Most common design with Cisco Networking?

Hi Folks,

 

We currently use our PA 3020 firewalls with Layer 3 interfaces, Internet plugged in directly, and doing all the routing for our network.  Learned routing from L3 interfaces and manual static route entry.  No routing protocols at all.  We have old HP switches downstream, all Layer 2 function, and HP servers beyond that.

 

We are getting ready to have Cisco UCS installed to replace everything, except our PA firewalls.

The question is coming up, "Do you want to move all of the routing into the Cisco equipment?".

 

I've been reviewing this document, and it seems that if we were to do that, vWire would be the most common option?

 

https://live.paloaltonetworks.com/t5/Integration-Articles/Designing-Networks-with-Palo-Alto-Networks...

 

I'm not sure if we are ready to overhaul our network, but I'm asking for comments from the community to see if there is a best practice approach to our upcoming project.



Reading this post I thought it was myself asking this same question almost 3 years ago. 

 

Up until recently I have had a similar infrastructure (vWire) between our users and our data center to control internal traffic with security policies.  While vWire may be "supported", there are definitely a lot of caveats, and they are the reasons why we are moving to L3 routed interfaces on the Palo Alto.

 

Issues with vWire we experienced:

  • PAN-OS 7.1.3 - 7.1.17 versions tested

  • Cisco port-channeling (PAgP, LACP) will work over vWire interfaces (if tag 0 is allowed); however, be prepared for asymmetrical traffic to be received on the firewall.  Even though we enabled features like allowing non-SYN traffic, there was odd traffic behavior and occasional random drops of sessions.

  • Active/Active vWire, along with Cisco port-channeling, caused not only asymmetrical traffic but increased TCP response times on traffic.  Even after multiple cases and debug sessions with Palo Alto we were never able to get this resolved, so we moved to an Active/Passive configuration.

  • Active/Passive vWire, along with Cisco port-channeling, caused issues with failover, as we could never get LACP pre-negotiation features to work correctly, so there was always a loss of traffic when we failed over.  Supposedly this was supported in vWire, but we could not get it to work correctly.

As of now we are running all of our L3 traffic on PA-5220 firewalls at the center, which allows us to analyze any North-South traffic from any attached subinterface or VLAN, which is working fantastic.  Failover to our passive firewall is working as expected with sub-second delay (I lose 1 ping).

If I were you, I would analyze how much inter-VLAN routing you really need to do in the UCS and decide if you want to hairpin it off of the Palo Alto or create local routing.  My opinion, based on the world as it is now: visibility is everything.  Just my two cents.

 

I hope this helps.


-Matt

Hello,

I agree with @mlinsemier, visibility is everything. I've heard, and used to hear a lot, that the firewall should not be the center of your network. However, with the zero trust models, this is no longer true(ish). As long as the PAN has the capacity to handle the traffic, then yes, it can be the center of your network and you'll have tons of visibility.

 

Hope that helps.

We are trying to get away from the switches doing the routing and put the Palo as the core router for the LAN (not something I would have done 3-4 years ago).

 

With that in place we will be able to control intra-zone traffic and segregate the LAN, thus improving security and reducing the ability of an attack to propagate.

 

Rob

 

 

@RobinClayton

I agree with you 100% with what you are thinking, down to the fact that I too would have never thought about doing it this way 3-4 years ago.

 

We are utilizing the Palo Alto in this L3 capacity in our data centers, as well as doing router-on-a-stick in our remote offices on PA-220s (as there isn't a bunch of north-south traffic between VLANs), and it has certainly improved not only our security posture but our visibility as well.  We're able to lock down all north-south traffic where necessary.

 

I will point out that we are not doing any dynamic routing at the core (yet), but will be looking at OSPF here shortly for a few route exchanges with other appliances.  I have heard that BGP can be a little fussy and has had some bugs that have caused it to not be as reliable as OSPF, but that's hearsay from a few peers and engineers.

 

- Matt

Thank you folks for all this feedback.  Very helpful.

This makes me lean more toward minimal changes to our firewall networking when we install UCS.

 

Maybe we enable OSPF between our firewalls to communicate routes, but I am not sure even that is necessary, since we are so small and just don't have a bunch of routes to manage.
