07-01-2018 11:44 PM
Hi all, I'm hoping someone can help me avoid a huge overhaul and outage window of our DMZ network...
Our DMZ gateway is currently a Palo interface with GlobalProtect enabled on it. Servers on the DMZ are at a remote site connected via a Layer 2 spanned VLAN. We intend to decommission this L2 link and move to a L3 VPN service. We have an entire public class C IP range to play with, but I am a little stuck as to how to manage this transition as smoothly as possible.
Am I able to simply advertise a /32 route to the DMZ gateway address for GlobalProtect VPN traffic and another static route to forward the /24 range to a dummy subnet that directs any remaining DMZ traffic over the L3 service? If I could get away with this, then I guess I will need to assign an IP in the DMZ range to the router servicing the DMZ servers and modify gateway IPs on all DMZ servers to point to the new IP assignment, but is there anything fundamental I haven't considered or may have overlooked? I'm concerned that I will need to start from scratch and split the /24 subnet up, which in turn I think will mean many more VLANs and changes on the infrastructure hosting the DMZ servers that I would preferably like to avoid.
Appreciate any advice or wisdom you can offer. TIA
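The routing idea in the question, as an added illustration that is not part of the original post: a /32 host route for the GlobalProtect gateway address sits inside the public /24 that is forwarded to the L3 service, and longest-prefix match decides which one wins. The addresses, next-hop labels and the new DMZ router IP are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed sample values: a documentation-only /24 stands in for the
# public class C range, .1 for the GlobalProtect gateway address.
DMZ_RANGE = ipaddress.ip_network("203.0.113.0/24")
GP_GATEWAY = ipaddress.ip_address("203.0.113.1")

# Static routes as (prefix, next-hop label). Next-hop names are hypothetical.
ROUTES = [
    (ipaddress.ip_network("203.0.113.1/32"), "local-gp-gateway"),
    (DMZ_RANGE, "l3-vpn-service"),
    (ipaddress.ip_network("0.0.0.0/0"), "internet"),
]


def lookup(dst):
    """Longest-prefix match over ROUTES, the way a router selects a route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def check_new_router_ip(candidate):
    """Sanity checks before re-pointing DMZ server gateways at a new router IP:
    it must be inside the /24, not the network/broadcast address, and must not
    collide with the address the /32 host route reserves for GlobalProtect."""
    ip = ipaddress.ip_address(candidate)
    problems = []
    if ip not in DMZ_RANGE:
        problems.append("outside DMZ range")
    elif ip in (DMZ_RANGE.network_address, DMZ_RANGE.broadcast_address):
        problems.append("network or broadcast address")
    if ip == GP_GATEWAY:
        problems.append("collides with GlobalProtect gateway /32")
    return problems


if __name__ == "__main__":
    for dst in ("203.0.113.1", "203.0.113.50", "198.51.100.7"):
        print(dst, "->", lookup(dst))
    print("203.0.113.254 ->", check_new_router_ip("203.0.113.254") or "ok")
```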
07-08-2018 09:47 AM
A little confusing 😛
As I understand it, the existing VLAN is spanned all the way to the Palo Alto, where the L3 interface of that VLAN resides? Was your plan to avoid a maintenance window completely?
If you now want to move to a L3 VPN service, the best way I see to do this is to do it altogether in one maintenance window to avoid doing changes on all your DMZ servers. But before this maintenance window, move the GP service to a loopback interface.