06-07-2018 02:56 PM - edited 03-08-2019 03:17 PM
Hi Guys
We are looking for a way to re-route our switch inter-VLAN traffic through our firewall so we can apply some filtering. We are using our switches set with VRRP as the gateway for our clients. The problem is that we want to do packet inspection and filtering through our Palo Alto firewall when they switch from one VLAN to another. Is there a way of implementing that on Nexus 3k switches?
I tried to implement PBR, but when I try to apply "ip policy route-map MAPNAME" under the SVI it comes back with the following error:
SF1 %$ VDC-1 %$ %RPM-2-PPF_SES_VERIFY: rpm [3417] PPF session verify failed in client afm(Line card 1/VDC NONE/UUID 656) with an error 0x41ee009f(Specified TCAM region size is zero)
Any help is greatly appreciated!
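The following is an added example, not configuration from the poster or from Cisco's documentation for this thread. It shows the shape of the PBR setup the question asks for on NX-OS, and the TCAM carving step that the "Specified TCAM region size is zero" error points to: by default no TCAM is reserved for PBR on Nexus 3000, so the policy cannot be programmed until a PBR region is carved (and the switch reloaded). VLAN IDs, subnets, the firewall next-hop address, the region size and the exact carving command syntax are assumptions; check the TCAM commands against your Nexus 3000 model and NX-OS release before applying them.

```cisco
! Added example (not from the thread). All addresses, VLAN IDs and sizes are assumed.

! 1. Carve a PBR TCAM region. The default size is zero, which produces the
!    "Specified TCAM region size is zero" error when a policy is applied to an SVI.
!    On Nexus 3000 the new carving takes effect only after a reload, and free space
!    usually has to be taken from another region first. Assumed size: 256 entries.
hardware profile tcam region pbr 256
! copy running-config startup-config, then reload

! 2. Enable the PBR feature.
feature pbr

! 3. Match only traffic that crosses between the two client VLANs (assumed subnets),
!    in both directions, so intra-VLAN traffic is not redirected.
ip access-list INTERVLAN
  10 permit ip 10.10.0.0/24 10.20.0.0/24
  20 permit ip 10.20.0.0/24 10.10.0.0/24

! 4. Send matching packets to the firewall on a dedicated transit subnet
!    (assumed firewall address 10.99.0.2). No policy is applied on the transit
!    interface, so traffic the firewall hands back is routed normally to the
!    destination SVI.
route-map TO-PAN permit 10
  match ip address INTERVLAN
  set ip next-hop 10.99.0.2

! 5. Apply the policy on BOTH client SVIs. With the policy on only one side the
!    firewall sees half of each flow and a stateful rule will drop the return
!    direction.
interface Vlan10
  ip policy route-map TO-PAN
interface Vlan20
  ip policy route-map TO-PAN

! 6. Verify (assumed command names; confirm on your release).
! show hardware profile tcam region
! show route-map TO-PAN
```

Because the SVIs and VRRP live on both switches, the same carving and policy have to exist on both VRRP peers, otherwise a VRRP failover changes which traffic is inspected. The firewall also needs a route for both client subnets pointing back at the switch's transit address, or the redirected packets have nowhere to go.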
06-07-2018 04:07 PM
Hi,
Can you explain what you are trying to do with packet inspection? Are you trying to route traffic to a device like a proxy for inspection? Do you have a device to send the traffic to for analysis?
Anyway, when it comes to packet inspection (layer-7) PA is the market leader.
HTH
06-07-2018 06:51 PM - edited 06-07-2018 06:56 PM
I just want to visualize all the passing data and get some analytics, logs, notifications. Currently the PAN is connected via vPC to both switches, and I know I can go router-on-a-stick, but in that case I'm losing the VRRP redundancy.
I have a second backup PAN that is connected via a single link to one of the switches and should take over in case of failure. As of now the goal is to do inter-VLAN on the PAN and keep the VRRP redundancy.
06-08-2018 09:20 AM
As of now the goal is to do inter-VLAN on the PAN and keep the VRRP redundancy.
If you move the VLANs to the PAs, VRRP will not be helpful anymore, as the gateway for all your VLANs will be the firewall(s).
HTH
06-08-2018 09:28 AM