Likes
2 REPLIES 2

reaper
Cyber Elite
Cyber Elite

‎08-31-2016 01:49 AM

Hi!

 

the firewall does not participate in STP so layer2 SVI bridging does not work, you can choose either 

  •  access port in the svi vlan and add routes that point to the SVI
  •  routed port
  •  different design: 
    • you can also create several (tagged) subinterfaces on the firewall and connect it to a trunk port on the switch and let the firewall do the routing, that way you can inspect inter-vlan traffic
    • the firewall also functions in layer2 mode with a layer3 (firewall version of vsi) function you can enable

 

hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

darren_g
L4 Transporter

‎08-31-2016 03:37 PM

@harmander wrote:

Hi there,

 

On Palo Alto I have configured L3 interface and assgined ip address to it. I would like to connect this interface to the switch. The switch has an SVI configured with the port in the same vlan as the SVI. Can I connect the Palo Alto interface to the switch port which is configured with a vlan or do I need to make the switch port as a routing port.

 

Thanks Guys

 

I do exactly that on my core switches to allow for the HA configuration.

 

Firewall is configured with an L3 interface, switch cluster is configured with an RVI (Juniper speak, not Cisco), each port for the firewall is a simple access port in the associated VLAN for the RVI. I just post routes to the RVI address.

 

That way, it doesn't matter which firewall is active at the time - both are connected into the same routes, and an ARP flood when HA failover occurs means I rarely even lose a packet in the event of a HA event.

0 Likes Likes
  • 2973 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks