
PA in VWire mode between trunked ports

L4 Transporter

Greetings,

Before I get to the matter: I have browsed through the discussions and did find solutions, but I am unable to understand a few concepts.

I have a scenario where:

1. The present firewall is a virtual firewall hosted on an ESXi Server.

2. Links are from Core to the ESXi Server.

3. Two ports used on the ESXi Server are trunked ports.

4. The Palo Alto will have to be placed in-line between the Core and the ESXi Server.

I have 4 interfaces configured for VWire (2 for trust and 2 for untrust). Now, since the two ethernet cables are trunked, how can I get the Palo Alto to send traffic through? After reading a few documents on the portal, I understand that we can use "Tag" in the VWire profile.

This is where I am confused between tag / untagged and trunk ports.

What and how should I have to configure for PA to allow traffic to go through the ESXi server? Apologies, I know this is a very stupid question.  Always learning though.

Any suggestions will be helpful.

Many Thanks

Kalyan


L5 Sessionator

To allow specific VLAN tags, add that tag number under the 'Tag Allowed' field in the Vwire. For a trunk to be passed through, allow all tags '0-4094'. [Network > Virtual Wires > click on the desired Vwire > Tag Allowed > type in 0-4094 to allow trunked traffic.]

Ref: https://live.paloaltonetworks.com/docs/DOC-2729


-Ameya

L3 Networker

So if I understand, by trunked ports you are talking about link aggregation, right? So if ae1 faces the core and ae2 faces the esx host, configure 2 ethernet interfaces per aggregate interface. Maybe like this?

set network interface ethernet ethernet1/4 aggregate-group ae1
set network interface ethernet ethernet1/4 link-speed auto
set network interface ethernet ethernet1/4 link-duplex auto
set network interface ethernet ethernet1/4 link-state auto
set network interface ethernet ethernet1/5 aggregate-group ae1
set network interface ethernet ethernet1/5 link-speed auto
set network interface ethernet ethernet1/5 link-duplex auto
set network interface ethernet ethernet1/5 link-state auto
set network interface ethernet ethernet1/6 aggregate-group ae2
set network interface ethernet ethernet1/6 link-speed auto
set network interface ethernet ethernet1/6 link-duplex auto
set network interface ethernet ethernet1/6 link-state auto
set network interface ethernet ethernet1/7 aggregate-group ae2
set network interface ethernet ethernet1/7 link-speed auto
set network interface ethernet ethernet1/7 link-duplex auto
set network interface ethernet ethernet1/7 link-state auto

Then set up the ae interfaces:

set network interface aggregate-ethernet ae1 comment in
set network interface aggregate-ethernet ae1 virtual-wire
set network interface aggregate-ethernet ae2 comment out
set network interface aggregate-ethernet ae2 virtual-wire

Zones... however it makes sense.

set zone trust network virtual-wire ae1
set zone untrust network virtual-wire ae2

Then set what vlans you want to carry on the virtual wire:

set network virtual-wire vw-esx multicast-firewalling enable no
set network virtual-wire vw-esx link-state-pass-through enable yes
set network virtual-wire vw-esx tag-allowed 10,20,30
set network virtual-wire vw-esx interface1 ae1
set network virtual-wire vw-esx interface2 ae2

Good luck,

Mike
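Both answers above hinge on the same detail: the vwire's 'Tag Allowed' list must include every VLAN the trunk actually carries, with tag 0 standing for untagged frames (the switch's native VLAN), or those frames are dropped. The following check is an added example written for this thread, not code from Palo Alto Networks or from either poster; the tag-list syntax it parses ("10,20,30", "0-4094") is the one used in the posts, and the trunk VLAN list and native VLAN are constructed inputs.

```python
"""Compare a PAN-OS vwire 'Tag Allowed' list against the VLANs on a trunk.

Added example for this thread (not PAN-OS code). Tag 0 in the vwire list
means untagged frames, so a trunk's native VLAN must be matched as 0.
"""
from typing import Optional, Set, List


def parse_tag_list(spec: str) -> Set[int]:
    """Expand "10,20,30" or "0-4094" (commas and ranges) into a set of tags.

    Cisco 'switchport trunk allowed vlan' lists use the same shape, so the
    same parser serves both sides of the comparison.
    """
    tags: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"range {part!r} runs backwards")
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 4094:
            raise ValueError(f"tag(s) in {part!r} fall outside 0-4094")
        tags.update(range(lo, hi + 1))
    return tags


def uncovered_vlans(vwire_tag_allowed: str, trunk_vlans: str,
                    native_vlan: Optional[int] = 1) -> List[int]:
    """Return the VLANs on the trunk that the vwire would drop.

    native_vlan: the VLAN the switch sends untagged (Cisco default 1).
    If it is carried on the trunk, the vwire sees it as tag 0, not as its
    VLAN number, so the check substitutes 0 for it before comparing.
    """
    allowed = parse_tag_list(vwire_tag_allowed)
    needed = parse_tag_list(trunk_vlans)
    if native_vlan is not None and native_vlan in needed:
        needed.discard(native_vlan)
        needed.add(0)
    return sorted(needed - allowed)


if __name__ == "__main__":
    # Constructed trunk: VLANs 1 (native, untagged), 10, 20, 30 and 40.
    print(uncovered_vlans("10,20,30", "1,10,20,30,40"))   # [0, 40]
    print(uncovered_vlans("0-4094", "1,10,20,30,40"))     # []
```

A non-empty result is the list of tags to add to the vwire (0 for untagged traffic), and an empty result with "0-4094" confirms Ameya's pass-everything setting.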

Ameya - This does not help mate.. since it is link aggregation.

Mike - I will be testing your suggestion shortly.  Hopefully it works.

Cheers..

K

It completely slipped out of my mind. I am using a PA-500 and link aggregation is not supported on the PA-500 :) unless I upgrade to version 5.0. My BAD...!!!

Am I correct in thinking that Link aggregation is supported on the PA-500 in version 5.0..??

At least according to the release notes for 5.0.0 (regarding new networking features):

"Link Aggregation – The PA-500 and PA-2000 Series devices now support link aggregation. Note that link aggregation on virtual wire interfaces is not supported on the PA-2000 Series due to a hardware limitation. By assigning common ingress and common egress zones, two or more virtual wires may still be used on the PA-2000 Series in environments where adjacent devices are performing link aggregation."

L4 Transporter

True.. I read it as well. But I was unsure whether I should proceed with this or not by upgrading to v5, as the Palo Alto will be sitting in-line in virtual wire mode.

How about this one: Cisco Link Aggregation Traffic Through a PAN Device

Make sure you configure exactly the same zone in the two vwires.
