10-29-2015 01:09 AM - edited 03-08-2019 02:29 AM
Hi Guys,
Apologies if this has been discussed before, but I didn't seem to be able to find the answer.
I am new to enterprise networking, or I should say routing and switching, but I am in a situation where I have been asked to help whilst our network engineer is away.
I am trying to route a Test Vlan from Access Switch to Firewall and then internet.
Access Switch----------------------->Core Switch--------------------------------------> Firewall---------------->Internet
I have configured the VLAN on the access layer and an SVI for the same VLAN on the core, which seems to be fine. I am struggling to establish L3 connectivity between the core and the firewall (Palo Alto).
We already have a default route on our core, and that points to the ASA firewall, and then it's routed back to the core switch (depending on the prefix, of course) and then specific routes to the ISA proxy. Our network engineer seems to be against default routes on the core switches.
Now the challenge I am facing is how do I route the VLAN from the core to the firewall? There is of course a Layer 3 SVI for the VLAN and a Gig interface (which connects to the Palo Alto firewall). Now of course there can't be two Layer 3 interfaces with the same IP range. If I create the Gi as Layer 3, then how do I tag the VLAN traffic to the Layer 3 interface? If I keep the Gig interface as L2, then of course it won't be routed to the firewall.
Any suggestion will be appreciated.
Thanks in advance
10-29-2015 05:49 AM
If the test vlan only needs access to the Palo Alto firewall and nothing else then don't use an SVI on the core switch, simply extend the vlan to the firewall interface then you don't need to worry about adding routes to the core switch.
So the gig interface is an access port in the same vlan and the firewall interface uses the IP you are currently using on the SVI.
If the test vlan needs access to anything else or the Palo Alto firewall is being used for other things as well then obviously this won't work.
So can you clarify ?
Jon
10-29-2015 05:55 AM
I have tried different things on the Gig interface on the core, i.e. trunk or access, but of course I have been doing it wrong at either of the ends.
I also thought of extending the VLAN all the way to the Palo Alto firewall. So if I create VLANs and the interface connecting to the core as L2, how am I going to route it on the firewall then?
Later on I would like to move more traffic (VLANs) from the core to the Palo, so ideally I would like to have a trunk between the core and the Palo, but I am not sure how I would go about it really.
Does it make it any clearer?
Er
10-29-2015 06:00 AM
You don't route the traffic to the firewall because the firewall IP is the default gateway of the clients in your test vlan ie.
client (vlan 20) -> core switch -> firewall -> internet
in the above vlan 20 exists at L2 in the vlan database on the core switch but you don't have a L3 SVI for it.
And the port connecting the core switch to the firewall is an access port in vlan 20.
Like I say this only works if -
1) the clients in vlan 20 don't need access to anything else
and
2) the firewall is only being used for this test connectivity.
Jon
10-29-2015 07:53 AM
Thanks again and i understand it.
How about if i want to trunk multiple vlans please?
10-29-2015 07:57 AM
As long as the Palo Alto firewall supports subinterfaces and understands vlan tags you should be able to do that.
One thing worth mentioning is that if you have multiple vlans that you want to use that firewall but also communicate freely with each other then terminating all vlans on the firewall may not be the best way to go.
Using SVIs and perhaps VRFs can help keep traffic separate.
Difficult to say without knowing more details.
Jon
10-29-2015 08:02 AM
Sure, let me try and I will share the results if that's ok.
10-29-2015 08:03 AM
No problem.
Jon
10-29-2015 10:14 AM
All right, I tried extending the VLAN to the Palo but it still doesn't seem to be working.
Access Switch
===========
Building configuration...
Current configuration : 375 bytes
!
interface GigabitEthernet1/0/42
switchport access vlan 2026 <<<<<<<------Access Port with VLAN 2026
switchport mode access
end
Core Switch
==========
Building configuration...
Current configuration : 129 bytes
!
interface GigabitEthernet1/1
description TCC-PA-1-Gi1/7 <<<<<<-----------Connected to Palo
switchport
switchport access vlan 2026 <<<<<----Access and tagged as VLAN 2026
switchport mode access
end
I have shut down the SVIs on the core
Now I have tried to configure the Gi 1/7 interface on the Palo as the default gateway with IP 10.132.26.1 for clients on VLAN 2026.
In order to assign an IP I have to create it as Layer 3. If I do that, communication won't go through because on the core I am creating it as L2 and on the Palo as L3.
If I don't create the interface as L3 on the Palo then I can't give it the default gateway IP.
I am sorry but my understanding isn't great.
10-29-2015 12:46 PM
Firstly gi1/1 on the core is not tagged because it is an access port.
If you are just trying this for vlan 2026 then the firewall port should be L3 with an IP assigned.
If gi1/1 was a trunk link then the firewall would need to use subinterfaces, one for each vlan.
When you say communication won't work because on the core it is L2 and on the firewall L3 that is not right because that setup is exactly what you want.
If you made gi1/1 on the core switch L3 then the IP subnet would only exist between that port and the firewall ie. your clients would have to be in a different IP subnet.
You want to simply extend L2 all the way from the access switch to the firewall so all ports need to be L2 until they get to the L3 interface on the firewall.
One thing to check is your access switch connects to the core switch with an uplink.
How are the ports on either end of that link configured ie. if a trunk then you need to make sure your vlan is allowed on that link.
Jon
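The point Jon makes above about tagging is easy to check with a few bytes on the wire. The following is an added example, not code from the thread or from either poster: a small Python model of 802.1Q framing that builds the frame a Cisco access or trunk port would emit toward the firewall and checks whether a plain Layer 3 interface or a tagged Layer 3 subinterface would terminate it. VLAN 2026 and the port roles (core gi1/1 toward the firewall's ethernet1/7) come from the thread; the MAC addresses, function names and the native-VLAN case are constructed assumptions for illustration.

```python
"""Model of 802.1Q framing between a Cisco access/trunk port and a firewall
Layer 3 interface or tagged subinterface.

Added example, not code from the thread or from either poster. VLAN 2026 and
the port roles come from the thread; MAC addresses, function names and the
native-VLAN scenario are constructed assumptions.
"""
import struct
from typing import Optional

ETH_P_8021Q = 0x8100   # TPID that announces an 802.1Q tag
ETH_P_IP = 0x0800      # payload EtherType used in the sample frames

# Sentinel for "the switch never put the frame on this port".
DROP = object()

# Constructed sample addresses and padding (not from the thread).
FIREWALL_MAC = bytes.fromhex("0010db000001")
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_PAYLOAD = bytes(46)   # the L3 content is irrelevant to the tagging question


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; with vid set, insert a 4-byte 802.1Q tag after the MACs."""
    if vid is None:
        return dst + src + struct.pack("!H", ETH_P_IP) + payload
    if not 0 <= vid <= 4094:
        raise ValueError("VLAN ID must be 0..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1)=0 VID(12)
    return (dst + src + struct.pack("!HH", ETH_P_8021Q, tci)
            + struct.pack("!H", ETH_P_IP) + payload)


def parse_vid(frame: bytes) -> Optional[int]:
    """VLAN ID from the 802.1Q tag, or None if the frame is untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def switch_egress(vlan: int, mode: str, *, access_vlan: int = 1,
                  allowed: frozenset = frozenset(), native: int = 1):
    """What the core's port toward the firewall emits for a frame in `vlan`.

    Returns the VID placed in the tag, None for an untagged frame, or DROP.
    An access port carries only its one VLAN and never tags it; a trunk tags
    every allowed VLAN except the native VLAN, which leaves untagged.
    """
    if mode == "access":
        return None if vlan == access_vlan else DROP
    if mode == "trunk":
        if vlan not in allowed:
            return DROP
        return None if vlan == native else vlan
    raise ValueError(f"unknown port mode {mode!r}")


def firewall_terminates(frame: bytes, iface_tag: Optional[int]) -> bool:
    """A plain Layer 3 interface (iface_tag None) terminates only untagged
    frames; a Layer 3 subinterface with a tag terminates only frames that
    carry exactly that VID."""
    return parse_vid(frame) == iface_tag


def reaches_firewall(mode: str, iface_tag: Optional[int],
                     vlan: int = 2026, **port) -> bool:
    """End-to-end check: is a client frame in `vlan` terminated by the
    firewall interface, given the core port mode and the firewall side?"""
    wire_vid = switch_egress(vlan, mode, **port)
    if wire_vid is DROP:
        return False
    frame = build_frame(FIREWALL_MAC, CLIENT_MAC, SAMPLE_PAYLOAD, vid=wire_vid)
    return firewall_terminates(frame, iface_tag)


# The combinations tried in the thread, plus the native-VLAN caveat.
SCENARIOS = {
    "access vlan 2026 -> plain L3 interface":
        reaches_firewall("access", None, access_vlan=2026),
    "trunk allowed 2026 -> plain L3 interface":
        reaches_firewall("trunk", None, allowed=frozenset({2026})),
    "trunk allowed 2026 -> subinterface tag 2026":
        reaches_firewall("trunk", 2026, allowed=frozenset({2026})),
    "access vlan 2026 -> subinterface tag 2026":
        reaches_firewall("access", 2026, access_vlan=2026),
    "trunk native 2026 -> plain L3 interface":
        reaches_firewall("trunk", None, allowed=frozenset({2026}), native=2026),
}

if __name__ == "__main__":
    for name, ok in SCENARIOS.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

The two combinations from the thread that line up are the ones Jon describes: an access port in VLAN 2026 feeding a plain Layer 3 interface (frames arrive untagged), or a trunk allowing 2026 feeding a subinterface tagged 2026. A trunk toward a plain Layer 3 interface fails because the firewall sees a 0x8100 tag it has no subinterface for, and an access port toward a tagged subinterface fails because no tag is ever sent. The native-VLAN case passes only because a trunk leaves its native VLAN untagged; relying on that couples the untagged VLAN to the firewall interface, so the explicit subinterface is the clearer choice when more VLANs are added later.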
10-30-2015 06:38 AM
Hi Jon,
I have actually tried both ways.
I have created a new VLAN on Access Switch>>>>>Core Switch>>>>>>Palo Alto in order to get to Internet. I am simply trying to extend the VLAN domain all the way to Palo Alto
XXX-FLOOR3- Gi1/0/42>>>>>>>>>>>>>Where the client connects
XXX-FLOOR3#sh run in gigabitEthernet 1/0/42
Building configuration...
interface GigabitEthernet1/0/42
switchport access vlan 2026
switchport mode access
no logging event power-inline-status
end
XXX-FLOOR3-PO13 >>>>>>>Uplink to Core
interface Port-channel13
description XXX-CORE-1-Gi1-0-49-Gi2-0-49
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,2012,2021,2026,2070,2102,2134,2174 >>>>>>>>>>VLAN 2026 is Allowed
switchport mode trunk
switchport nonegotiate
logging event trunk-status
spanning-tree portfast disable
end
XXX-Core-1-PO13>>>>>>>>Up Link to Access Layer Switch
interface Port-channel13
description XXX-FLOOR3-Gi2-9-Gi4-21
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,12,2012,2021,2026,2070,2102,2134,2174 >>>>>>>>>>>>>>>>>VLAN 2026 is allowed
switchport mode trunk
switchport nonegotiate
mtu 9216
logging event link-status
logging event trunk-status
mls qos trust cos
spanning-tree portfast disable
end
XXX-Core-1#sh run in gigabitEthernet 1/1>>>>>>>>>>>>>>>>Interface that connects to Palo Alto so I created this as Access port (L2)
Building configuration...
interface GigabitEthernet1/1
description XXX-PA-1-Gi1/7
switchport
switchport access vlan 2026
switchport mode access
end
On Palo I have created a Layer 3 interface for VLAN 2026 and assigned the IP 10.132.26.1 as a default gateway. Pic attached.
Now when I try to ping 10.132.26.1 from the core I can't.
XXX-Core-1#ping 10.132.26.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.132.26.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
XXX-Core-1#
As far as Palo is concerned interface belongs to trust zone and Ping profile is applied. I have added 10.132.0.0/16 to Ping profile which will allow ping from anything 10.132.x.x. There is already a rule on Palo from Trust to Trust allow.
I have also tried creating Gi1/1 as trunk.
Current configuration : 173 bytes
!
interface GigabitEthernet1/1
description TCC-PA-1-Gi1/7
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2026
switchport mode trunk
end
Created a subinterface on the Palo. Picture attached. But it just won't work and I am just pulling my hair out.
I am not even sure what I should try next.
10-30-2015 07:22 AM
Can you temporarily create an SVI for that vlan on the core switch with the IP you are assigning to the firewall interface and test ping from clients.
If that works I think that points to something on the firewall.
Jon
10-30-2015 07:31 AM
Hi Jon,
That is something i have done in the past and it worked fine.
XXX-Core-1#sh run int vlan 2026
Building configuration...
Current configuration : 229 bytes
!
interface Vlan2026
description Test VLAN
ip address 10.132.26.253 255.255.255.0
ip helper-address 128.1.15.98
no ip redirects
no ip proxy-arp
standby version 2
standby 2026 ip 10.132.26.1
standby 2026 priority 150
end
XXX-Core-2#sh run in vlan 2026
Building configuration...
Current configuration : 229 bytes
!
interface Vlan2026
description Test VLAN
ip address 10.132.26.254 255.255.255.0
ip helper-address 128.1.15.98
no ip redirects
no ip proxy-arp
standby version 2
standby 2026 ip 10.132.26.1
standby 2026 priority 120
end
XXX-Core-2#
XXX-FLOOR3#ping 10.132.26.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.132.26.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
XXX-FLOOR3#ping 10.132.26.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.132.26.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
XXX-FLOOR3#
I am not sure what it could be on the firewall since the rule is there. The issue is definitely between the core and the firewall.
10-30-2015 08:15 AM
I agree the issue is on the firewall.
Have you tried pinging from the firewall to a client ie. sometimes firewalls are picky about accepting ping (even though you have configured it to do so) but happy if they initiate the ping.
I don't have any experience with that model of firewall so not sure what else to suggest.
All I can say at the moment is that your switch configuration looks good to me.
Jon
10-30-2015 08:21 AM
Hi Jon,
No problem, your time and effort are much appreciated. I will continue to investigate and try different options and will let you know how it goes.
Thanks again. Have a good weekend.