Trunking a new switch to an existing PA (Active/passive) pair


Hello Everyone,

 

I am having some trouble with trunking. Below is our current setup:

 

PA pair (vlan 48 --- x.x.48.254) ------ core switch (vlan 48 .... x.x.48.1) for internal access (trust zone). We have a static route on the PA: any traffic to the internal network should be pointed to the core switch (vlan 48 .... x.x.48.1).

Similarly, we have a default route on the core switch pointing to the PA pair (vlan 48 ... x.x.48.254).

We have management vlan 40.

PA pair (vlan 40----x.x.40.10)---Core switch (x.x.40.1)

==========================================================================

Now I am trying to deploy a new DMZ switch (with two new DMZ vlans). The intention is to have separate physical hardware for the DMZ and also separate vlans, which should not exist on our core switch. So I created vlans 10 and 20 for the DMZ on the new switch and vlan 40 for management, and assigned the IP x.x.40.60 to it. I gave it a default route pointing to the management IP on the PA (x.x.40.10).

I am not able to ping the new switch's management IP from the internal network, not even from the firewall.

--------------------------------------------------------------

Can someone please advise on how to connect the new DMZ switch (with two new vlans) to the firewall and be able to manage the new switch from our internal network.

 

Thanks in advance.


@NovrojShaik,

I'm not 100% sure I'm understanding this correctly; you are trying to set the management interface on the PA as the default route on the DMZ switch? That isn't going to work... the management interface on the PA isn't capable of actually passing traffic from another device.

Again, I could have easily been reading this wrong; let me know if that's the case.

 

@BPry

Thanks for the reply. Yes, that's what I was trying to do. I have a management vlan and two other (DMZ) vlans configured on my DMZ switch (plain trunk, not LACP). I was pointing the default route to the management interface of the firewall. I realised it will not work. So I tried the things below, but they did not work either:

 ***WE DO NOT HAVE VLANS CONFIGURED ON PALO ALTO***

- I configured a Layer 3 aggregate (ae.1) interface on the Palo Alto and configured layer 3 subinterfaces with IP addresses on it. Configured one physical interface as an aggregate interface and bound ae.1 to it. Two of those subinterfaces are for the new DMZ vlans and the other one is in the management subnet with IP address x.x.40.200. {management vlan is 40; core switch management IP is x.x.40.1 and Palo Alto management IP is x.x.40.10}

I configured the management vlan on the new DMZ switch with IP x.x.40.60. I was able to ping the aggregate subinterface on the Palo Alto (x.x.40.200) from the switch, and from the Palo Alto the ping works only if I source it from x.x.40.200. However, I am not able to ping the DMZ switch from the core switch.

- Later I decided to use a different vlan instead of the management vlan. Configured the switch and firewall as in the step above but used a different vlan, say 50. Assigned x.x.50.60 on the DMZ switch and x.x.20.200 on the aggregate subinterface. In this case vlan 250 exists on the core switch and has the IP address x.x.50.1. Still the result is the same: "I was able to ping the aggregate subinterface on the Palo Alto (x.x.50.200) from the switch, and from the Palo Alto the ping works only if I source it from x.x.50.200. However, I am not able to ping the DMZ switch from the core switch."

- I thought maybe I was configuring the aggregation incorrectly. So I just configured a plain access link between the DMZ switch and the Palo Alto. On the Palo Alto I configured the physical interface as layer 3 and assigned IP x.x.50.200, and on the DMZ switch I assigned the port to vlan 50 as an access port and connected it to the Palo Alto. Assigned the IP address x.x.50.60 to the layer 3 interface on the DMZ switch. Still the result is the same: "I was able to ping the aggregate subinterface on the Palo Alto (x.x.50.200) from the switch, and from the Palo Alto the ping works only if I source it from x.x.50.200. However, I am not able to ping the DMZ switch from the core switch."

 

*** I selected the security zone (Internal Trust) for the above two scenarios (both the aggregate subinterface and the physical interface). ***

======================================================================================

In general, do you have any suggestion on how a new DMZ switch can be deployed? Below is the current topology:

PA (Active/passive) ========================== Core

Management vlan 40 (x.x.40.10) --------------------------- Management vlan 40 (x.x.40.1)

Internal Access vlan 48 (x.x.48.254) ----------------------- Internal Access vlan 48 (x.x.48.1)

Static route on the Palo Alto: any traffic to the internal network (x.x.0.0/16) should be pointed to the core switch (vlan 48 .... x.x.48.1).

Similarly, we have a default route on the core switch pointing to the Palo Alto (vlan 48 ... x.x.48.254).

The core switch has all the layer 3 interfaces and it does inter-vlan routing (so internal traffic does not go to the firewall). For the DMZ I am planning to put the layer 3 interfaces on the firewall, so that we can have more control.

The plan is to deploy a new DMZ switch (with two new DMZ vlans). The intention is to have separate physical hardware for the DMZ and also separate vlans, which should not exist on our core switch.

I should be able to manage the new DMZ switch from across the network.
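The thread above is really a routing and zoning question, and the symptoms it reports can be reasoned through with a route trace. The script below is an added example, not code from the thread or from Palo Alto Networks; it uses 10.0.<vlan>.0/24 in place of the poster's x.x.<vlan>.0/24 (an assumption), names the devices core, pa-mgmt, pa-dataplane and dmz-switch, and treats VLAN 40 as one segment shared by the core, the PA MGT port and the DMZ switch's management SVI (also an assumption). Each device does longest-prefix-match routing; a connected route only delivers to a host that is actually on that L2 segment; the PA MGT interface never forwards transit traffic (BPry's point); and the dataplane applies a simplified zone policy (intrazone allowed, interzone only with a rule, replies matched to the forward session) standing in for PAN-OS defaults. Under those assumptions it shows three things: with an SVI for the DMZ-link subnet on the core (the x.x.50.1 in the second attempt), the core's connected route wins and the ping never reaches the firewall, while a ping sourced from the PA's own DMZ-link address still works; with the DMZ switch's default route pointed at the MGT address, the forward ping arrives but the reply dies at MGT; and with the DMZ link in its own zone rather than Internal Trust, core-to-DMZ traffic needs an explicit trust-to-dmz rule, with the connected /24 beating the x.x.0.0/16 static route to the core.

```python
"""Route and zone trace for the DMZ-switch topology in this thread (added example,
not code from the thread or from Palo Alto Networks). Addresses are 10.0.<vlan>.0/24
for the thread's x.x.<vlan>.0/24 (assumption). Models longest-prefix-match routing,
connected routes that only reach hosts on the same L2 segment, a PA MGT interface
that never forwards transit traffic, and a simplified zone policy (intrazone allowed,
interzone needs a rule, replies match the forward session) standing in for PAN-OS."""
import ipaddress as ip

class Device:
    def __init__(self, name, ifaces, routes, forwards=True, zones=None, rules=()):
        self.name = name
        self.ifaces = {ip.ip_address(a): seg for a, seg in ifaces.items()}
        self.routes = [(ip.ip_network(p), ip.ip_address(nh) if nh else None, seg)
                       for p, nh, seg in routes]  # (prefix, next hop, out segment)
        self.forwards = forwards
        self.zones = zones or {}  # segment -> zone name; only the firewall has these
        self.rules = set(rules)   # allowed (from_zone, to_zone) pairs
        self.sessions = set()     # zone pairs seen on a forward path

    def lookup(self, dst):
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def allowed(self, in_seg, out_seg):
        z_in, z_out = self.zones.get(in_seg), self.zones.get(out_seg)
        if z_in is None or z_out is None:  # locally originated, or no zone enforcement
            return True
        if z_in == z_out or (z_in, z_out) in self.rules or (z_out, z_in) in self.sessions:
            self.sessions.add((z_in, z_out))
            return True
        return False

def holder(devices, addr, segment=None):
    """Device owning `addr`, optionally only if it sits on `segment` (ARP reach)."""
    return next((d for d in devices if addr in d.ifaces
                 and (segment is None or d.ifaces[addr] == segment)), None)

def trace(devices, start, dst, in_seg=None, max_hops=8):
    """Follow one packet from `start` towards `dst`; returns (delivered, hop log)."""
    dst, dev, log = ip.ip_address(dst), start, []
    for _ in range(max_hops):
        if dst in dev.ifaces:
            return True, log + [f"{dev.name}: delivered"]
        if in_seg is not None and not dev.forwards:
            return False, log + [f"{dev.name}: management interface, does not forward"]
        r = dev.lookup(dst)
        if r is None:
            return False, log + [f"{dev.name}: no route to {dst}"]
        net, nh, out_seg = r
        if not dev.allowed(in_seg, out_seg):
            return False, log + [f"{dev.name}: policy denies {dev.zones[in_seg]} -> {dev.zones[out_seg]}"]
        nxt = holder(devices, nh or dst, out_seg)
        if nxt is None:
            return False, log + [f"{dev.name}: {net} points to {nh or 'connected'} on {out_seg}, but {nh or dst} is not on that segment"]
        log.append(f"{dev.name}: {net} via {nh or 'connected'} on {out_seg}")
        dev, in_seg = nxt, out_seg
    return False, log + ["hop limit exceeded"]

def build(vlan50_on_core=False, dmz_gateway="10.0.50.200", dmz_zone="dmz", rules=()):
    """The thread's topology; the parameters are the knobs the poster varied."""
    core_if = {"10.0.40.1": "vlan40", "10.0.48.1": "vlan48"}
    core_rt = [("10.0.40.0/24", None, "vlan40"), ("10.0.48.0/24", None, "vlan48"),
               ("0.0.0.0/0", "10.0.48.254", "vlan48")]
    if vlan50_on_core:  # second attempt: the core also has an SVI in the DMZ-link subnet
        core_if["10.0.50.1"] = "core-vlan50"
        core_rt.append(("10.0.50.0/24", None, "core-vlan50"))
    gw_seg = "vlan40" if dmz_gateway.startswith("10.0.40.") else "dmz-link"
    return [
        Device("core", core_if, core_rt),
        Device("pa-mgmt", {"10.0.40.10": "vlan40"}, [], forwards=False),
        Device("pa-dataplane", {"10.0.48.254": "vlan48", "10.0.50.200": "dmz-link"},
               [("10.0.48.0/24", None, "vlan48"), ("10.0.50.0/24", None, "dmz-link"),
                ("10.0.0.0/16", "10.0.48.1", "vlan48")],  # the thread's static route
               zones={"vlan48": "trust", "dmz-link": dmz_zone}, rules=rules),
        Device("dmz-switch", {"10.0.50.60": "dmz-link", "10.0.40.60": "vlan40"},
               [("10.0.50.0/24", None, "dmz-link"), ("10.0.40.0/24", None, "vlan40"),
                ("0.0.0.0/0", dmz_gateway, gw_seg)]),
    ]

def round_trip(devices, src_ip, dst_ip):
    """Ping src_ip -> dst_ip and back; returns (ok, forward log, reply log)."""
    src, dst = ip.ip_address(src_ip), ip.ip_address(dst_ip)
    ok, fwd = trace(devices, holder(devices, src), dst_ip)
    if not ok:
        return False, fwd, []
    replier = holder(devices, dst)
    ok, rev = trace(devices, replier, src_ip, in_seg=replier.ifaces[dst])
    return ok, fwd, rev

def vlan50_on_core():  # second attempt: x.x.50.1 SVI on the core, DMZ port in trust zone
    return round_trip(build(vlan50_on_core=True, dmz_zone="trust"), "10.0.48.1", "10.0.50.60")

def gateway_is_mgmt():  # first attempt: DMZ switch default route -> PA MGT address
    return round_trip(build(dmz_gateway="10.0.40.10", dmz_zone="trust"), "10.0.48.1", "10.0.50.60")

def separate_zone(with_rule):  # DMZ link in its own zone, with or without a trust->dmz rule
    rules = (("trust", "dmz"),) if with_rule else ()
    return round_trip(build(rules=rules), "10.0.48.1", "10.0.50.60")
```

Each scenario function returns (ok, forward hop log, reply hop log), so `for line in vlan50_on_core()[1]: print(line)` shows where the core-originated ping stops; `round_trip(build(vlan50_on_core=True, dmz_zone="trust"), "10.0.50.200", "10.0.50.60")` is the PA-sourced ping that the thread reports as working. The same trace can be extended with whatever VLANs or rules a real deployment has; the point it makes is that a DMZ subnet must exist only behind the firewall, the DMZ switch must route back through the dataplane interface rather than MGT, and a dedicated DMZ zone is what gives the policy control the poster is after.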
