Is topology like this possible?

L1 Bithead

Hello!

I have an idea for my test lab, in conditions without a physical switch and with a very limited number of ports. I need my server behind the firewall to receive an IP from the ISP DHCP, and I also need my firewall to have an outside L3 interface also receiving an IP from that DHCP, and to use it to NAT all devices from port 2. It would all be easy with many ports and a switch; are there solutions without them? The topology is just for reference, where the yellow switch is a hypothetical virtual switch inside the firewall; I don't know which way is the right way to do this. (Blue devices in the topology are not under my control.)

[Attached image: Multiport hypothesis.png]


Accepted Solutions
L1 Bithead

I think I found the solution: ports 1 and 2 L2 together, the virtual router attached to port 2 also attached as a VLAN interface with a DHCP client. Not sure if it works, going to test later. Just posting in case somebody is interested.

Just tested it and it works great with ports 1 and 2 as L2 interfaces and an L3 VLAN interface attached to the same bridge.


All Replies
Cyber Elite

@Netstaff,

The feature that you are looking for is called DHCP-Relay.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFXCA0

L1 Bithead

Hello. Getting an address is just half the story. All devices need to have the ability to communicate with each other. I don't exactly understand how it will work. And I can't test it until Friday... So sorry, this is an absolutely hypothetical situation, this is not useful at all, and if you don't want to have some fun, don't waste your time.

So let's imagine a situation:

1. all addresses are /24

2. Port 1 is a layer 3 port and gets 192.168.0.2 from DHCP

3. The server gets 192.168.0.3 from DHCP relay

Now the server needs to communicate with the ISP, but it's only connected to port 3

4. Port 3 also needs to be in the same subnet as the server, so... it gets an IP from DHCP relay and gets address 192.168.0.4

At this point wouldn't virtual router detect that 192.168.0.0/24 network is accessible from 2 different interfaces and start to panic? 

Cyber Elite

@Netstaff,

You didn't say that you wanted the solution completely built out for you, so I didn't. The answer to your original question is absolutely; you would achieve this by doing the following.

  1. Leave ethernet1/1 as you already have it configured.
  2. Configure ethernet1/3 as a layer3 interface, create a new zone for your server, and set up DHCP-Relay so that the server's DHCP requests are relayed to the ISP.
  3. You'll need to create a DHCP reservation for your server or be constantly updating the following if the server refreshes its IP address.
  4. On your route table you simply need to define a route to your server, hypothetically let's call it 192.168.0.4/32, so that a more defined route is installed. Traffic, like any routing table, will take the more defined route.
  5. Configure the proper security rulebase entries so that traffic is allowed/denied as required.


- You don't necessarily need to configure ethernet1/3 as layer3, but since ethernet1/2 is layer3 already it helps keep a unified configuration.

L1 Bithead

"or be constantly updating the following"

 

By using which method?

Cyber Elite

@Netstaff,

Any method you use to configure the firewall (API, CLI, or GUI). You can't use an FQDN in your static-routes so the firewall isn't able to do this for you. I would personally recommend the reservation; if you can't do that you'll probably want to create a script on the server that monitors what IP address it currently has, and when it changes you can use the API to update the route statement that you created to the new IP address and commit the change. 
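A sketch of the route-update script described in the reply above, added here as an example; it is not code from the thread or from Palo Alto Networks. It assumes a Linux server (the `ip` command on `eth0`), a PAN-OS XML API key, and placeholder firewall/virtual-router/route names; the XPath and the `type=config&action=set` / `type=commit` calls are the standard PAN-OS XML API calls as I know them, so check them against your PAN-OS version.

```python
import ipaddress
import re
import subprocess
import time
import urllib.parse
import urllib.request

# Assumed values, not from the thread: firewall host, API key, route/VR names.
FIREWALL = "fw.example.test"
API_KEY = "REPLACE_WITH_API_KEY"       # generate with type=keygen; keep it out of the repo
VR_NAME = "default"
ROUTE_NAME = "to-server"
SERVER_IFACE = "ethernet1/3"           # firewall port the server hangs off (from the thread)
ROUTE_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
               f"/network/virtual-router/entry[@name='{VR_NAME}']"
               f"/routing-table/ip/static-route/entry[@name='{ROUTE_NAME}']")

def parse_ip_addr(output):
    """Pull the IPv4 address out of `ip -4 -o addr show dev <if>` output (Linux assumed)."""
    m = re.search(r"\binet (\d+\.\d+\.\d+\.\d+)/\d+", output)
    return m.group(1) if m else None

def local_ip(ifname):
    out = subprocess.run(["ip", "-4", "-o", "addr", "show", "dev", ifname],
                         capture_output=True, text=True, check=False).stdout
    return parse_ip_addr(out)

def urls_for_change(previous, current):
    """Return the two API calls (set the /32 route, then commit) needed when the IP
    changed, or [] when nothing needs doing. An invalid address raises ValueError."""
    if current is None or current == previous:
        return []
    dest = f"{ipaddress.IPv4Address(current)}/32"      # validates the string first
    element = f"<destination>{dest}</destination><interface>{SERVER_IFACE}</interface>"
    set_q = {"type": "config", "action": "set", "xpath": ROUTE_XPATH,
             "element": element, "key": API_KEY}
    commit_q = {"type": "commit", "cmd": "<commit></commit>", "key": API_KEY}
    return [f"https://{FIREWALL}/api/?{urllib.parse.urlencode(q)}" for q in (set_q, commit_q)]

if __name__ == "__main__":
    last = None
    while True:   # poll once a minute; the firewall's TLS cert must be trusted by this host
        ip = local_ip("eth0")
        for url in urls_for_change(last, ip):
            print(urllib.request.urlopen(url, timeout=30).read(200))
        last = ip or last
        time.sleep(60)
```

The API key is sent as a query parameter, so restrict that key's admin role to the route and commit it needs and keep the script's traffic to the management interface.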

L1 Bithead

Manually? With a script? I'm sorry I did not give an accurate description of the problem. I knew that there are a thousand unnecessarily difficult ways to do it; I would have preferred to ask if there is an elegant technology especially for this. Like if Palo Alto could connect its virtual routers to the virtual switch with virtual interfaces and monitored interface traffic.

Cyber Elite

@Netstaff,

Ideally you would monitor the IP on the server, updating it when necessary, with a script running directly on that server instead of doing it manually. 

"Like if Palo Alto could connect its virtual routers to the virtual switch with virtual interfaces and monitored interface traffic."

The firewall is capable of providing routed interfaces, that's it. The firewall was never designed to act like a switch.
