01-26-2019 08:57 AM
I was given the attached design to implement a pair of PA 5050's between the user segment and the data center. Can anyone tell me if this is a valid LACP connection? I have never seen it done without a stacking or VPC link on the other end of the port-channels. I am going to try to set it up in our lab, but I was hoping someone could tell me if it is even valid and if you would need specific code to make it work. The PA's would be routing in active/standby, not in V-wire; the 7k's do have a VPC link and the 4500's are VSS. The 4500x's and the 7k's are directly connected today.
01-26-2019 09:26 AM
01-26-2019 09:31 AM
Can you confirm: are the Nexus 7Ks connected to each other, or are they separate devices?
If they are in vPC, you can deploy enhanced vPC and support clustering. Not sure whether Palo (I don't remember correctly; off the top of my head, they do support clustering) has that feature like ASA does.
At a high level, if the 7Ks are connected to each other and the 4Ks are connected to each other, the HLD is good.
Where are the users connected? How does the network flow towards the Internet (if this is an Internet edge FW), or are these PAs internal FWs?
01-26-2019 09:42 AM
The users are connected to the 4500x’s through 3850 floor switches.
The user firewall is internal only. The edge firewall currently hangs off the 7k’s. The users will have to go through 2 firewalls to get to the internet in this design.
thank you
01-26-2019 10:50 AM
So these are Internet edge FWs. How is your existing system working? Do you have any topology of that?
If you have already connected like the setup below:
Access Switch (3850)---4KSwitch----Nexus7K Switches ---Internet
Then, instead of introducing it in the middle, you can have everything connected to the Nexus 7K inside/outside and DMZ (if the requirement is there) with the segmentation of VLANs or port-channels.
Like below:
Access Switch (3850)---4KSwitch----Nexus7K Switches --PA---Internet
01-26-2019 11:13 AM
Today the edge firewall does just hang off of the 7k's, just like you have described above. I like that idea and am not sure why we did not think of that. If I understand correctly, we would just add the user segment to the existing edge firewall, sort of like a user DMZ, and not introduce the 5050's in the middle.
Thank you for your response.
01-26-2019 01:46 PM
That is the best I can think of. You can do L2/L3 segmentation.