This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Moving some connections to the New PA

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Moving some connections to the New PA

Go to solution
MP18
Cyber Elite
Cyber Elite

‎03-21-2019 06:05 PM

 

We have this setup for one site 

 

------Dis sw--------------Edge switch stack of 3 ----------40 users 

 

we need to move few users behind the PA  .

 

what can be best design for this as we only need to have 5 to 10 users behind the PA  850.?

 

Should we connect small switch to the existing stack of switch ?

 

 

 

 

 

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to MP18

‎03-22-2019 01:44 PM

@MP18,

If you only have a single connection to use on the PA you would be looking at doing a network TAP, which has limited capabilities, so I would really recommend the vwire setup if you want to do that. 

View solution in original post

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to BorisJones

‎03-24-2019 10:22 AM - edited ‎03-24-2019 10:26 AM

Seems best way to do is 

 

create vwire for both uplink connections.

 

here we will have 2 pair of vwires- Vwire INT and Vwire EXT

Two Zones trust and untrust

PA will pass all the LAG traffic  to dis switch from both zone trust zones.

 

As PA is passing traffic from both source interfaces of trust Zone and allowing return traffic from 2 dis switches we need to enable the option where PA allows asymm traffic

 

set deviceconfig setting tcp asymmetric-path bypass
# set deviceconfig setting session tcp-reject-non-syn no

 

MP

Help the community: Like helpful comments and mark solutions.

View solution in original post

(1)
15 REPLIES 15

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎03-21-2019 07:30 PM

Hello,

How about a vlan and/or a subnet that routes via the PAN?

 

I'm sure there are many different options. I would also love to hear what the community has to say.

 

Regards,

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to OtakarKlier

‎03-22-2019 11:52 AM

@MP18 ,

A dedicated VLAN that routes through the PA would be what I would do, as it doesn't require any additional hardware and should be easy to maintain and update. It also doesn't require that you have someone on-site to migrate connections over to the new switch, you simply update the port configuration and assign it to the new VLAN. 

0 Likes Likes

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to BPry

‎03-22-2019 12:23 PM

can we put this PA in vwire mode between the switches?

 

curently edge switch has 2 upliks that go to dis switch.

 

for the vwire to work it work in pairs

can i work with single connection for send and receive traffic?

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to MP18

‎03-22-2019 01:33 PM

Hello,

Can you provide a basic diagram? Somthing like:

 

switch-->router-->PAN

 

Please advise,

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to MP18

‎03-22-2019 01:44 PM

@MP18,

If you only have a single connection to use on the PA you would be looking at doing a network TAP, which has limited capabilities, so I would really recommend the vwire setup if you want to do that. 

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to BPry

‎03-22-2019 02:04 PM

But for Vwire I will need to set of cables right  but in current setup it is not possible right?

 

 

here is diagram attached

 

 

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to OtakarKlier

‎03-22-2019 02:06 PM

how can i add visio or pdf diagram ?

 

system does not allow me

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to OtakarKlier

‎03-22-2019 02:10 PM

scrren shot of diagram

 

Capture.PNG

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to MP18

‎03-22-2019 03:01 PM

Hello,

Where is the PAN located in the diagram or is that your question?

 

Please advies,

0 Likes Likes

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to OtakarKlier

‎03-23-2019 07:59 AM

PAN will come between the edge switches and Dis switch.

 

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to BPry

‎03-23-2019 09:12 AM

I have attached the diagram.

 

PA will be in between edge and dis switch.

 

Currenly edge switch only has 1 layer 3 interface which is for sw management access.

 

config on switch 

 

ip static-route 0.0.0.0/0 gateway 10.10.230.50-------------------------management network

10.10.230.x has vlan interface 3100

 

Edge switch has trunk interface  with link agg to dis switch  carrying below vlans

 

show 802.1q 1

Tagged VLANS Internal Description
-------------+------------------------------------------+
851 Raw 192.168.200.0
3100 mgmt-subnet 10.10.230.0
3203 corp-data-subnet 10.63.24.0
3303 voice-subnet 10.63.26.0
3403 corp-video-subnet 10.63.25.0

 

 

what config i will need on PA to allow traffic from edge switch to dis switch carrying trunk port with lacp?

 

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
BorisJones
L1 Bithead

‎03-24-2019 01:08 AM

I have same problems. Who can help me?

0 Likes Likes

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to BorisJones

‎03-24-2019 10:22 AM - edited ‎03-24-2019 10:26 AM

Seems best way to do is 

 

create vwire for both uplink connections.

 

here we will have 2 pair of vwires- Vwire INT and Vwire EXT

Two Zones trust and untrust

PA will pass all the LAG traffic  to dis switch from both zone trust zones.

 

As PA is passing traffic from both source interfaces of trust Zone and allowing return traffic from 2 dis switches we need to enable the option where PA allows asymm traffic

 

set deviceconfig setting tcp asymmetric-path bypass
# set deviceconfig setting session tcp-reject-non-syn no

 

MP

Help the community: Like helpful comments and mark solutions.
(1)

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to BPry

‎04-06-2019 02:45 PM

did the vwire setup and it worked great.

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 2 accepted solutions
  • 4730 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks