Inter vlan reroute to FW instead of SW - PBR?

Chris_78 · ‎06-07-2018

Hi Guys

We are looking for a way to re-route our switch inter vlan traffic through our firewall so we can apply some filtering. We are using our switches set with vrrp as gateway for our clients - the problem is that we want to do packet inspection and filtering through our Palo Alto firewall when they switch from one vlan to another. Is there a way of implementing that on Nexus 3k switches?

I tried to implement PBR but when I try to apply - ip policy route-map MAPNAME under the SVI it comes with the following error:

SF1 %$ VDC-1 %$ %RPM-2-PPF_SES_VERIFY: rpm [3417] PPF session verify failed in client afm(Line card 1/VDC NONE/UUID 656) with an error 0x41ee009f(Specified TCAM region size is zero)

Any help is greatly appreciated!

Reza Sharifi · ‎06-07-2018

Hi,

Can you explain what you are trying to do with packet inspection? Are you trying to route traffic to a device like a proxy for inspection? Do you have a device to send the traffic to for analysis?

Anyway, when it comes to packet inspection (layer-7) PA is the market leader.

HTH

Chris_78 · ‎06-07-2018

I just want to visualize all the passing data and get some analytics, logs, notifications - currently PAN is connected via VPC to both switches - and I know I can go router on stick but in that case i'm loosing the vrrp redundancy.

I have second backup PAN that is connected via single link to one of the switches - and should take over in case of failure. As of now the goal is to inter vlan on the PAN and keep the vrrp redundancy

Reza Sharifi · ‎06-08-2018

As of now the goal is to inter vlan on the PAN and keep the vrrp redundancy

If you move the vlans to PAs, the VRRP will not be helpful anymore as the gateway for all your vlans will be the firewall(s).

HTH

Chris_78 · ‎06-08-2018

That's why I'm looking for options to reroute - PBR or VRF ....