Before I get to the matter: I have browsed through the discussions and did find solutions, but I am unable to understand a few concepts.
I have a scenario where:
1. The present firewall is a virtual firewall hosted on an ESXi Server.
2. Links are from Core to the ESXi Server.
3. Two ports used on the ESXi Server are trunked ports.
4. The Palo Alto will have to be placed in-line between the Core and the ESXi Server.
I have 4 interfaces configured for VWire (2 for trust and 2 for untrust). Now, since the two Ethernet cables are trunked, how can I get the Palo Alto to send traffic through? After reading a few documents on the portal, I understand that we can use "Tag" in the VWire profile.
This is where I am confused between tag / untagged and trunk ports.
What and how should I have to configure for PA to allow traffic to go through the ESXi server? Apologies, I know this is a very stupid question. Always learning though.
Any suggestions will be helpful.
To allow specific VLAN tags, add that tag number under the 'Tag Allowed' field in the VWire. For a trunk to be passed through, allow all tags '0-4094'. [Network > Virtual Wires > click on the desired VWire > Tag Allowed > type in 0-4094 to allow trunked traffic.]
So if I understand, by trunked ports you are talking about link aggregation, right? So if ae1 faces the core and ae2 faces the ESX host, configure 2 ethernet interfaces per aggregate interface. Maybe like this?
set network interface ethernet ethernet1/4 aggregate-group ae1
set network interface ethernet ethernet1/4 link-speed auto
set network interface ethernet ethernet1/4 link-duplex auto
set network interface ethernet ethernet1/4 link-state auto
set network interface ethernet ethernet1/5 aggregate-group ae1
set network interface ethernet ethernet1/5 link-speed auto
set network interface ethernet ethernet1/5 link-duplex auto
set network interface ethernet ethernet1/5 link-state auto
set network interface ethernet ethernet1/6 aggregate-group ae2
set network interface ethernet ethernet1/6 link-speed auto
set network interface ethernet ethernet1/6 link-duplex auto
set network interface ethernet ethernet1/6 link-state auto
set network interface ethernet ethernet1/7 aggregate-group ae2
set network interface ethernet ethernet1/7 link-speed auto
set network interface ethernet ethernet1/7 link-duplex auto
set network interface ethernet ethernet1/7 link-state auto
Then set up the ae interfaces:
set network interface aggregate-ethernet ae1 comment in
set network interface aggregate-ethernet ae1 virtual-wire
set network interface aggregate-ethernet ae2 comment out
set network interface aggregate-ethernet ae2 virtual-wire
Zones... however it makes sense.
set zone trust network virtual-wire ae1
set zone untrust network virtual-wire ae2
Then set what vlans you want to carry on the virtual wire:
set network virtual-wire vw-esx multicast-firewalling enable no
set network virtual-wire vw-esx link-state-pass-through enable yes
set network virtual-wire vw-esx tag-allowed 10,20,30
set network virtual-wire vw-esx interface1 ae1
set network virtual-wire vw-esx interface2 ae2
At least according to the release notes for 5.0.0 (regarding new networking features):
Link Aggregation – The PA-500 and PA-2000 Series devices now support link aggregation. Note that link aggregation on virtual wire interfaces is not supported on the PA-2000 Series due to a hardware limitation. By assigning common ingress and common egress zones, two or more virtual wires may still be used on the PA-2000 Series in environments where adjacent devices are performing link aggregation.
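To make the tagged/untagged distinction in the two answers above concrete, here is an added example (not code from the poster, from Palo Alto Networks, or from PAN-OS) that extracts the 802.1Q VLAN ID from constructed Ethernet frames and checks it against a virtual wire 'tag-allowed' string such as '10,20,30' or '0-4094'. It assumes the PAN-OS convention that tag 0 on a virtual wire stands for untagged traffic; the frames and MAC addresses are constructed sample data.

```python
import struct

# Assumption (PAN-OS convention): tag 0 in 'tag-allowed' means untagged frames.
UNTAGGED = 0


def parse_vid(frame: bytes) -> int:
    """Return the 802.1Q VLAN ID of an Ethernet frame, or 0 if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x8100:          # no 802.1Q TPID: plain (untagged) frame
        return UNTAGGED
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF              # low 12 bits of the TCI carry the VID


def parse_tag_allowed(spec: str) -> set:
    """Expand a vwire 'tag-allowed' value ('10,20,30', '0-4094', ...) to a set of VIDs."""
    allowed = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, hi = (int(x) for x in part.split("-", 1)) if "-" in part else (int(part),) * 2
        if not 0 <= lo <= hi <= 4094:    # 4095 is reserved and not configurable
            raise ValueError(f"tag range out of bounds: {part!r}")
        allowed.update(range(lo, hi + 1))
    return allowed


def vwire_passes(frame: bytes, spec: str) -> bool:
    """True if the virtual wire would forward this frame under the given tag-allowed spec."""
    return parse_vid(frame) in parse_tag_allowed(spec)


def build_frame(vid: int = None) -> bytes:
    """Constructed sample frame: untagged when vid is None, else 802.1Q tagged with that VID."""
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    payload = b"\x08\x00" + b"\x00" * 46      # IPv4 ethertype plus zero padding
    if vid is None:
        return dst + src + payload
    return dst + src + struct.pack("!HH", 0x8100, vid) + payload   # PCP 0, DEI 0


if __name__ == "__main__":
    for spec in ("10,20,30", "0-4094"):
        for f in (build_frame(), build_frame(20), build_frame(40)):
            print(spec, parse_vid(f), vwire_passes(f, spec))
```

Note that an untagged frame is dropped by '10,20,30' because 0 is not listed, while '0-4094' carries both the untagged frames and every tagged VLAN on the trunk.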