09-19-2019 07:38 AM
Hello everyone,
I have an existing Palo Alto PA-3550 which we are migrating over to VMware, virtualized version (VM-300), onsite, no cloud. On the appliance we have two sets of layer 2 interfaces bridged together. One set is basically a transparent firewall, the other is just marking QoS traffic. Since this device has 20 or so 1 Gb ports, each layer 2 interface is connected to a port without using 802.1Q. Since our internet circuit is a symmetric 1 Gb service, it makes no sense to do so. Everything works fine on the appliance, and has for several years. The appliance uplinks are basically set up with a Cisco access VLAN and set to access mode. I know that in this setup I can do a bridge with a network cable, and the Cisco switches would be fine.
On the VM-300, I have port 5 (eth 1/5) set up for 802.1Q VLAN tags and recreated the same ports. It has four sub-interfaces, on one port. In the VMware host the port is set up for all VLANs (VLAN ID 4095). This basically passes all VLANs through that port.
Back to the VM-300 specifics, I have the sub-interfaces in their respective VLANs, and the same policies as before. It works fine. The problem I am having is that the pair of Cisco 4500X we use as our core switch have problems with the VM-300 layer 2 bridges. With no interfaces defined on the Cisco switch, I get a lot of MAC flaps, and it basically does not work as a bridge. I can't ping across it, maybe one out of twenty-five. With a layer 3 interface defined on the Cisco switch, spanning tree will block the port. With a layer 3 interface and spanning tree disabled, the switch is brought to its knees with a loop; these are dual core switches, and the core running spanning tree is at 100%. I have also tried this configuration without 802.1Q, just a Palo Alto interface with no sub-interfaces, and VMware with the ports hard set to 903 (eth1/7) or 904 (eth1/8), and had the same reaction. So, I ask: am I doing something wrong, or is there something I need to check, or can you not do layer 2 bridges with the VM series? I know it's possible to do Ethernet bridges in VMware, as I have a couple running on a virtual VyOS router for disaster recovery purposes. We use it to bridge a Cisco VRF that replicates our primary site layer 3 interfaces, and share routes across the bridge.
C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/2 to port Te2/1/1
C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/1 to port Te2/1/2
C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 00:50:56:99:22:01 in vlan 903 is moving from port Te2/1/5 to port Te2/1/2
C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/2 to port Te2/1/1
C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/1 to port Te2/1/2
C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:99:22:01 in vlan 903 is moving from port Te2/1/2 to port Te2/1/5
C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:99:22:01 in vlan 903 is moving from port Te2/1/5 to port Te2/1/2
C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/2 to port Te2/1/1
C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/1 to port Te2/1/2
---------------------
Vlan on the appliance PA-3050:
pvst+ tag rewrite: enabled
pvst+ native vlan id: 1
drop stp: disabled
802.1Q PCP pass through: disabled
total vlan shown : 2
name interface virtual interface
--------------------------------------------------------------------------------
Default ethernet1/3
ethernet1/4
TW-INTERNET-TP-FIREWALL ethernet1/7
ethernet1/8
--------------------------------------
Vlan on vm-300. I have a test bridge on it.
pvst+ tag rewrite: enabled
pvst+ native vlan id: 1
drop stp: disabled
802.1Q PCP pass through: disabled
total vlan shown : 3
name interface virtual interface
--------------------------------------------------------------------------------
Default ethernet1/5.123
ethernet1/5.223
TW-INTERNET-TP-FIREWALL ethernet1/5.500
ethernet1/5.503
TP-TESTER ethernet1/7.903
ethernet1/7.904
Thanks,
Justin
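As an added example (not from the post, nor Palo Alto or Cisco code), here is a small Python script that parses switch log lines in the C4K_EBM-4-HOSTFLAPPING format quoted in the post and flags hosts that keep bouncing between the same two ports, which is the signature of a bridged segment being learned over two paths. The sample log is constructed from the post's lines plus one unrelated line to show non-flap messages are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the flap lines from the post plus one unrelated syslog line.
SAMPLE_LOG = """\
C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/2 to port Te2/1/1
C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/1 to port Te2/1/2
C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 00:50:56:99:22:01 in vlan 903 is moving from port Te2/1/5 to port Te2/1/2
C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/2 to port Te2/1/1
C4K_EBM-4-HOSTFLAPPING: STANDBY:Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/1 to port Te2/1/2
C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:99:22:01 in vlan 903 is moving from port Te2/1/2 to port Te2/1/5
C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:99:22:01 in vlan 903 is moving from port Te2/1/5 to port Te2/1/2
C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/2 to port Te2/1/1
C4K_EBM-4-HOSTFLAPPING: Host 00:50:56:99:41:29 in vlan 903 is moving from port Te2/1/1 to port Te2/1/2
%SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Matches both the plain and the "STANDBY:" prefixed variants seen in the post.
FLAP_RE = re.compile(
    r"C4K_EBM-4-HOSTFLAPPING: (?:STANDBY:)?Host (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"in vlan (?P<vlan>\d+) is moving from port (?P<src>\S+) to port (?P<dst>\S+)"
)

def parse_flaps(text):
    """Return (mac, vlan, src_port, dst_port) for every flap line; other lines are skipped."""
    flaps = []
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            flaps.append((m["mac"].lower(), int(m["vlan"]), m["src"], m["dst"]))
    return flaps

def summarize_flaps(text, threshold=2):
    """Group moves per (mac, vlan); a host that moves repeatedly yet only ever appears on
    the same two ports is ping-ponging, i.e. one segment is reachable via two paths."""
    moves = defaultdict(list)
    for mac, vlan, src, dst in parse_flaps(text):
        moves[(mac, vlan)].append((src, dst))
    summary = {}
    for key, pairs in moves.items():
        ports = sorted({p for pair in pairs for p in pair})
        summary[key] = {"moves": len(pairs), "ports": ports,
                        "ping_pong": len(pairs) >= threshold and len(ports) == 2}
    return summary

if __name__ == "__main__":
    for (mac, vlan), info in summarize_flaps(SAMPLE_LOG).items():
        print(f"{mac} vlan {vlan}: {info['moves']} moves on {info['ports']}, ping_pong={info['ping_pong']}")
```

Feed it the output of the switch's logging buffer to see which MACs are bouncing and between which uplinks; on this page both hosts flap in VLAN 903 between Te2/1/2 and one other port.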