06-03-2011 05:36 AM
Hello!
We need to implement a Palo 5050 in a data center with Cisco Nexus 7k infrastructure and 10 Gbps interfaces. Is the following design OK?
One 10 Gbps interface on the N7k connected to the Palo will be a trunk (allowing VLAN tags 2, 3, 4). The second 10 Gbps interface on the N7k will also be a trunk, allowing VLANs 12, 13, 14.
Is it possible to configure the Palo to bridge traffic between VLANs 2 and 12, 3 and 13, 4 and 14? I thought of configuring 3 L2 subinterfaces on each 10 Gbps interface and putting each L2 subinterface in its own zone. Each pair of subinterfaces will be put in its own virtual firewall and have its own set of rules. For VLANs 12, 13 and 14 on the N7k there will be 3 L3 VLAN interfaces with addresses from the address spaces of VLANs 2, 3 and 4 (the VLAN interfaces will be the default gateways for servers in VLANs 2, 3 and 4).
If it is not OK, do you have some recommendations and configuration examples for the Palo in data center environments?
Thank you and best regards,
Maja
06-03-2011 07:29 AM
Maja,
Yes, this is possible to do.
Process:
Create your Virtual Firewall instances
Create your Layer 2 sub-interfaces, tag the VLANs accordingly and assign them to the appropriate vsys
Create a bridge VLAN that contains both interfaces within the appropriate vsys
Create zones for each layer 2 VLAN from the Ciscos within the appropriate vsys
Create your policies to pass traffic between zones within the appropriate vsys
That should get you up and running on the layer 2 vlans.
James
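The steps above, written out as PAN-OS CLI set commands for one VLAN pair (2 on the server side, 12 on the gateway side). This is an added example and not configuration from the original post; the port numbers (ethernet1/21 and ethernet1/22 as the two 10 Gbps ports), the vsys name (vsys2), the VLAN object and zone names, and the sample rules are assumptions. Multi-vsys must already be enabled and licensed on the firewall; the same block repeats for the 3/13 and 4/14 pairs with a different vsys, VLAN object and zone names.

```text
# Layer 2 subinterfaces on the two 10 Gbps trunk ports (assumed ports 1/21, 1/22).
# Frames arriving on ethernet1/21.2 carry 802.1Q tag 2; on ethernet1/22.12, tag 12.
set network interface ethernet ethernet1/21 layer2 units ethernet1/21.2 tag 2
set network interface ethernet ethernet1/22 layer2 units ethernet1/22.12 tag 12

# Bridge the pair: a VLAN object containing both subinterfaces. The firewall
# re-tags frames as they cross, so VLAN 2 on one trunk becomes VLAN 12 on the other.
set network vlan bridge-2-12 interface [ ethernet1/21.2 ethernet1/22.12 ]

# Hand both subinterfaces and the VLAN object to the virtual system for this pair.
set vsys vsys2 display-name "VLAN 2 / VLAN 12"
set vsys vsys2 import network interface [ ethernet1/21.2 ethernet1/22.12 ]
set vsys vsys2 import network vlan bridge-2-12

# One zone per side, both created inside the vsys.
set vsys vsys2 zone servers-2 network layer2 ethernet1/21.2
set vsys vsys2 zone gateway-12 network layer2 ethernet1/22.12

# Policy lives inside the vsys too. Sample rules (assumed): servers may reach
# their default gateway freely; only ssh and web-browsing are allowed inbound.
set vsys vsys2 rulebase security rules servers-to-gw from servers-2 to gateway-12 source any destination any application any service application-default action allow
set vsys vsys2 rulebase security rules gw-to-servers from gateway-12 to servers-2 source any destination any application [ ssh web-browsing ] service application-default action allow

commit
```

Because each pair sits in its own vsys with its own zones, the rulebase of vsys2 cannot match traffic belonging to the 3/13 or 4/14 pair, which is what gives each pair an independent rule set. Check the result with `show vlan all` and `show interface ethernet1/21.2` after the commit.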
06-03-2011 11:14 AM
As a follow-up to this, can anyone comment on best practices as far as integrating PAN into the data center? Is the bridging-between-VLANs mode as described above recommended? Does anyone have experience allowing the PAN to participate as an L3 device in the data center? I understand that there are some caveats to each method, particularly when considering multicast support and zone-based rule sets/policy configurations.
We've recently purchased an HA pair of PA 5050s. We are planning to utilize the devices in cooperation with some Cisco core switching hardware and VRF lite to segment/secure internal traffic as well as traffic to the Internet. We've had conversations with our local SE and some other customers about how best to integrate. We plan on testing each of the different options, but I'm curious how other folks have accomplished similar data center/core firewall implementations. Thanks in advance for your feedback - Bill
09-09-2011 11:48 AM
I've been doing some testing with dual Nexus 7ks with a vPC port-channel to the PA-5050 in layer 2 mode. I'm running into STP blocks on my Nexus 7K seeing VLAN inconsistencies. I'm guessing this is because when I bridge the VLANs together my switch is seeing the Spanning Tree BPDUs leave on the "internal" VLAN and sees those same BPDUs enter on the "outside" VLAN and starts blocking on the port-channel interface with an "Inconsistent local vlan" error. If I disable spanning-tree on the internal VLAN it lifts the blocks and the traffic bridges through the PA firewall as expected; it just seems like there is a better way to accomplish this without having to disable spanning-tree.
09-09-2011 10:46 PM
Hi,
The attached doc from Knowledge Point may be a good reference for you guys.
Yes, you need to disable spanning tree, as the BPDUs will cause problems.
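The Nexus 7K side of the design from the first post, with spanning tree disabled on the bridged VLANs as the reply above says. This is an added example and not configuration from the original thread; the interface numbers, the SVI address (10.2.0.1/24 standing in for "an address from the VLAN 2 address space"), and the single-switch (non-vPC) layout are assumptions.

```text
! Cisco NX-OS, Nexus 7K (assumed single switch, no vPC)
feature interface-vlan

vlan 2-4,12-14
exit

! Trunk toward the PA-5050, server side: only the server VLANs
interface Ethernet1/1
  description PA-5050 server-side trunk
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 2-4
  no shutdown

! Trunk toward the PA-5050, gateway side: only the paired VLANs
interface Ethernet1/2
  description PA-5050 gateway-side trunk
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 12-14
  no shutdown

! Default gateway for servers in VLAN 2 lives on the VLAN 12 SVI, so every
! packet from a server to its gateway crosses the firewall. There must be no
! SVI on VLAN 2 itself, or the servers would reach the gateway without
! passing through the PA. (Address assumed.)
interface Vlan12
  ip address 10.2.0.1/24
  no shutdown

! The firewall bridges VLAN 2 to VLAN 12 transparently, so the switch receives
! its own BPDUs back on the peer VLAN and reports an inconsistent VLAN on the
! port. Per the reply above, spanning tree is disabled on the bridged VLANs.
no spanning-tree vlan 2-4,12-14
```

After applying this, `show spanning-tree vlan 2` should report that spanning tree is not running for that VLAN, and `show interface Ethernet1/1 trunk` should list VLANs 2-4 as forwarding. Note that disabling STP on these VLANs removes loop protection for them, so nothing other than the firewall should ever connect the two trunks together.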