PA-220 with multiple switch connections with same vlan


Hello,

 

I have a setup like this to provide some redundancy to a PA-220 firewall but have some questions about how to best configure.

[image: LYTOT_0-1736994719525.png (network diagram: PA-220 ports 1 and 2 to the Cisco 9200 and Aruba 6300M, VLAN 200, firewall address 192.168.1.10)]

What I have tried doing is setting PA-220 Port 1 and 2 to be Layer 2 with a common VLAN vlan.200 with the IP as shown.  This has worked fine.

 

Port 1 is connected to a Cisco 9200 configured as an access port for vlan 200, Port 2 is connected to a HP Aruba 6300M as an access port for vlan 200.

 

Plugging this in with all ports enabled works perfectly fine and connectivity to 192.168.1.10 is available, but of course STP blocks a port because of a detected loop, which was not unexpected.  In this case the Aruba has detected the loop and then blocked and disabled its port.

 

Disabling the port on the Cisco manually of course cuts off the PA-220, but the Aruba will not resume communication without manually re-enabling the port.

 

Whilst this works, I've currently shut the port on the 9200 so that it effectively has only one communication path, and in the event of a failure of the link from, or of, the Aruba switch someone would have to manually enable the port on the 9200, which isn't ideal.

 

Is it possible to do this better with the PA-220 with the existing hardware?  Any suggestions?

 

Appreciate any feedback.

 

Regards,

 

T.

 


@LYT-OT,

You can't utilize HSRP since you have a mixed Cisco/Aruba environment, but the 9200 should support VRRP to accomplish the same shared virtual IP. I would personally stop doing layer2 interfaces on your firewall and convert them all to layer3, set up VRRP and ensure it's working so that you can have a shared gateway for routes, and be done with it.

@BPry, Thank you for your reply, much appreciated.

 

Taking this onboard I deleted the two Layer 2 interfaces and tried setting them up as Layer 3 but could not work out how to make them function together with the vlan and virtual router(s).  I tried all sorts of things but just couldn't work it out.

 

What I have done though is got a single Layer 3 port set up connecting to the Aruba as a trunk port.  Then this port has a sub-interface for the vlan with the required IP and a virtual router using this sub-interface as its default route.

 

This works great, but again only the single port. 

 

I know at the end of the day it is only a single PA-220 and this might be overkill but it would be nice to be able to do this if we can?    

 

If you could elaborate a little more how you would expand this to using 2 ports to the two switches that would be helpful and appreciated.

 

Regards,

 

T.

 


@LYT-OT,

Did you set up VRRP across the Cisco and Aruba devices and ensure that election for the virtual IP is working appropriately? This is going to be pretty vital to making sure that the routing can function appropriately and fail over between devices. Skipping this step essentially means you'll be back to where you started.

 

"What I have done though is got a single Layer 3 port set up connecting to the Aruba as a trunk port. Then this port has a sub-interface for the vlan with the required IP and a virtual router using this sub-interface as its default route."

The way you have things diagrammed above, you don't need to complicate things if you're using the interface to pass a single VLAN to the PA-220. On the interfaces feeding the PA-220 there's no reason not to just have them as access ports when you make the layer3 switch, looking at what you have provided. Even if you were using a trunk on the switch side to feed across multiple VLANs over a single port, you just want a tagged subinterface for each VLAN.

 

"Layer 3 but could not work out how to make them function together with the vlan and virtual router(s)."

Do you have multiple VRs?

 

 

The gist of this setup is that you need to have VRRP working across the switches to create the shared gateway IP so that failover doesn't need any sort of route update. Once you have that shared virtual IP to utilize as a gateway, you would set up a route on the PA-220 to direct the traffic to the virtual IP. That way your PA-220 knows where to send the traffic, and your switches would have the default gateway for VLAN 200 set up as 192.168.1.10 as described in the diagram that you listed above.

On the interface side of things you'd set up an aggregate layer3 interface using that 192.168.1.10 address and place both interfaces connected to the Cisco and Aruba switches as members of the aggregate. You would generally want to set up LACP, but in your situation that isn't available because you're mixing vendors. That's "fine" since the setup is basic, and the port going down if the switch is offline will still stop the PA-220 from using it for traffic.

On the switch (Aruba/Cisco) interface configuration you can either keep this as a trunk or simplify things and just have it set up as an access interface to feed the aggregate. There's no pressing reason to utilize one or the other in this simple of a configuration; the benefit of using a trunk would be that you could easily add additional VLANs going forward without any significant changes, but an access interface when you're only feeding a single VLAN works just as well. You don't use an actual VLAN interface on the PA-220 side of things; if it's an access port you simply configure the layer3 interface and allocate the IP you want directly, and if you utilize a trunk you would create a subinterface under the layer3 interface.

 

 

 

 

 

To possibly help explain things a bit better; if you utilize an access interface on the switch side of things, you would essentially have an aggregate interface that looks like this:

[image: Screenshot 2025-01-19 222040.png (PA-220 aggregate layer3 interface with the IP assigned directly, no subinterface)]
Note that you aren't using any sort of VLAN interface, a tagged subinterface, or anything of the sort.

 

On the other hand if you're using a trunk interface because you want to move across multiple VLANs on a single aggregate, then it would look something like this:
[image: Screenshot 2025-01-19 222446.png (PA-220 aggregate interface with tagged layer3 subinterfaces, one per trunked VLAN)]
Note that you still aren't using any sort of VLAN interface on the PA-220. You're simply creating subinterfaces under the aggregate group that are tagged to match the VLAN you are trunking across. The "benefit" of this configuration if you're only using a single VLAN on the PA-220 like in your example is that there's less work needed if your needs change going forward. Say you had another VLAN that you needed on the PA-220, you would simply update the trunks on your switches and then add another subinterface to account for things on the PA-220.
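The recommendation in the reply above, written out as concrete configuration. This is an added example and is not from the thread, the poster, or Palo Alto Networks: the two switches run VRRP for a shared VLAN 200 gateway, and the firewall points a static route at that virtual address through an aggregate interface whose members are the ports to each switch. The firewall address 192.168.1.10 and VLAN 200 come from the thread; the switch SVI addresses (192.168.1.2 and 192.168.1.3), the virtual IP 192.168.1.1, the VRRP group number, the switch port numbers, the zone name "inside" and the route name are assumptions chosen for the example. The access-port variant is shown, with the trunk variant as alternate firewall lines; `!` lines are annotations, not commands. Whether the aggregate-group commands are accepted depends on the firewall model, so check interface support for your platform before relying on them.

```text
! ===== Cisco Catalyst 9200 (IOS-XE), assumed SVI 192.168.1.2, VRRP master =====
ip routing
fhrp version vrrp v3
!
interface Vlan200
 ip address 192.168.1.2 255.255.255.0
 vrrp 200 address-family ipv4
  address 192.168.1.1 primary
  priority 120
  preempt
  exit-vrrp
!
! Port facing PA-220 port 1: plain access port, single VLAN, no trunk needed
interface GigabitEthernet1/0/1
 description PA-220 port 1
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
!
! ===== Aruba 6300M (AOS-CX), assumed SVI 192.168.1.3, VRRP backup =====
interface vlan 200
    ip address 192.168.1.3/24
    vrrp 200 address-family ipv4
        address 192.168.1.1
        priority 100
        preempt
        no shutdown
!
! Port facing PA-220 port 2: access port in VLAN 200
interface 1/1/1
    description PA-220 port 2
    no shutdown
    vlan access 200
    spanning-tree port-type admin-edge
!
! ===== PA-220 (PAN-OS configure mode, set commands) =====
! Aggregate layer3 interface carrying the firewall address directly (access-port variant)
set network interface aggregate-ethernet ae1 layer3 ip 192.168.1.10/24
set network interface ethernet ethernet1/1 aggregate-group ae1
set network interface ethernet ethernet1/2 aggregate-group ae1
set zone inside network layer3 ae1
set network virtual-router default interface ae1
! Default route to the VRRP virtual IP; failover between switches needs no route change
set network virtual-router default routing-table ip static-route to-vlan200-gw destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route to-vlan200-gw interface ae1
set network virtual-router default routing-table ip static-route to-vlan200-gw nexthop ip-address 192.168.1.1
!
! Trunk variant: replace the "ae1 layer3 ip" line and the zone/VR/route interface with a tagged subinterface
! set network interface aggregate-ethernet ae1 layer3 units ae1.200 tag 200
! set network interface aggregate-ethernet ae1 layer3 units ae1.200 ip 192.168.1.10/24
! set zone inside network layer3 ae1.200
! set network virtual-router default interface ae1.200
! (and switch-side: "switchport mode trunk" / "vlan trunk allowed 200" instead of the access lines)
```

After commit, verify on each switch that exactly one of them reports the VRRP master role for group 200 (for example `show vrrp brief` on the 9200 and `show vrrp` on the 6300M), then from the firewall ping 192.168.1.1 and pull the cable to the master's PA-220 port: the ping should continue via the other member once the backup takes over the virtual address. The inter-switch link must carry VLAN 200 for VRRP hellos to pass; if the two switches cannot see each other on that VLAN both will claim master and the shared address stops being shared.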
