11-07-2023 02:26 PM
Hello! I'm banging my head against a puzzle, and I'm curious if anyone else has attempted a similar configuration before (or if it's possible).
I am trying to find a way to migrate VLAN 96 in this example to the Palo Alto firewall as a subinterface. This is intended as a means to segment the network for better visibility and security.
The issue I'm having is that because VLAN 96 is an SVI on the 3850 switch, I can't figure out how to move it up the network stack to the Catalyst 6840 (functioning as the network core) to then move it to the firewall. The Cat 6840 and Cat 3850 are connected via an L3/routed link, whereas the Cat2960x edge switch is connected to the Cat3850 with an L2/trunk link, allowing the proper VLAN.
I have a number of other Cat2960x switches also trunked to the same 3850, and other 3850 switches fulfilling an L3 role in other sections of the network (hub/spoke topology with the 6840 at the center).
Any thoughts? I'm happy to post sanitized configuration samples if that's helpful.
Solved! Go to Solution.
11-08-2023 07:55 PM
Am I correct in understanding that essentially you want the Palo Alto to become the default gateway for devices in vlan 96?
Thank you for including the diagram which clarifies some things that might not be so very clear in the description in your post. If I understand the diagram correctly there is vlan 96 on the 2960 switch. The 2960 switch carries vlan 96 on a trunk to the 3850 switch. There is an SVI on the 3850 which provides routing services for vlan 96. There is a routed link between the 3850 and the 6840 and the 6840 connects to the Palo Alto.
In that architecture there is not any way that the Palo Alto can be the default gateway for vlan 96. If you want the Palo Alto to be the gateway for vlan 96 then you must change the link between the 3850 and the 6840 from a routed link to a trunk. And that has impacts on the other vlans.
11-07-2023 11:19 PM
- Generally speaking you can't move SVIs; the only thing you can do is delete it on the 3850 and then define it on the firewall.
M.
11-07-2023 11:32 PM
Hello!
There are multiple ways to "stretch" the L2 if you have a routed underlay. You could do VPLS or VXLAN to stretch it from the 3850 to the 6840.
BR
11-08-2023 06:03 AM
Can you elaborate more?
Thanks A Lot
MHM
11-09-2023 06:35 AM
Thanks Richard! You are absolutely correct with your interpretation. I've got a test stack and will try out some possibilities for getting the 6840<->3850 link reconfigured as a trunk link.
11-09-2023 06:38 AM
He doesn't need to make the connection a trunk; what he needs is only to add a new link for vlan 96 in the 6800 and make another one to the FW.
This makes the 6800 a bridge, and hosts in vlan 96 will have their GW in the FW.
Thanks A Lot
MHM
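To make the two designs in this thread concrete (the accepted answer's "convert the 3850<->6840 routed link to a trunk", and the alternative above of adding a dedicated link and letting the 6800 bridge only vlan 96), here is a constructed configuration sketch. It is an added example and not configuration from either poster. All interface names, the p2p VLAN number, the addresses and the zone name are assumptions; the PAN-OS lines are the standard `set network interface ... layer3 units` CLI form and should be checked against the firewall's PAN-OS version before use.

```text
!=== Variant A: convert the existing 3850<->6840 routed link to a trunk ===
!--- 3850 (assumed uplink Gi1/0/1). Delete the SVI so the 3850 stops
!--- routing vlan 96; all inter-VLAN traffic for 96 now crosses the firewall.
configure terminal
 no interface Vlan96
 vlan 96
  name segmented-vlan96
 ! the former point-to-point /30 moves onto an SVI in a dedicated VLAN
 ! (vlan 2, assumed) so existing routing toward the 6840 keeps working
 vlan 2
  name p2p-3850-6840
 interface Vlan2
  ip address 10.255.0.1 255.255.255.252
 interface GigabitEthernet1/0/1
  no ip address
  switchport
  switchport mode trunk
  switchport trunk native vlan 999         ! unused VLAN, never 1
  switchport trunk allowed vlan 2,96       ! prune to exactly what is needed
  switchport nonegotiate
end

!--- 6840 (assumed downlink Te1/1). Note there is deliberately NO
!--- "interface Vlan96": the 6840 only bridges vlan 96 toward the firewall.
configure terminal
 vlan 2
 vlan 96
 interface Vlan2
  ip address 10.255.0.2 255.255.255.252
 interface TenGigabitEthernet1/1
  no ip address
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 2,96
  switchport nonegotiate
 ! any route to the vlan 96 subnet that still points at the 3850 must go;
 ! 10.96.0.0/24 is now reached through the firewall
 no ip route 10.96.0.0 255.255.255.0 10.255.0.1
end

!=== Variant B: leave the routed link alone, add a dedicated vlan-96 link ===
!--- 3850 (assumed extra port Gi1/0/2) - SVI is still deleted as above.
configure terminal
 interface GigabitEthernet1/0/2
  switchport
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 96
  switchport nonegotiate
end

!=== Common to both variants: 6840 port toward the firewall (assumed Te1/2)
configure terminal
 interface TenGigabitEthernet1/2
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 96
  switchport nonegotiate
end

# Palo Alto (assumed ethernet1/3, zone "vlan96"): subinterface tagged 96
# becomes the new default gateway for the segment.
configure
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.96 tag 96
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.96 ip 10.96.0.1/24
set network virtual-router default interface ethernet1/3.96
set zone vlan96 network layer3 ethernet1/3.96
commit
```

Two practical notes. Reusing the address of the old SVI as the firewall subinterface IP (10.96.0.1 here is a placeholder) means hosts keep their configured gateway and only ARP learns the new MAC. And in variant B, as pointed out later in the thread, the other VLANs keep their gateway on the 6800 while only vlan 96 is gatewayed by the firewall, so check the return path for any flow that enters the segment via the firewall but could leave via the 6800, otherwise the firewall sees only half of the session and its policy and logging are blind to it.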
11-09-2023 09:47 AM
In my response I said that there is no way for the firewall to be the default gateway for vlan 96. And in practical terms I believe it to be correct. But your point is valid that if he provisions separate physical links between the 6800 and the 3850 and between the 6800 and the firewall, those links could be used for vlan 96 and the firewall could be the gateway.
11-09-2023 11:32 PM
Yes, it's valid.
The other vlans will have their GW in the 6800 and only vlan 96 will have the FW as GW.
But to be honest I don't like this solution; it can lead to asymmetric traffic.
So your solution is 100% better IF he can make the link an L2 trunk.
Thanks A Lot
MHM