Configuring L3 Switch To Send Traffic to Palo Alto

Dan Man, Level 1

(Diagram attached: pa.png)

Please forgive my ignorance when it comes to Palo Altos. This is the first time I've dealt with them. We have a need to secure a localized VLAN behind the Palo Altos. I'm including a diagram to show a simulation of what we're looking to do. We have default VLAN1, which is our default data VLAN. We have VLAN 19, which is the VLAN we want to secure. The VLAN1 SVI IP is 10.1.1.1, and the VLAN19 SVI IP is 10.1.2.1. On the Palo Altos, we have one interface IP'd as 10.1.1.2 for the default data VLAN, and 10.1.2.2 for the secured VLAN. There is also an HA pair with IP addresses 10.1.1.3 and 10.1.2.3 respectively. We have EIGRP that advertises the default VLAN1 network. Here's what we're looking to do. Anything from the 10.1.1.x network going to the 10.1.2.x network needs to go through the Palo Alto. Anything coming from the 10.1.2.x network needs to go through the Palo Alto as well. Anything from 10.1.1.x to any other network takes the default route (not through the Palo Altos), and anything from 10.1.2.x to anything else on 10.1.2.x should stay local to the LAN (not go through the Palo Alto; it should just ARP for the MAC address). My question is, how do I tell my L3 switch to send all traffic destined to 10.1.2.x through the PA? I can't do an IP route, since the VLAN lives on those L3 switches and is a directly connected route. I really can't do PBR on the switch, since that's truly meant for routers. I can put a long match for everything on the 10.1.2.x network (i.e. ip route 10.1.2.7 255.255.255.255 10.1.1.2), but for some reason when doing that, anything from 10.1.2.x going to anything else on 10.1.2.x goes through the Palo Alto as well. Would anyone have any suggestion on what the best practice would be, from a network perspective, on how to do this? Thanks for any help!

Accepted Solution

Jon Marshall, Hall of Fame

It sounds like you want all traffic to and from the secured VLAN to go via the firewalls, from your description?

I am not familiar with Palo Alto firewalls either, so I don't know how they work in HA, i.e. to other devices do you simply talk to one VIP which is responsible for both firewalls?

In your example both firewalls have an IP per VLAN, but do you always just use one of the IPs for end connectivity? I'm going to assume you do, so you may need to modify, but when I say I mean the one you would point devices at for routing etc.

So to make all traffic to and from the 10.1.2.0/24 network go via the firewall you need to -

1) remove the SVI for vlan 19 from the switch stack. You need the firewall to be routing the secured vlan not the 3750s. You leave vlan 19 in the vlan database.

2) point the vlan 19 clients to the   as their default gateway

3) add a route on the 3750 stack for the 10.1.2.0/24 network -

ip route 10.1.2.0 255.255.255.0

4) if the 10.1.2.0/24 network needs to talk to remote subnets other than 10.1.1.0/24 then for each of those networks the firewall(s) would need a route. The syntax won't be IOS but this should give you an idea -

ip route 10.1.1.1

etc.. for each remote network

What the above does is that any traffic going to and from 10.1.2.x clients from other subnets has to go via the firewalls. Traffic from clients in the secured VLAN to other clients in the secured VLAN does not have to go via the firewalls.

Jon
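As an added illustration (not from the thread) of why step 1 matters: a small Python model of the 3750's route selection, using IOS administrative distances (connected 0, static 1) and longest-prefix match. It shows that a /24 static route for the secured VLAN can never be installed while the VLAN 19 SVI exists, that a /32 host route does win (the long match from the question), and that once the SVI is gone the /24 static route to the firewall carries everything. The next hop 10.1.1.2 is the firewall's VLAN 1 address from the question; that it is the one clients would be pointed at is an assumption.

```python
import ipaddress

# Administrative distances as on Cisco IOS: a connected route beats a static one.
AD = {"connected": 0, "static": 1}


def build_rib(candidates):
    """Install one route per prefix, keeping the candidate with the lowest AD,
    as the switch's RIB does. candidates: list of (prefix, source, next_hop)."""
    rib = {}
    for prefix, source, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        if net not in rib or AD[source] < AD[rib[net][0]]:
            rib[net] = (source, next_hop)
    return rib


def lookup(rib, dst):
    """Longest-prefix match: the most specific installed route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, (source, next_hop) in rib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, source, next_hop)
    return best[2] if best else None


# Before: the VLAN 19 SVI still exists (connected 10.1.2.0/24) alongside the
# static routes tried in the question. 10.1.1.2 is the firewall's VLAN 1
# address; assumed here to be the firewall IP used as next hop.
BEFORE = [
    ("10.1.1.0/24", "connected", "Vlan1"),
    ("10.1.2.0/24", "connected", "Vlan19"),
    ("10.1.2.0/24", "static", "10.1.1.2"),   # loses to connected (AD 0 < AD 1)
    ("10.1.2.7/32", "static", "10.1.1.2"),   # longer match, so it is used
]
# After steps 1 and 3 of the accepted answer: SVI removed, /24 static to firewall.
AFTER = [
    ("10.1.1.0/24", "connected", "Vlan1"),
    ("10.1.2.0/24", "static", "10.1.1.2"),
]


def next_hop_before(dst):
    return lookup(build_rib(BEFORE), dst)


def next_hop_after(dst):
    return lookup(build_rib(AFTER), dst)


if __name__ == "__main__":
    for dst in ("10.1.2.7", "10.1.2.50"):
        print(dst, "before:", next_hop_before(dst), "after:", next_hop_after(dst))
```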

5 Replies

Jon,

That was RIGHT ON THE MONEY!!!! Everything is working perfectly! I think the one thing that I was missing was the fact that I needed to remove the L3 SVI off of the switch. Due to the fact that it was a directly connected route, I was having a heck of a time pushing the traffic to the Palo Alto. Thank you SO much for your help!

No problem, glad to have helped.

Jon

Richard Lucht, Level 1

Hi, we are also starting to work with Palo Altos. I have a 6509 in VSS mode. I have all my VLANs on the 6509. All my VLANs rest in the 10.198.0.0/16 range. I am using 10.198.0.254/24 as my IP for VLAN 100 on the 6509; on the Palo Altos that I have in HA I am using 10.198.0.1/24. I had it set up with a Meraki MX60 for temp use and that is working fine. The Palo Altos will be for production. I am having trouble trying to configure the Palo Altos to route traffic for the 10.198.0.0 network to the 6509. I was wondering if you had any pointers for it.

Same issue, right? Move the protected VLAN L3 interface to the firewall instead of the switch.
