Proper Cisco Network Configuration With Palo Alto's?


[Attached diagram: pa.png]
Please forgive my ignorance when it comes to Palo Altos. This is the first time I've dealt with them. We have a need to secure a localized VLAN behind the Palo Altos. I'm including a diagram to show a simulation of what we're looking to do.

We have default VLAN1, which is our default data VLAN. We have VLAN 19, which is the VLAN we want to secure. The VLAN1 SVI IP is 10.1.1.1, and the VLAN19 SVI IP is 10.1.2.1. On the Palo Altos, we have one interface IP'd as 10.1.1.2 for the default data VLAN, and 10.1.2.2 for the secured VLAN. There is also an HA pair with IP addresses 10.1.1.3 and 10.1.2.3 respectively. We have EIGRP that advertises the default VLAN1 network.

Here's what we're looking to do. Anything from the 10.1.1.x network going to the 10.1.2.x network needs to go through the Palo Alto. Anything coming from the 10.1.2.x network needs to go through the Palo Alto as well. Anything from 10.1.1.x to any other network takes the default route (not through the Palo Altos), and anything from 10.1.2.x to anything else on 10.1.2.x should stay local to the LAN (not go through the Palo Alto; it should just ARP for the MAC address).

My question is, how do I tell my L3 switch to send all traffic destined to 10.1.2.x through the PA? I can't do an IP route, because the VLAN lives on those L3 switches and is a directly connected route. I really can't do PBR on the switch, since that's truly meant for routers. I can put a long match for everything on the 10.1.2.x network (i.e. ip route 10.1.2.7 255.255.255.255 10.1.1.2), but for some reason when doing that, anything from 10.1.2.x going to anything else on 10.1.2.x goes through the Palo Alto as well. Would anyone have any suggestion on what the best practice would be, from a network perspective, on how to do this? Thanks for any help!
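
The following is an added worked example, not part of the original post and not Palo Alto or Cisco code. It simulates the two forwarding decisions that decide whether a packet in this design ever reaches the firewall: the end host's on-subnet versus off-subnet check, and the L3 switch's longest-prefix-match lookup with administrative distance. The routing table, the /32 "long match" routes, the EIGRP default route with its AD of 90, and the host addresses 10.1.2.5, 10.1.2.7 and 10.1.1.5 are all constructed for the example from the addresses given in the post.

```python
import ipaddress

# Constructed routing table for the L3 switch described in the post.
# Entry: (prefix, next_hop, administrative_distance). "connected" means the
# switch resolves the destination by ARP on its own SVI instead of forwarding
# it to another router.
CONNECTED = "connected"
PA_INSIDE = "10.1.1.2"   # Palo Alto interface on the default data VLAN (from the post)
SWITCH_ROUTES = [
    ("10.1.1.0/24", CONNECTED, 0),            # VLAN1 SVI 10.1.1.1
    ("10.1.2.0/24", CONNECTED, 0),            # VLAN19 SVI 10.1.2.1
    ("0.0.0.0/0", "upstream-default", 90),    # assumed EIGRP-learned default
]


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lower AD wins.
    This is why a static 10.1.2.0/24 toward the PA never beats the connected
    /24, while a /32 host route does."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, ad in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        if best is None or (net.prefixlen, -ad) > (best[0].prefixlen, -best[2]):
            best = (net, nh, ad)
    return best[1] if best else None


def host_next_hop(src, prefixlen, dst, gateway):
    """An end host hands only off-subnet traffic to its gateway. On-subnet
    destinations are resolved by ARP and never consult the switch's table."""
    local = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    return "arp-direct" if ipaddress.ip_address(dst) in local else gateway


def with_host_routes(routes, hosts, next_hop, ad=1):
    """Add /32 static routes, i.e. the 'long match' the post describes."""
    return routes + [(f"{h}/32", next_hop, ad) for h in hosts]


def trace(routes, src, src_prefixlen, gateway, dst):
    """Hops a packet takes from src to dst: the host decision first, then
    the switch lookup only if the host sent the packet to its SVI gateway."""
    first = host_next_hop(src, src_prefixlen, dst, gateway)
    if first == "arp-direct":
        return ["arp-direct"]
    return [gateway, lookup(routes, dst)]


def main():
    # Constructed sample flows drawn from the post's addressing.
    routes = with_host_routes(SWITCH_ROUTES, ["10.1.2.7"], PA_INSIDE)
    flows = [
        ("10.1.1.5", "10.1.1.1", "10.1.2.7"),   # data VLAN -> secured host
        ("10.1.1.5", "10.1.1.1", "10.1.2.99"),  # secured host without a /32
        ("10.1.2.5", "10.1.2.1", "10.1.2.7"),   # intra-VLAN19
        ("10.1.2.7", "10.1.2.1", "10.1.1.5"),   # secured host -> data VLAN
        ("10.1.1.5", "10.1.1.1", "8.8.8.8"),    # data VLAN -> elsewhere
    ]
    for src, gw, dst in flows:
        print(f"{src:>10} -> {dst:<10} {trace(routes, src, 24, gw, dst)}")


if __name__ == "__main__":
    main()
```

Under these assumptions the simulation shows three things worth checking on a real switch: a /32 route does divert 10.1.1.x to 10.1.2.7 via the PA, any 10.1.2.x host without its own /32 is still reached directly, and the reply from 10.1.2.7 to 10.1.1.5 goes to the VLAN19 SVI and is delivered over the connected 10.1.1.0/24 without touching the PA, so a stateful firewall would see only one direction of the session. Intra-VLAN19 traffic never reaches the switch's routing table at all in this model, so if it is observed crossing the PA the cause has to be looked for elsewhere than the /32 routes.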
