Have a site that we want to firewall traffic off into a few segmented zones. I would like to do all of this with 1 management interface, and a single palo alto trunked interface that would carry multiple vlans. To be clear, in this instance, the firewall would already be on the inside of the network and not an edge device.
The firewalled networks would all reside locally at this site, and traverse the trunk over a tagged interface to get back "out" to the rest of our networked sites traversing internet/mpls. Most of the traffic would come into the site on a main tagged vlan (either local computers at site or servers in remote destinations), hairpin to the segmented vlan(s), and then hairpin again - and respond back to the originator at a different interent/mpls site or to the main tagged vlan locally.
Can anyone think of any issues trying to use a single interface for trunking multiple vlans? My concern here is that traffic wouldn't be crossing interfaces in/out, but would be all using a trunk even for it's main data interface. Thinking most admins are using 1 internal interface, and then 1 trunk interface for the rest of the local firewalled networks?
I understand that palo doesn't use native vlanning- so vlan 1 is out of the question if we trunk all of this I'm thinking?
Concerned with hairpin traffic, and any experiences anyone has had experimenting/implementing this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!