Palo1(Active)(Inside seg) >>>(L2? L3-p2p?)7K1(VPC)
Palo2(Passive)(Inside seg) >>> (L2? L3-p2p?)7K2(VPC)
How should this be done in order to maintain redundancy?
Create a new SVI and VPC for the inside firewall segment, then configure the firewall-facing link on each 7K as an access port? This would break the VPC design though, as the endpoints (Palo Altos) are not capable of VPC or PC technology, right?
What about configuring the interfaces as L3 point-to-point links? But how would state knowledge of the neighboring Nexus be shared?
Finally, I thought about using a small switch like the 2960CG, port-channeling it up to the 7Ks, then connecting the PAs to the designated inside VLAN.
All support is appreciated.
I have never deployed PA firewalls, but if they function the same as Juniper and Cisco firewalls, you can connect the active firewall to one Nexus and the passive to the other Nexus, put them in one VLAN (access) with a /29 or /28 subnet and an IP on each device: Nexus-1 one IP, Nexus-2 one IP, and the firewalls one IP if they are clustered, otherwise one each.
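The layout described in the reply above, written out as an NX-OS configuration sketch for the two 7Ks. This is an added example, not configuration from the original poster or the respondent; the VLAN number (100), the 10.10.10.0/29 subnet, the interface names and the use of HSRP for the firewall's default gateway are assumptions.

```nxos
! ===== Nexus-1 (assumed names; VLAN 100, 10.10.10.0/29 and HSRP are assumptions) =====
feature interface-vlan
feature hsrp

vlan 100
  name FW-INSIDE
! VLAN 100 must also be allowed on the vPC peer-link trunk so that
! the passive firewall on Nexus-2 stays reachable after a failover.

interface Vlan100
  no shutdown
  ip address 10.10.10.2/29
  hsrp 100
    priority 110
    ip 10.10.10.1          ! shared gateway the firewall points at

! Firewall-facing port: a plain access port (orphan port, not a vPC member),
! because the firewall cannot run LACP / port-channel towards the 7Ks.
interface Ethernet1/10
  description Palo1-inside-active
  switchport
  switchport mode access
  switchport access vlan 100
  no shutdown

! ===== Nexus-2 =====
feature interface-vlan
feature hsrp

vlan 100
  name FW-INSIDE

interface Vlan100
  no shutdown
  ip address 10.10.10.3/29
  hsrp 100
    ip 10.10.10.1

interface Ethernet1/10
  description Palo2-inside-passive
  switchport
  switchport mode access
  switchport access vlan 100
  no shutdown
```

With this layout the clustered firewalls hold one address in the /29 (for example 10.10.10.4) and use 10.10.10.1 as next hop, so a 7K failure or a firewall failover only moves traffic across the peer-link rather than changing any addressing.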
I know this was 1 year ago, but if you need any help deploying the PA with Cisco network gear, Nexus or CAT family, please respond and I will provide you the configurations for VPC or PO's, as I have deployed them in both environments.