Has anyone had success using Cisco Systems' Private VLANs and Palo Alto firewalls?

L0 Member

We have considered the benefits of Cisco Systems' Private VLANs (RFC 5517 - Cisco Systems) and taken a stab at implementing a test. The idea is that and are in separate private VLANs, but may need to talk to each other, and we would like the PA firewall to govern that communication.


L3 Networker

Hi Girvin,

Is just another VLAN from our point of view. The link you provided mentions:

   Such a mechanism allows end devices to share the same IP subnet while being Layer 2 isolated, which in turn allows network designers to employ larger subnets and so reduce the address management overhead.


Connecting the firewall on two L3 interfaces, assuming that the private promiscuous port does not accept trunking, the firewall could route between those two subnets and perform your security operations.

If the other device supports trunking of the primary VLAN over the trunk port, then our device just needs to have that interface as L2 with the appropriate VLAN tag and route on L3 interfaces assigned to the VLANs.

In other words, the isolated and/or community VLANs are just mappings of the primary VLAN, and the uplink port to the firewall will be set to promiscuous mode, with the primary VLAN mapped to the secondary VLAN.

Thank you
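To make the two options above concrete, here is an added configuration sketch (not from either poster, and not a vendor-supplied example) for the trunking case: a primary private VLAN with one community and one isolated secondary on a Cisco Nexus, carried to the firewall over a promiscuous trunk, with the firewall terminating the primary VLAN on a tagged Layer 3 subinterface. The VLAN IDs (100, 101, 102), interface names, IP addresses and zone names are assumptions chosen for the illustration.

```text
! --- Cisco Nexus (NX-OS), assumed VLAN IDs and interface ---
feature private-vlan

vlan 100
  private-vlan primary
  private-vlan association 101,102
vlan 101
  private-vlan community
vlan 102
  private-vlan isolated

! Uplink to the Palo Alto: promiscuous trunk carrying the primary VLAN.
! Frames from community 101 and isolated 102 are rewritten to primary 100
! toward the firewall; frames from the firewall on 100 reach both secondaries.
interface Ethernet1/1
  switchport
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan trunk allowed vlan 100
  switchport private-vlan mapping trunk 100 101,102
  no shutdown

! Host ports (assumed) in the community and isolated secondaries.
interface Ethernet1/10
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 100 101
interface Ethernet1/11
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 100 102

# --- Palo Alto (PAN-OS set commands), assumed names and addressing ---
# ethernet1/1 is a Layer 3 interface; the tagged subinterface ethernet1/1.100
# terminates the primary VLAN and is the default gateway for the shared subnet.
set network interface ethernet ethernet1/1 layer3
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 tag 100
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 ip 10.0.100.1/24
set network virtual-router default interface ethernet1/1.100
set zone pvlan-hosts network layer3 ethernet1/1.100
```

The caveat a practitioner should keep in mind: in this design the community and isolated hosts share a single IP subnet (10.0.100.0/24 in the assumed addressing), so a host trying to reach a peer in the other secondary VLAN will ARP for that peer directly rather than for the gateway. The switch suppresses that ARP at Layer 2, and the firewall's Layer 3 interface will only receive the traffic if something answers the ARP on the peer's behalf. Routed traffic to or from other subnets (the "two L3 interfaces" case above, with one subnet per secondary VLAN) does not have this problem, because the hosts always send it to the firewall's gateway address.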


I have been successful in deploying this type of setup and communicating between secondary VLANs that were associated with different primaries. What Girvin is talking about is something I was trying to accomplish as well and was unsuccessful. I wanted to have two secondary VLANs associated to the same primary and regulate communication between the two. The issue seems to be something to do with how the Palo Alto responds to proxy ARP, or lack thereof. My setup was like this:

Cisco Nexus:

interface e1/1
  promiscuous trunk with correct mappings

int e1/1 (tried with aggregate ethernet as well) > layer 2 > associate to a VLAN I called vlan-bridge
int e1/1.100 > layer 2 > Tag 100 > vlan vlan.100 --> vlan.100 was then assigned an IP address.

Now that I think about it, the physical and subinterfaces were in the same security zone.  I ran out of time and had to go a different route.  I wonder if having them in different security zones would be the issue?

If anyone out there has some insight, please share.
