This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
vm palo question on interfaces for esxi
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Re: vm palo question on interfaces for esxi
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
vm palo question on interfaces for esxi
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-26-2021 01:20 PM - edited 11-30-2021 06:40 AM
We have an exisiting vmware esxi environment that has 3 hosts with distributed switches configured.
Currently, each esxi host has 4 links (all trunks) going to the physical uplink switch.
We've installed a VM palo series firewall and have established managment connectivity to it via eth1/0 with no issues.
Now we are configuring sub interfaces on the vm palo and will point the vm's to it as their gateways. I think this part is working.
Where our issue is happening is on the uplink from the vm palo to the physical switch. I'm confused how this works as all the uplinks are trunks and I need to have the connection from the physical switch to the palo vm as a L3 link.
Could someone break this down for me? Does the questione even make sense?
More info
I have a SVI on the physical Cisco switch. 10.1.1.1/24
I configured eth1/1 on the vm palo as a L3 link as 10.1.1.2/24
I have sub interfaces 10.1.80.1/24 (vlan 80) and 10.1.90.1/24 (vlan90) created off of eth1/2 of the VM Palo and they will be gateways for the virtual machines.
The palo virtual router is set with a default router of 10.1.1.1 to the physical switch.
Honestly without any routing, I would think that I should be able to ping from the physical switch to the 10.1.1.2 as it should be directly connected but that's not working even with the management profile applied.
So confused!
Thanks in advance!!
8 REPLIES 8
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-30-2021 08:34 PM
License shouldn’t be the issue here.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-01-2021 06:21 AM
Hi @geewiss ,
If any of the palo alto interface is configured as a L3 sub-interface, then you need to configure neighboring device interface as a trunk then you can flow specific vlan traffic via that trunk port. If Palo Alto interface is configured as normal L3 interface then keeping neighboring device interface in access port should work.
Mayur
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-02-2021 01:40 PM
UPDATE
The key here was to make all 4 physical links from the ESXi host to the physical switch as trunks. Then to have the e1/1 interface on the palo configured in a port group that is "vlan trunking". Then to have a sub interface on the palo with tagging the vlan number. This seem to work.
Related Content
- Panorama in Panorama Discussions
- Use Cases Vlan re-tagging/VLAN-Translation - Supported by Layer 2 and Vwire Interfaces or just Layer 2? in General Topics
- Palo Alto interfaces in Layer 2 - Portchannel - Log Monitor more details in General Topics
- Auto Commit Fails and prevents 10.2.0 Installation on ESXI 6.5 in General Topics
- Question about Management Interface in General Topics
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks