Please forgive my ignorance when it comes to Palo Altos. This is the first time I've dealt with them. We have a need to secure a localized VLAN behind the Palo Altos. I'm including a diagram to show a simulation of what we're looking to do.

We have default VLAN 1, which is our default data VLAN. We have VLAN 19, which is the VLAN we want to secure. The VLAN 1 SVI IP is 10.1.1.1, and the VLAN 19 SVI IP is 10.1.2.1. On the Palo Altos, we have one interface IP'd as 10.1.1.2 for the default data VLAN, and 10.1.2.2 for the secured VLAN. There is also an HA pair with IP addresses 10.1.1.3 and 10.1.2.3 respectively. We have EIGRP that advertises the default VLAN 1 network.

Here's what we're looking to do. Anything from the 10.1.1.x network going to the 10.1.2.x network needs to go through the Palo Alto. Anything coming from the 10.1.2.x network needs to go through the Palo Alto as well. Anything from 10.1.1.x to any other network takes the default route (not through the Palo Altos), and anything from 10.1.2.x to anything else on 10.1.2.x should stay local to the LAN (not go through the Palo Alto; it should just ARP for the MAC address).

My question is, how do I tell my L3 switch to send all traffic destined to 10.1.2.x through the PA? I can't do an IP route, because the VLAN lives on those L3 switches and is a directly connected route. I really can't do PBRs on the switch, since that's truly meant for routers. I can put a long match for everything on the 10.1.2.x network (i.e. ip route 10.1.2.7 255.255.255.255 10.1.1.2), but for some reason when doing that, anything from 10.1.2.x going to anything else on 10.1.2.x goes through the Palo Alto as well. Would anyone have any suggestion on what the best practice would be, from a network perspective, on how to do this? Thanks for any help!
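To make the switch-side behaviour in the question concrete, here is an added example (not from the original post or from any vendor code) that models the L3 switch's routing table as described: the two connected SVI networks, a default route, and the per-host /32 static route toward the Palo Alto at 10.1.1.2. It implements longest-prefix-match lookup and shows which next hop the switch itself would pick for each destination. The default-route next hop (192.0.2.1) is a placeholder, since the post does not give it, and the model covers only the switch's forwarding decision, not what hosts on VLAN 19 do when they ARP for each other directly.

```python
import ipaddress


class RoutingTable:
    """Minimal longest-prefix-match routing table (constructed example)."""

    def __init__(self):
        # Each entry: (network, next_hop or None for a connected route, description)
        self.routes = []

    def add(self, prefix, next_hop=None, via=""):
        self.routes.append((ipaddress.ip_network(prefix, strict=False), next_hop, via))

    def lookup(self, dst):
        """Return the most specific matching entry, as a real router/switch would."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh, via in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, via)
        return best


def build_switch_table():
    """Routing table of the L3 switch as described in the post."""
    rt = RoutingTable()
    rt.add("10.1.1.0/24", None, "connected, VLAN 1 SVI 10.1.1.1")
    rt.add("10.1.2.0/24", None, "connected, VLAN 19 SVI 10.1.2.1")
    # Placeholder next hop: the post does not name the default-route gateway.
    rt.add("0.0.0.0/0", "192.0.2.1", "default route learned via EIGRP (placeholder next hop)")
    # The /32 'long match' from the post: ip route 10.1.2.7 255.255.255.255 10.1.1.2
    rt.add("10.1.2.7/32", "10.1.1.2", "host route toward the Palo Alto")
    return rt


def next_hop_for(rt, dst):
    """'connected' when the switch forwards directly on the SVI, else the next-hop IP."""
    net, nh, _via = rt.lookup(dst)
    return "connected" if nh is None else nh


def forwarding_summary(rt, destinations):
    """Map each destination to the next hop the switch would use."""
    return {dst: next_hop_for(rt, dst) for dst in destinations}


if __name__ == "__main__":
    table = build_switch_table()
    # Constructed sample destinations: the /32 host, another VLAN 19 host,
    # a VLAN 1 host, and an external address.
    for dst, hop in forwarding_summary(
        table, ["10.1.2.7", "10.1.2.8", "10.1.1.50", "203.0.113.9"]
    ).items():
        net, _nh, via = table.lookup(dst)
        print(f"{dst:>12} -> {hop:<10} (matched {net}, {via})")
```

Running it shows that the /32 beats the connected /24 only for 10.1.2.7: any other VLAN 19 host still resolves to the connected route, so a per-host static route only redirects the switch's own forwarding for the hosts you list, and only for packets that actually reach the switch.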