Data center firewall design?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Data center firewall design?

L3 Networker

Hi All,

I have couple question in mind when I’m think about implementation PAN firewalls in Data center design. In reviewing design guide “Designing Networks with Palo Alto Networks Firewalls”, mostly where described perimeter firewall with upstream untrusted networks, exceptionally where we got hierarchical design with trunks between aggregation and core. But in most used scenarios by this guide, I cannot find such scenario, where is implemented aggregation and core in one layer.

Example: One customer has two L2/L3 switches with implemented VRRP, which is access, aggregation and core in same time.  Clients, servers and others, are divided into VLAN’s and they are terminated on L3 within same switches.

Questions:

In such design, is there possible to implement PAN and secure communication between VLAN’s, or redesign is needed?

If such design is supported, can you provide some configuration example?  

Thanks,

SBS

1 accepted solution

Accepted Solutions

Router on a stick is definitely preferred if you can make it happen!

However, I have seen some environments where the requirement was to keep the router interfaces on the L3 switch while still firewalling inter-VLAN traffic.  Additionally, due to the # of edge switches & connections, it was not feasible to place the Palo Alto Networks firewall physically in-line.  It is possible to logically insert a firewall into an environment like this as an L2-firewall "on a stick", but it requires some "creative" VLAN configuration.

Let's say you have 2 servers, 2 vlans, and an L3 switch routing between those VLANs like this:

server1 --- (vlan10) --- L3 Switch --- (vlan20) --- server2

The relevant parts of a Cisco L3 switch configuration would look something like this:

vlan 10

vlan 20

int gi1/0/1

  desc "connection to server 1"

  switchport 

  switchport mode access

  switchport access vlan 10

  no shut

int gi1/0/2

  desc "connection to server 2"

  switchport

  switchport mode access

  switchport access vlan 20

  no shut

interface vlan10

  ip address 10.1.10.1 255.255.255.0

interface vlan20

  ip address 10.1.20.1 255.255.255.0

In order to do "layer-2" firewalling on a stick, you need to move the IP address for VLAN10 out of VLAN10 and into a different VLAN (we'll use VLAN110 in this example).  Same thing for VLAN20, move the IP address out of that VLAN and into VLAN120.  We then configure the Palo Alto Networks firewall to do L2 bridging (aka VLAN tag re-write) between VLAN10 and VLAN110, and between VLAN20 and VLAN120.  That's pretty easy to do on the Firewall side of things.  If you have trouble figuring that part out, let us know.

The Cisco L3 switch configuration will change to look like this:

vlan 10

vlan 20

vlan 110

vlan 120

int gi1/0/1

  desc "connection to server 1"

  switchport 

  switchport mode access

  switchport access vlan 10

  no shut

int gi1/0/2

  desc "connection to server 2"

  switchport

  switchport mode access

  switchport access vlan 20

  no shut

int gi1/0/24

  desc "trunk to PaloAltoNetworks"

  switchport

  switchport mode trunk

  switchport trunk allowed vlan all

  no shut

interface vlan10

  no ip address

interface vlan 110

  ip address 10.1.10.1 255.255.255.0

interface vlan20

  no ip address

interface vlan120

  ip address 10.1.20.1 255.255.255.0

So now if server1 wants to send packets anywhere, this is what happens:

server1 arps for its default gateway.  The arp response doesn't come from the L3 switch in vlan10 because it doesn't have a virtual router interface in vlan10.  However, the arp broadcast gets sent out gi1/0/24 to the firewall, where the vlan tag 10 is stripped and tag 110 is added and sent back into the network.  The switch sees the ARP request from server1 in vlan110 and responds in vlan110.  That response is sent through the firewall where vlan tag 110 is stripped and vlan tag 10 is added.  Now, all traffic routing out of vlan10 must traverse the firewall at Layer2 before being routed by the L3 switch.

The end result is that traffic will be routed out of vlan10, but only after passing through through the firewall at layer2 - while keeping routing on the L3 switch itself. 

Hope that helps (and hope I described it well enough).   Like I said earlier, L3 firewall on a stick is preferred, but this can work as well.  

View solution in original post

11 REPLIES 11

L5 Sessionator

For  VLANs behind L2 switch you can set up PA firewall as a Router on a stick.

Not sure how PA could play a role in securing inter-VLAN traffic for the VLANs terminated on the L3 Switch.

Following References can be helpful.

Securing Inter VLAN Traffic

Layer 2 Networking

Hello Tician,

Apart from the tech knowledge shared by akawimandan, in regards to design questions our SE's should be glad to share your concerns and suggest you design.

Thanks

L4 Transporter

I think you need to readmit the questions that you need answered.


If all you want to know is if the PAN can be used as the L3 Gateway for your VLANs, the answer is yes.


Using the PAN for several VLANs as their gateway,  and create security zones between VLAN segments is a very simple setup:

1. Add  L3 "sub-interface" on the PAN in Network

2. Assign it the interface and assign a tag

3. Give it an ip address the the VLAN will be using as a gateway

4. Assign it a zone

5. create your policies


If you are asking how would create a setup like VRRP, I believe you are asking about how to do an HA Active/Active setup, or if you are asking if VRRP works with PAN firewalls, I don't think it will.


If you are trying to achieve redundancy between 2 switches and the PAN, you might look at LAG/MLAG between the switches and the PAN firewall.

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

L3 Networker

The pan does not support the protocol VRRP as stated above.  However it can pass that traffic as well as it has its own redundancy protocol High Availability.  You can follow these doc's and video that will give you more information.  I

https://live.paloaltonetworks.com/docs/DOC-2926

https://live.paloaltonetworks.com/videos/1173

As far as design you can create aggregate links and add vlans with tags to separate the traffic.   Or you can set the pan up as a pass through with just tagged ports.  You will also need to keep in consideration if nat needs to be implemented on the pan or if it is happening some where else on the network.  You should consult your SE to help with design if you have any doubts.

Router on a stick is definitely preferred if you can make it happen!

However, I have seen some environments where the requirement was to keep the router interfaces on the L3 switch while still firewalling inter-VLAN traffic.  Additionally, due to the # of edge switches & connections, it was not feasible to place the Palo Alto Networks firewall physically in-line.  It is possible to logically insert a firewall into an environment like this as an L2-firewall "on a stick", but it requires some "creative" VLAN configuration.

Let's say you have 2 servers, 2 vlans, and an L3 switch routing between those VLANs like this:

server1 --- (vlan10) --- L3 Switch --- (vlan20) --- server2

The relevant parts of a Cisco L3 switch configuration would look something like this:

vlan 10

vlan 20

int gi1/0/1

  desc "connection to server 1"

  switchport 

  switchport mode access

  switchport access vlan 10

  no shut

int gi1/0/2

  desc "connection to server 2"

  switchport

  switchport mode access

  switchport access vlan 20

  no shut

interface vlan10

  ip address 10.1.10.1 255.255.255.0

interface vlan20

  ip address 10.1.20.1 255.255.255.0

In order to do "layer-2" firewalling on a stick, you need to move the IP address for VLAN10 out of VLAN10 and into a different VLAN (we'll use VLAN110 in this example).  Same thing for VLAN20, move the IP address out of that VLAN and into VLAN120.  We then configure the Palo Alto Networks firewall to do L2 bridging (aka VLAN tag re-write) between VLAN10 and VLAN110, and between VLAN20 and VLAN120.  That's pretty easy to do on the Firewall side of things.  If you have trouble figuring that part out, let us know.

The Cisco L3 switch configuration will change to look like this:

vlan 10

vlan 20

vlan 110

vlan 120

int gi1/0/1

  desc "connection to server 1"

  switchport 

  switchport mode access

  switchport access vlan 10

  no shut

int gi1/0/2

  desc "connection to server 2"

  switchport

  switchport mode access

  switchport access vlan 20

  no shut

int gi1/0/24

  desc "trunk to PaloAltoNetworks"

  switchport

  switchport mode trunk

  switchport trunk allowed vlan all

  no shut

interface vlan10

  no ip address

interface vlan 110

  ip address 10.1.10.1 255.255.255.0

interface vlan20

  no ip address

interface vlan120

  ip address 10.1.20.1 255.255.255.0

So now if server1 wants to send packets anywhere, this is what happens:

server1 arps for its default gateway.  The arp response doesn't come from the L3 switch in vlan10 because it doesn't have a virtual router interface in vlan10.  However, the arp broadcast gets sent out gi1/0/24 to the firewall, where the vlan tag 10 is stripped and tag 110 is added and sent back into the network.  The switch sees the ARP request from server1 in vlan110 and responds in vlan110.  That response is sent through the firewall where vlan tag 110 is stripped and vlan tag 10 is added.  Now, all traffic routing out of vlan10 must traverse the firewall at Layer2 before being routed by the L3 switch.

The end result is that traffic will be routed out of vlan10, but only after passing through through the firewall at layer2 - while keeping routing on the L3 switch itself. 

Hope that helps (and hope I described it well enough).   Like I said earlier, L3 firewall on a stick is preferred, but this can work as well.  

Hello jvalentine,

Thanks for your advised solution, your scenario seems closest what customer want... (retain L3 configuration and routing on switches).

Many customer with existing environments don't want to give firewalls to do routing jobs and they concerning in general, that routing on firewalls make significant overhead and maybe cause for potential performance issues.

To clarify this to customers and convince them to swap configuration, maybe right question is, how routing in general has performance impact on PAN firewalls?

L3(Routing) Firewalling has the same performance as L2(Switching) Firewalling.  Palo Alto Networks does not make a performance distinction between the two. 

Hi jvalentine,

I trying to make this scenario but from cisco perspective, they introduced spanning-tree loop between bridged vlan's 10 and 110. Is there some recommendation, how to cope with spanning tree issue. Can I simply disable STP on cisco for bridged vlan's or other solution is preferred?   

L3 Networker

I'm looking for the same design docs info.

Hi Valentine,

 

Thx for this interesting approach, could you point me into the direction of how I do the VLAN tag rewrite on the palo side.

I agree the best approach is moving SVI to palo but i would like to test  you suggestion.

 

Kind regards,

 

Frederik.

 

 

Hi Valentine,

 

Thank you for thi interesting approach, i would like to test this in lab.  Can you point me to a direction  on how to do the vlan tag rewriting on palo.

 

  • 1 accepted solution
  • 11042 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!