Hi community,

See the attached Visio and the supplied notes. There is no reason this won't work?

The reasons for this are:

- Capture east/west 'inter-VLAN' traffic that would normally be routed by the L3 switch carrying the SVIs, i.e. move the 'SVIs' up to the PAN. But that can't be done with a standard .1q trunk on an A/A setup, because A/A will not support L2 interfaces. So these L3 legs are created between the switch and the PAN.
- Floating IP, 'bound to active-primary', for manual preference of the active member during a failover event (https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/use-case-configure-active-active-ha-with-floating-ip-address-bound-to-active-primary-firewall).
- Routing on the switch side (wide mask to catch all VLANs) to send the next hop to the floating IP on the PAN.
- I want the PAN to receive the traffic on the L3 interface -> send it through packet flow/processing -> and egress it out one of the two L3 interfaces bound back to the switch (probably the same interface, really) with a similar route (wide mask) back to the L3 IP address on the switch end. (Question: one interface is on one A/A member, one on the other. Is there anything I have to accommodate here? I.e. I would normally need routing to prefer a leg: floating static or dynamic (OSPF).)

With a similar route (wide mask) I get inter-VLAN processing on the PAN without needing to 'router on a stick' .1q backhaul all the SVIs to the PAN, and I maintain A/A. That's the goal.

Thoughts?
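As an added illustration (not part of the original post, and not PAN-OS code), a small Python model of the routing described above: the switch holds only a wide route pointing at the floating IP, the floating IP sits on the active-primary member unless that member is down, and whichever member owns it routes back to the switch over its own leg. All addresses, member names and the 10.0.0.0/8 VLAN space are constructed assumptions.

```python
# Constructed model of the design: no SVIs on the switch, one L3 leg per
# A/A member, floating IP bound to active-primary, wide routes both ways.
from ipaddress import ip_address, ip_network

FLOATING_IP = ip_address("10.255.0.1")   # lives on the active-primary member
SWITCH_LEG_IP = ip_address("10.255.0.254")  # switch end of the L3 legs
# Each HA member has its own leg interface toward the switch.
MEMBERS = {
    "fw-A": {"leg_ip": ip_address("10.255.0.2"), "role": "active-primary"},
    "fw-B": {"leg_ip": ip_address("10.255.0.3"), "role": "active-secondary"},
}
# Switch routes: leg subnet is connected; all VLAN space goes to the floating IP.
SWITCH_ROUTES = [(ip_network("10.255.0.0/24"), "connected"),
                 (ip_network("10.0.0.0/8"), FLOATING_IP)]
# Each member's return route: same wide mask, next hop is the switch leg IP.
PAN_ROUTES = [(ip_network("10.0.0.0/8"), SWITCH_LEG_IP)]


def lpm(routes, dst):
    """Longest-prefix match over (network, next_hop) entries; None if no route."""
    best = None
    for net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def floating_owner(failed=()):
    """Floating IP stays on active-primary; moves to the other member only on failure."""
    for member in sorted(MEMBERS, key=lambda m: MEMBERS[m]["role"] != "active-primary"):
        if member not in failed:
            return member
    return None  # both members down


def inter_vlan_path(dst, failed=()):
    """Hops taken by a packet from one VLAN toward dst in another VLAN."""
    dst = ip_address(dst)
    path = ["switch"]
    route = lpm(SWITCH_ROUTES, dst)
    if route is None or route[1] != FLOATING_IP:
        return path  # local to the leg subnet; never reaches the PAN
    owner = floating_owner(failed)
    if owner is None:
        return path + ["no-route"]
    path.append(owner)  # PAN ingress on its leg, policy/packet processing
    back = lpm(PAN_ROUTES, dst)
    if back is None or back[1] != SWITCH_LEG_IP:
        return path + ["no-return-route"]
    return path + ["switch"]  # egress back out the same member's leg
```

Running `inter_vlan_path("10.20.0.5")` gives the path via fw-A; passing `failed=("fw-A",)` shows the floating IP and the return leg moving to fw-B.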