PA-3020 L2/VW Config Help

Reply
Highlighted
L1 Bithead

PA-3020 L2/VW Config Help

Hello,

 

I just recently purchased a pair of PA-3020’s and I am having some trouble with Layer 2 / Virtual Wire interfaces. I am trying to create a network with multiple segments for both servers and workstations. I will have several “standard” segments using layer 3 interfaces and virtual routers with private addressing and NAT but I also wanted to create an “Edge” network behind the firewall for our publically addressable servers. This edge network would ideally allow devices plugged into it to use the same public IP space that the external layer 3 interfaces on the firewall use. Other devices not behind the firewall would also be able to use this IP space.

 

Here is a hasty Visio drawing of what I am trying to accomplish. The top drawing shows the logical network and the bottom drawing roughly shows how the wires are physically connected.

 

EM-NewNetwork-SanitizedOverview.jpg

I am very new with Palo Alto firewalls and so I am looking for some help. First, is something like this even possible? With a virtual wire or a layer 2 interface it seems like it should be very possible but when I have tried those it has led to serious problems. With both configurations I would see a momentary drop in all network traffic on the public IP space, even for other devices, for about 10 seconds and then things would start working again however the firewall would start to see all kinds of traffic that is not destined to it or anything plugged into it but instead is destined for a different device on the public network.

 

The drop in network traffic affecting devices external to the Palo Alto makes me think that some kind of loop is being created which causes the network to fail until Spanning Tree kicks in and fixes it, but I am not sure about that. Everything runs through a single switch stack using different untagged access VLANs (see drawing) so it should not be creating a loop. I will eventually use HA on the PA-3020s but at the moment are just working with one so should be no loop there either.

 

Anyone have any ideas?

 

Thanks you.


Accepted Solutions
Highlighted
L1 Bithead

This was resolved by disabling Spanning Tree on the switch ports that the firewall's layer 2 interfaces plug into. This stopped the BPDU packets and so did not cause any port blocking and packet loss when the layer 2 interfaces were configured on the firewall. I can only assume at this point but it would seem that this was a problem because I was plugging bother layer 2 interfaces into the same switch and the default configuration of Spanning Tree does not account for VLANs. Even though it is working the firewall will still see some traffic that is not intended for it but this only happens sporadically and does not appear to be causing any problems; I just setup a policy to silently drop intrazone traffic on the untrusted layer 2 zone.

 

I am curious though at the lack of responses to this thread, is this an uncommon interface deployment scenario? Am I doing this all wrong? What I wanted was what would have been called 'pass-through' on the Cisco ASA platform where the devices (servers) behind the firewall are using public IPs directly without any NAT. From what I have learned so far with the Palo Altos is that this is achieved using Layer 2 or Virtual Wire interfaces.

 

As I was writing the above paragraph it actually came to me, this is just a simple routing setup. The reason I didn't think of this before, or perhaps I did and discarded it, is because my current public IP space is shared with many other groups and there are no clean routes that I can define just for my network meaning I would have to define several ranges and in some cases individual IPs as static routes. I also have no control over the router in the public IP space and would not be able to add routes to it meaning I would have to create NAT rules so that the firewall would use proxy ARP for those IPs. It would get very messy very quick. Working on fixing the public IP space but that is a big project as all my public IPs will change which is annoying.

 

If anyone has any suggestions.... :)

 

Thanks

View solution in original post

Tags (1)

All Replies
Highlighted
L5 Sessionator

Hmm, strange design.

Ok, you have one network segment of public IPs (1.1.1.0/24)

Why is PA connected to that network over 2 interfaces? For redundany make AE (etherchannel) interface with single IP. If you need more IPs on PA in that segment you can put them on single Layer2 interface (let's say 1.1.1.2/24 and 1.1.1.3/32 can easily be on same L3 interface on PA)

Why is VLAN ID for 1.1.1.0/24 once 100 and once 400?

 

 

Highlighted
L5 Sessionator

Ahh you have 2 seperate vsys and each vsys has 1 WAN and 1 LAN interface I guess? That's why 2 interfaces in 1.1.1.0/24?

 

Basicaly you can think of pair of virtual-wire interfaces as a wire; no IP address, no MAC address, what comes in on one interface goes out on other and vice versa.

 

 

 

 

Highlighted
L1 Bithead

Correct on the vsys. I put those in the drawing just to show that they are there, I don't think they contribute to the issue I am having. Vsys1 has two interfaces into 1.1.1.0/24 (one for Layer 3 and one for the Layer 2/VW I am trying to do) and the other vsys has one layer 3 interface. 1.1.1.0/24 is in both VLAN 100 and 400 because VLAN 100 is in front of the firewall and VLAN 400 is behind the firewall but both VLANs use the same IP space.

 

That is what I thought as well with the virtual wire. However, when I tried to use that as soon as I hit commit on the PA all traffic in VLAN 100 stopped included traffic to other devices (including that second generic firewall with the IP 1.1.1.1) for about 10 seconds. After that brief outage things started working again but then the PA was seeing all kinds of traffic including traffic that should have been going to the second firewall.

 

I then tried the same configuration with a Layer 2 interface and got the same results.

Highlighted
L1 Bithead

From what I have found so far this is more the switch than anything. Since the firewall plugs into the same switch on both ends of the layer 2 network it sees its own BPDU packets and so puts the ports into blocking mode while it recalculates the tree. However, this does not explain the other firewall losing its connectivity. I will likely rethink this design or look into enabling PVST on the switch so that Spanning Tree is calculated per VLAN. 

Highlighted
L1 Bithead

This was resolved by disabling Spanning Tree on the switch ports that the firewall's layer 2 interfaces plug into. This stopped the BPDU packets and so did not cause any port blocking and packet loss when the layer 2 interfaces were configured on the firewall. I can only assume at this point but it would seem that this was a problem because I was plugging bother layer 2 interfaces into the same switch and the default configuration of Spanning Tree does not account for VLANs. Even though it is working the firewall will still see some traffic that is not intended for it but this only happens sporadically and does not appear to be causing any problems; I just setup a policy to silently drop intrazone traffic on the untrusted layer 2 zone.

 

I am curious though at the lack of responses to this thread, is this an uncommon interface deployment scenario? Am I doing this all wrong? What I wanted was what would have been called 'pass-through' on the Cisco ASA platform where the devices (servers) behind the firewall are using public IPs directly without any NAT. From what I have learned so far with the Palo Altos is that this is achieved using Layer 2 or Virtual Wire interfaces.

 

As I was writing the above paragraph it actually came to me, this is just a simple routing setup. The reason I didn't think of this before, or perhaps I did and discarded it, is because my current public IP space is shared with many other groups and there are no clean routes that I can define just for my network meaning I would have to define several ranges and in some cases individual IPs as static routes. I also have no control over the router in the public IP space and would not be able to add routes to it meaning I would have to create NAT rules so that the firewall would use proxy ARP for those IPs. It would get very messy very quick. Working on fixing the public IP space but that is a big project as all my public IPs will change which is annoying.

 

If anyone has any suggestions.... :)

 

Thanks

View solution in original post

Tags (1)
Highlighted
L7 Applicator

Assuming you're running PAN-OS 7.0.x (or 6.x), there was a new feature introduced in 7.1 to enhance your firewall's compatibility with PVST+ when doing vlan tag re-write:

 - https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/networking-features/per-vl...

 

I'm not necessarily recommending upgrading to 7.1 just yet, but something to look foward to.  

Highlighted
L1 Bithead

Thanks! I do currently have the firewalls on 7.1 but do not currently use PVST (I also use Dell switches but they support PVST). However, it is great to know this is available and that page you linked to has some great information. Thanks again.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!