03-10-2015 07:58 AM
We have considered the benefits of Cisco Systems' Private VLANs (RFC 5517 - Cisco Systems)and taken a stab at implemented a test. the idea is that 192.168.2.100 and 192.168.2.101 are in separate private vlans, but may need to talk to each other and we would like the PA firewall to govern that communication
03-10-2015 11:16 AM
Is just another Vlan from our point of view. the link you provide mentions:
Such a mechanism allows end devices to share the same IP subnet while
being Layer 2 isolated, which in turn allows network designers to
employ larger subnets and so reduce the address management overhead.
Connecting the firewall on (2) L3 interfaces, assuming that the private promiscuous port does not accept trunking. the firewall could route between those 2 subnet and performing your security operations.
If the other device supports trunking of primary vlan over the trunk port, then our device just need to have that interface as l2 with appropriate vlan tag and route on L3 Assigned to Vlans.
In other words, the isolated and/or community vlans are just mapping of the primary Vlan and on the uplink port to the Firewall will be set to promiscuous mode, with the primary VLAN mapped to the secondary VLAN.
04-13-2015 01:18 PM
I have been successful in deploying this type of setup and communicating between secondary vlans that were associated with different primaries. What girvin is talking about is something I was trying to accomplish as well and was unsuccessful. I wanted to have 2 secondary vlans associated to the same primary and regulate communication between the two. The issue seems to be something to how the Palo Alto responds to proxy arp or lack thereof. My setup was like this:
promiscuous trunk with correct mappings
int e1/1 (tried with aggregate ethernet as well) > layer 2 > associate to a vlan I called vlan-bridge
int e1/1.100 > layer 2 > Tag 100 > vlan vlan.100 --> vlan.100 was then assigned an IP address.
Now that I think about it, the physical and subinterfaces were in the same security zone. I ran out of time and had to go a different route. I wonder if having them in different security zones would be the issue?
If anyone out there has some insight, please share.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!