
VPC 7K Traffic Flow Trouble

DamianRC
Level 1

Please see the attached topology drawing.


Each 7K can ping the Active-Pal. Active-Pal is connected to 7K A, so Active-Pal's MAC appears on 7K A's interface. 7K B, again, can also ping Active-Pal. Of course, Active-Pal's MAC doesn't appear on 7K B's interface connected to Pass-Pal, but Active-Pal's MAC does appear in 7K B's MAC address table. My assumption is that 7K B is reaching Active-Pal via the vPC peer link. Here's the trouble: while 7K B can ping Active-Pal from its .70 address, hosts in the environment that use Nex2 as their first hop cannot. Hosts using 7K A reach Active-Pal without problem. If the 7K B Pass-Pal interface is disabled, Active-Pal becomes reachable from hosts in the environment.


There is now a move planned that would relocate the Pals. Should the existing inside layer 3 connections be maintained, or should those links be converted to layer 2? I understand that the answer to this question might be revealed by the outcome of the above analysis.


Any and all help appreciated.

5 Replies

Reza Sharifi
Hall of Fame

I am not sure why VLAN 80 has so many IPs. If VLAN 80 is the transit VLAN between the 7Ks and the Pals, you only need a /29 or /28 subnet and three IPs: one for 7K A, one for 7K B, and one for both firewalls. No need for VRRP or HSRP.

Can you clarify if this is what you are trying to do?

HTH

VLAN/segment 80 was an existing segment from which the addresses were taken. Making the change you've identified is straightforward and can be done. Would it resolve the issue, though? Are there vPC loop prevention rules at play here? Nothing I've read seems to imply this (or at least, nothing I was able to comprehend). Additionally, in the scheme you've described, how would traffic on the opposite side of the passive Palo know how to get to the active one: static routing (dynamic routing is disallowed in the environment)?


Host-sourced firewall destined traffic should reach Active-Pal regardless of which 7K is the first hop. This isn't currently the case, so long as 7K B's Passive-Pal facing interface is up. However, traffic sourced from 7K B does reach Active-Pal whether or not the Passive-Pal facing interface is up.


That said, is the layer 3 p2p approach the best here?


I appreciate your help. 

That said, is the layer 3 p2p approach the best here?

So, let me just say that I am not familiar with PA firewalls and not sure whether, when you cluster the chassis together, the interfaces towards Nexus A and B need to be aggregated or not. I know this is the case with Juniper firewalls. So, if the interfaces aggregate, you can't have two /30 p2p links from the firewall towards the Nexus, as you only have one interface, which takes only one IP. So, you need a /29 in a VLAN that spans from the firewalls to both Nexus (this is the same scenario I described in my first post). If the interfaces are not aggregated, then you can have two /30s (one from one firewall to one Nexus and the other from the other firewall to the other Nexus). In this scenario, you also need a /30 between the Nexus. Looking at your diagram, I have a feeling you can only have one IP on both firewalls, as they are clustered and you have one logical interface facing the Nexus switches.

HTH 
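As an added illustration of the single transit /29 described in both of Reza's replies (example configuration written for this thread, not configuration from the original poster, from Cisco or from Palo Alto), the NX-OS fragment below gives each 7K one SVI in VLAN 80 and assumes the clustered firewalls present a single shared inside address. VLAN 80 is kept from the thread; every address (the 192.0.2.0/29 documentation range) and the inside-subnet summary 10.0.0.0/8 are constructed placeholders, and the firewall side is shown only as comments because its exact syntax is not discussed on the page.

```text
! Added example: /29 transit in VLAN 80, one address per 7K, one shared address for the firewall cluster.
! All addresses are constructed placeholders (RFC 5737 documentation range); the thread's real addressing is not shown.
!
! --- 7K A ---
feature interface-vlan
vlan 80
  name FW-TRANSIT
interface Ethernet1/1
  description to Active-Pal inside interface
  switchport
  switchport mode access
  switchport access vlan 80
  no shutdown
interface Vlan80
  description Transit to Active/Passive Pal cluster
  no shutdown
  ip address 192.0.2.1/29
! default route toward the firewall cluster's shared address
ip route 0.0.0.0/0 192.0.2.3
!
! --- 7K B ---
feature interface-vlan
vlan 80
  name FW-TRANSIT
interface Ethernet1/1
  description to Passive-Pal inside interface
  switchport
  switchport mode access
  switchport access vlan 80
  no shutdown
interface Vlan80
  description Transit to Active/Passive Pal cluster
  no shutdown
  ip address 192.0.2.2/29
ip route 0.0.0.0/0 192.0.2.3
!
! --- Firewall cluster (described in comments only; not Palo Alto syntax) ---
! inside interface: 192.0.2.3/29, one address shared by Active-Pal and Passive-Pal (the active unit answers for it)
! static routes for the inside subnets, e.g. 10.0.0.0/8 via 192.0.2.1 and a second route via 192.0.2.2,
! because with no VRRP/HSRP on the 7K side there is no single virtual gateway address to point at
```

The firewall comments address the static-routing question raised earlier in the thread: with no FHRP on the transit VLAN, the firewall's routes for the inside subnets must name the 7K addresses individually (one per 7K, as assumed here), rather than a shared virtual address.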


BTW, all end-device VLANs (server, storage, etc.) will terminate on the 7Ks with HSRP, right?

All end devices terminate on FEXes. VRRP is the FHRP.
