how to combine layer2 and layer3 on a single port

5050 at ver 6.1.9

Hello all! You may want to sit down for this one. We have a core router that connects to a single layer 3 10GB port on a 5050 as the internet gateway. The 5050 also has several server networks attached via 1GB ports. Again, these ports are layer 3 and act as the gateway for these networks. All connections on the 5050 are now layer 3 interfaces. We are trying to migrate away from our current ISP connection on the 5050 to new connections off of the core router, and we are looking at migrating our existing servers from 1GB to 10GB through the core routers, all the while allowing the 5050 to examine traffic.

1) We would like to keep this 10GB port on the 5050 as a default route.

2) We would like to extend the existing 5050 server networks back down to the core router via the same 10GB pipe, where we will connect servers with 10GB connections within the core.

3) We are migrating away from the existing WAN connection on the 5050. With that said, our intention is to use policy routing to route certain users onto a new layer 3 VLAN (new default route) that would exist on that same 10GB pipe. That network will be passed as layer 2 traffic through the core router to other ISPs.

So in a nutshell, I need to create the server VLANs with two ports each: one port for the existing 1GB server farm off the 5050 and another port (the 10GB port) that will be used by multiple VLANs. Now, when you stop laughing, is this at all possible, and if it is, can you point me to a step-by-step in creating these interfaces?

thanks in advance

walt
Don't think you can combine L2 and L3 on the same port. For your scenario I'd say maybe try this: make the 10 GB connection an L2 trunk and move the IP (and other L3 settings) you had on this interface to a loopback on the PA. Just a (crazy) idea though, not sure it will work.
Looking at the document I don't see an answer for my requested network design or I'm just missing it.  The document seems to be written for an earlier version of PA code so the screen shots don't correlate to what I see when I web in to the 5050.

Here is information on how we accomplish these layer 2 and layer 3 connections on a single port on our cores. It may help clarify what I am trying to accomplish with the 5050 and whether it can be done.

Notice port tg.2.3 is used for multiple L3 VLANs (as a trunk port). Also notice that port ge.4.4 (server port) is untagged in the same 749 VLAN as the tagged trunk port tg.2.3.

thanks again

walt
DCCC_S4_Core1(rw)->show ip int vlan.0.749
vlan.0.749 is Operationally up, Administratively up
   IP Address 172.31.149.3 Mask 255.255.255.0

DCCC_S4_Core1(rw)->show vlan stat 749
VLAN     : 749         Status     : Enabled
FID      : 749         Name       : EMPLOYEE_4215_ITSTAFF
VLAN Type: Permanent   Last Change: 2015-06-19 10:41:42
Egress Ports:
tg.2.3;ge.4.2,4
Forbidden Egress Ports:
None.
Untagged Ports:
ge.4.4

DCCC_S4_Core1(rw)->show ip int vlan.0.849
vlan.0.849 is Operationally up, Administratively up
   IP Address 10.200.149.3 Mask 255.255.255.0

DCCC_S4_Core1(rw)->show vlan stat 849
VLAN     : 849         Status     : Enabled
FID      : 849         Name       : STUDENT_4215_ITSTAFF
VLAN Type: Permanent   Last Change: 2015-06-19 10:41:42
Egress Ports:
tg.2.3;ge.4.2
Forbidden Egress Ports:
None.
Untagged Ports:
None

So, by the lack of responses, I assume this has not been/cannot be done: a layer 3 routed interface that is presented to multiple layer 2 ports as a tagged VLAN. We have two core switch/routers, each with its own connection back to a single PA5050. The purpose is to allow VM servers that have two connections, one in each core switch, availability to the same network depending on the server interface that is active. A single IP address is used per server.

thanks in advance

walt

Hello,

Would you be able to provide a simple diagram of the physical connections and intended traffic flow? This would make it easier for the rest of us to provide some feedback.

Regards,

ADDED the HOOK. So, by the lack of responses, I assume this has not been/cannot be done: a layer 3 routed interface that is presented to multiple layer 2 ports as a tagged VLAN. These physical ports would carry multiple tagged layer 3 VLANs. We have two core switch/routers, each with its own connection back to a single PA5050. The purpose is to allow VM servers that have two connections, one in each core switch, availability to the same network depending on the server interface that is active. A single IP address is used per server. These servers have multiple VLANs on each connection which are application specific.

thanks in advance

walt

I think this is possible, but a diagram would support my theory if I am understanding you correctly.

What I have done in the past is make the sub-interfaces all layer 2 and the VLANs layer 3. This way I could send multiple VLANs down the same wire and still have routing/zone control.

I hope that makes sense.

(attached diagram: PA5050_VLANSTOCORES.png)

Hope that helps to show what we are trying to accomplish. We want the VLAN traffic examined by the PA 5050 before it reaches the servers. Right now some of the VLANs are routed by the cores and not passed through the PA 5050.

thanks in advance

walt

Hi Walt,

I am just looking at your diagram, and I am thinking you should be able to use a Layer 3 trunk as the interface, and then create sub-interfaces per VLAN to control the traffic of particular VLANs.

That's how I am running my lab, a bit smaller configuration in terms of devices, but I am basically connecting with a Layer 3 untagged interface to my trunk port, and then I have L3 sub-interfaces with VLAN tags and IP addresses that are effective gateways for the VLANs in the virtual environment. That way I am using the full bandwidth of the interface and just doing logical routing with VLANs and the virtual router inside.

Combining L2 and L3 interface configuration per interface is not possible, but there are plenty of other solutions: the six-tuple that is used to evaluate sessions does NOT include the interface; what matters for session matching are IP addresses, ports, zone and protocol. So, as long as your packets match those six items, it does not really matter what interface they came in or went out through.

Another thing is that L2 does not offer the best inspection and visibility into traffic; you should always try to have L3 interfaces and inspection rather than L2 or vwire/tap inspection.

Best regards,

Luciano

I have used instances where I've built a single "trunk-1" port with multiple L3 tagged VLANs (sub-interfaces). But as you can see, I would like to add another physical port "trunk-2" carrying the same VLANs. Our core switch/routers can do this (add multiple physical interfaces to any VLAN, and each physical interface can carry multiple (tagged) VLANs). But of course we do not get the level of inspection/allow/deny that the 5050 will provide.

thanks for the input

walt

Hello,

Just some other things to consider.

Aggregate interfaces on the PAN

https://live.paloaltonetworks.com/t5/Integration-Articles/Designing-Networks-with-Palo-Alto-Networks...

https://live.paloaltonetworks.com/t5/Configuration-Articles/Which-Link-Aggregation-Protocols-are-Sup...

Also you mentioned you were running on 6.1.9, you may want to think about upgrading or protecting the management interface.

https://securityadvisories.paloaltonetworks.com/

Cheers!
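The design Luciano describes (one Layer 3 parent interface with tagged sub-interfaces acting as the VLAN gateways) and the aggregate-interface suggestion in the reply above, put together as one configuration. This is an added example, not configuration from any post in this thread. The commands follow the PAN-OS configure-mode "set" syntax as the editor recalls it; confirm each token against the firewall's own command completion for the PAN-OS version in use. The interface names ethernet1/21 and ethernet1/22, the zone names, and the .1 gateway addresses are assumptions; the VLAN IDs 749 and 849 and their /24 subnets are taken from the core switch output Walt posted, where the core itself holds .3.

```text
# Added example (not from any poster in this thread). PAN-OS configure-mode
# set commands; syntax from memory, verify with the firewall's command
# completion. Interface names, zone names and .1 addresses are assumptions.

configure

# Bundle the two 10 GbE uplinks (one per core switch) into one aggregate
# group, so both cores present the same VLANs to a single logical interface.
# LACP is optional; if enabled here, the cores must run LACP as well.
set network interface aggregate-ethernet ae1 layer3 lacp enable yes
set network interface ethernet ethernet1/21 aggregate-group ae1
set network interface ethernet ethernet1/22 aggregate-group ae1

# The parent ae1 carries no untagged address. Each VLAN becomes a tagged
# Layer 3 sub-interface whose address is the gateway for that subnet.
set network interface aggregate-ethernet ae1 layer3 units ae1.749 tag 749
set network interface aggregate-ethernet ae1 layer3 units ae1.749 ip 172.31.149.1/24
set network interface aggregate-ethernet ae1 layer3 units ae1.849 tag 849
set network interface aggregate-ethernet ae1 layer3 units ae1.849 ip 10.200.149.1/24

# Attach the sub-interfaces to the virtual router so it routes between them.
set network virtual-router default interface ae1.749
set network virtual-router default interface ae1.849

# One zone per VLAN, so inter-VLAN traffic crosses security policy and can
# be inspected, logged and allowed or denied per application.
set zone employee-it network layer3 ae1.749
set zone student-it network layer3 ae1.849

commit

# Operational-mode check after the commit: the aggregate, its members and
# the sub-interfaces should all show as up.
# show interface all
```

Because both physical uplinks are members of the one logical interface ae1, a server failing over between its two core connections changes neither the ingress interface nor the zone, and, as Luciano notes, the session match does not include the interface in any case. The core side must carry VLANs 749 and 849 tagged on both member links, and the 749 and 849 subnets must then be routed by the firewall rather than by the core's vlan.0.749 and vlan.0.849 addresses, otherwise hosts will have two candidate gateways and some traffic will bypass inspection. Because each VLAN sits in its own zone, a security rule (and a matching deny log) is needed before 749 and 849 can talk to each other.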
