This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA-VM on ESXi - L2 Topology Design Questions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-VM on ESXi - L2 Topology Design Questions

bkeifer
L1 Bithead

‎07-13-2015 12:04 PM

I'm looking to deploy a pair of PA-VM 200s running 7.x on a vSphere 5.5 cluster and would like a sanity check on the design.

My client's network currently has one large VLAN that houses most of their servers.  For the sake of this example, we'll say it's VLAN 8.  There are servers on this network with varying degrees of importance, but among them are things like domain controllers and file servers.  To increase security, we're looking to deploy an active/passive HA pair of PA-VM 200s running 7.x (for the real HA capabilities) in L2 mode so that we can move some of the more important VMs behind them and not have to renumber.  I'm assuming that the ethernet1/2 interfaces will also need to be assigned to VLAN 8 on the PA-VMs so that it knows to bridge the traffic.


- Does the protected port group on the vSphere DSwitch have to be VLAN ID 8 as well, or can I just leave it as VLAN type "None"?

- Is there anything extra I need to do to ensure that the HA pair will never accidentally create a loop between the two segments of the same network?

- Are there any other considerations I need to know about in a deployment like this?

PA-VM Topology.png

Thanks!

Labels:
0 Likes Likes
1 REPLY 1

pulukas
L7 Applicator

‎07-14-2015 05:10 AM

- Does the protected port group on the vSphere DSwitch have to be VLAN ID 8 as well, or can I just leave it as VLAN type "None"?

Both sides will be none in your case.  You only need to set tags if you have a Q tag port.  In your design these are access ports so none is all you need to do.


- Is there anything extra I need to do to ensure that the HA pair will never accidentally create a loop between the two segments of the same network?

No, the passive device keeps the traffic interfaces up but never passing traffic.  The PA will not participate in STP at all so all you need to do is make sure the switching system never puts the active device into a blocking port.

- Are there any other considerations I need to know about in a deployment like this?

I have not used the VMs for HA but I assume you still need the HA ports connected to communicate state tables and the like.  I don't see that in your setup here.

your may find the example for layer 2 HA in the Design guide helpful starting on page 80

Designing Networks with Palo Alto Networks Firewalls

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes
  • 2231 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks