extending vlan

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

extending vlan

L4 Transporter

Hi,

 

I have two pa device , if . Both are in two differnet site . and I want to access the device in vlan10  from one site to another . 

How can i do that .

 

 

vlan 10 ----fw1 --------------fw2---vlan 10 

Thanks

 

13 REPLIES 13

L4 Transporter

Hi @simsim ,

 

Are you refferring to L2 extention and will be using same network on both ends?( you are expecting a solution like psuedowire ?)

Do you have layer 2 or layer 3 connection between sites?

Is connection over internet and IPSec VPN?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi,

 

I am having l3 connection between sites 

 

Thanks

Hi,

Not same network , the gateway is in site b.From site a  I want to reach site B

 

Thanks 

Assuming that you configure IPSec VPN between sites then you need to add route to peer site into virtual router and allow this traffic in security policy.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hello,

Are the vlans IP'ed the same way? i.e. 192.168.2.0/24 or do they have different subnets and just the same vlan tag?

 

Please advise,

L1 Bithead

The best way I've been able to do this is by having a different subnet at each location such as this: 10.10.1.0/24 and 10.30.1.0/24.  I create a L3-Interface on both firewalls and create the necessary routers.  I then created a rule in Panorama and applied it to both firewalls like so:  Trust=>RemoveOffices(10.10.1.0/24,10.30.1.0/24); App-ID: Any, Service: Any => Trust=>RemoteOffices(10.10.1.0/24, 10.30.1.0/24); App-ID: Any, Service: Any.  When applied to both sets of firewalls you'll get a psuedo VLAN extention.  To make it scale a little, create an Address Group named something like: VLAN1.  Then reference that in any rule you create.  You must always include Remote-Office (To and/or From) as appropriate.  This will allow all traffic originated on VLAN1 on site1 to VLAN1 on site2 (simulates an extended VLAN between sites).

 

I've used this and it works quite well.  The only gotcha you need to be careful of is when specifying the Interface between firewalls.  I use a dedicated Interface or Tunnel and keep my routes very specific only to the other site.  Any other routes should probably not traverse that link unless it absolutely needs to.

 

Good Luck!

Hi,

 

Why do I need a virtual router ? 

 

Thanks

Hi,

Same ip and same vlan tag

Thanks

Hello,

They cannot be the same IP address for management. If you are doing HA A/P, then the interface will have the same IP but the passive will be shut down since they are 'passive'.

 

Hope that helps.

Hi,

 

Sorry for the confusion , I am not talking about the management ip . What I mean is  vlan is same in both sites 

 

Thanks

Hi @simsim ,

 

I feel there is a communication gap. hope you need to explain the requirment bit detail.

If you are using different ip segment in both locations, you can have ipsec between two sites, and route the segments through tunnel in both firewall and have a proper security policy.

 

As vlan is just local to local network, you have L3 connectivity between two locations(and as per commends, you are using diffrent ip segments in both locations), need not to bother about vlan much.

 

But if you need a L2 extension like psuedowire ( L2VPN), i dont thing PA is having it now.

If you have Layer 3 in between then it does not matter at all if vlan number is the same or not.

Important is if your IP subnet is the same. In your case it seems to be.

 

All you have to do is to use NAT at both sides to overcome it.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClNxCAK

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 7918 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!