PA-VM on ESXi - L2 Topology Design Questions


L1 Bithead

I'm looking to deploy a pair of PA-VM 200s running 7.x on a vSphere 5.5 cluster and would like a sanity check on the design.

My client's network currently has one large VLAN that houses most of their servers.  For the sake of this example, we'll say it's VLAN 8.  There are servers on this network with varying degrees of importance, but among them are things like domain controllers and file servers.  To increase security, we're looking to deploy an active/passive HA pair of PA-VM 200s running 7.x (for the real HA capabilities) in L2 mode so that we can move some of the more important VMs behind them and not have to renumber.  I'm assuming that the ethernet1/2 interfaces will also need to be assigned to VLAN 8 on the PA-VMs so that it knows to bridge the traffic.


- Does the protected port group on the vSphere DSwitch have to be VLAN ID 8 as well, or can I just leave it as VLAN type "None"?

- Is there anything extra I need to do to ensure that the HA pair will never accidentally create a loop between the two segments of the same network?

- Are there any other considerations I need to know about in a deployment like this?

[Attached diagram: PA-VM Topology.png]

Thanks!

1 Reply

L7 Applicator

- Does the protected port group on the vSphere DSwitch have to be VLAN ID 8 as well, or can I just leave it as VLAN type "None"?

Both sides will be none in your case.  You only need to set tags if you have a Q tag port.  In your design these are access ports so none is all you need to do.


- Is there anything extra I need to do to ensure that the HA pair will never accidentally create a loop between the two segments of the same network?

No, the passive device keeps the traffic interfaces up but never passing traffic.  The PA will not participate in STP at all so all you need to do is make sure the switching system never puts the active device into a blocking port.

- Are there any other considerations I need to know about in a deployment like this?

I have not used the VMs for HA but I assume you still need the HA ports connected to communicate state tables and the like.  I don't see that in your setup here.

You may find the example for layer 2 HA in the design guide helpful, starting on page 80:

Designing Networks with Palo Alto Networks Firewalls

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
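The reply's port-group advice (VLAN type "None" on both the protected and unprotected side, because the PA-VM bridges untagged access-port traffic) and the HA link it says is missing can be expressed as a PowerCLI script. This is an added example written for this thread, not code from the original poster, the replier, or Palo Alto Networks. Assumptions: the vCenter hostname, the DSwitch name and the port-group names are placeholders; VLAN 8 is the production VLAN from the question; the HA VLAN ID is constructed. The promiscuous-mode, forged-transmit and MAC-change settings are Palo Alto's documented ESXi requirement for a PA-VM in Layer 2 or virtual-wire mode (the bridge forwards frames for MAC addresses that are not its own), not something the reply states.

```powershell
# Added example: build the vSphere side of the L2 bridge design discussed above.
# Requires VMware PowerCLI (VMware.VimAutomation.Core and .Vds modules).
Import-Module VMware.VimAutomation.Core
Import-Module VMware.VimAutomation.Vds

$vcenter  = 'vcenter.example.invalid'  # placeholder, not from the thread
$vdsName  = 'DSwitch'                  # placeholder: the DSwitch from the question
$haVlanId = 999                        # constructed: an isolated VLAN carrying only HA1/HA2

Connect-VIServer -Server $vcenter | Out-Null
$vds = Get-VDSwitch -Name $vdsName

function Ensure-BridgePortgroup {
    # Creates (if needed) a port group that behaves like an untagged access port,
    # i.e. VLAN type "None", and lets the PA-VM bridge frames for other MACs.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $VDSwitch
    )
    $pg = Get-VDPortgroup -VDSwitch $VDSwitch -Name $Name -ErrorAction SilentlyContinue
    if (-not $pg) {
        $pg = New-VDPortgroup -VDSwitch $VDSwitch -Name $Name -NumPorts 8
    }
    # VLAN type "None": no 802.1Q tag is added or expected, matching the reply.
    $pg | Set-VDVlanConfiguration -DisableVlan | Out-Null
    # A Layer 2 PA-VM forwards frames whose source/destination MACs belong to the
    # servers behind it, so the port group must not filter them (Palo Alto ESXi
    # deployment requirement for L2/vwire, not part of the reply).
    Get-VDSecurityPolicy -VDPortgroup $pg |
        Set-VDSecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true -MacChanges $true |
        Out-Null
    return (Get-VDPortgroup -VDSwitch $VDSwitch -Name $Name)
}

function Ensure-HaPortgroup {
    # Dedicated, tagged port group for the HA1/HA2 links the reply says are missing
    # from the diagram. Only the two PA-VMs should ever be attached to it.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $VDSwitch,
        [Parameter(Mandatory)] [int]    $VlanId
    )
    $pg = Get-VDPortgroup -VDSwitch $VDSwitch -Name $Name -ErrorAction SilentlyContinue
    if (-not $pg) {
        $pg = New-VDPortgroup -VDSwitch $VDSwitch -Name $Name -NumPorts 4
    }
    $pg | Set-VDVlanConfiguration -VlanId $VlanId | Out-Null
    return (Get-VDPortgroup -VDSwitch $VDSwitch -Name $Name)
}

# Both bridge sides stay untagged ("None"); ethernet1/1 and ethernet1/2 of each
# PA-VM attach to one of these, the servers being moved behind the firewall to the
# protected side.
$unprotected = Ensure-BridgePortgroup -Name 'VLAN8-Unprotected' -VDSwitch $vds  # placeholder name
$protected   = Ensure-BridgePortgroup -Name 'VLAN8-Protected'   -VDSwitch $vds  # placeholder name
$ha          = Ensure-HaPortgroup     -Name 'PA-HA'             -VDSwitch $vds -VlanId $haVlanId

# Review the result: VLAN configuration and security policy per port group.
foreach ($pg in @($unprotected, $protected, $ha)) {
    $sec = Get-VDSecurityPolicy -VDPortgroup $pg
    [pscustomobject]@{
        Portgroup        = $pg.Name
        VlanType         = $pg.VlanConfiguration.VlanType
        VlanId           = $pg.VlanConfiguration.VlanId
        AllowPromiscuous = $sec.AllowPromiscuous
        ForgedTransmits  = $sec.ForgedTransmits
        MacChanges       = $sec.MacChanges
    }
}
```

The script only covers vSphere; the reply's loop caveat is about the physical side, so the upstream switch ports feeding the DSwitch uplinks still need to be checked so that the active firewall's path is never placed into an STP blocking state. Because the two bridge port groups share the same untagged VLAN 8 traffic, the passive unit's interfaces being up but not forwarding (as the reply describes) is what prevents a second path between the two segments.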