How to Configure the Firewall in a High Availability Active/Standby Switched Redundant Networks

How to Configure the Firewall in a High Availability Active/Standby Switched Redundant Networks

176
Created On 07/28/22 23:34 PM - Last Modified 11/12/25 22:20 PM


Objective


You may have a Layer 2 high availability switch stack in a high availability active/standby setup which needs to have redundant vlan networks connect to your Palo Alto firewall
The following article provides one way to setup your Palo Alto firewall to allow redundant vlan networks to connect to the firewall acting as the default gateway using Layer 2 subinterfaces

Environment


  • Redundant VLAN networks with switch stack in a High Availability Active/Standby setup
  • Only one switch is Active at any given time and the peer will be in Standby
  • The Palo Alto firewall acts as the Default Gateway for each VLAN Network
  • One Virtual Router is used
  • Layer 2 subinterfaces

Procedure


The topology shown below will serve as an example to simplify the configuration
Switch-1 and Switch-2 are in a high availability active/standby setup with the same 4 VLAN networks connected to each switch
The link from Switch-1 and Switch-2 to the firewall are trunk ports connected directly to ports ethernet1/1 and ethernet1/2 respectively
The goal is to configure the firewall with Layer 2 subinterfaces and a VLAN interface with an IP address configured as the default gateway for each respective VLAN
This will allow each VLAN to reach each other and other routed networks
 
topology-vlan1.PNG

CONFIGURATION
1. Configure ethernet1/1 and ethernet1/2 as Interface Type Layer2
eth1.PNG

2. Add subinterfaces for each vlan under each physical interface
Below we are adding subinterface ethernet1/1.10 with VLAN Tag 10
interface10.PNG

While adding each subinterface add a new VLAN and Security Zone by clicking on their respective links as shown
Only add the names for VLAN and Zones
vlan-linkA.PNG
zone-linka.PNG

Once subinterfaces are configured it should look as shown below
In this example we have 4 subinterfaces configured under ethernet1/1 and ethernet1/2
Each subinterface has its own VLAN and Zone
Notice each subinterface configured under one physical interface will have its counterpart on the second physical interface
For example: subinterface ethernet1/1.10 will have the same VLAN and Zone as ethernet1/2.10
interfacesA.PNG

3. Add a VLAN interface for each VLAN. in the example below we added vlan.10 interface for VLAN vlan10
Add a Layer 3 Zone which will be used for all VLAN's. Below Zone VLAN10-40 was created
Configure the associated IP address. For VLAN10 we are configuring IP 192.168.10.1/24
Note: You can create separate  VLAN interface zones. Just ensure security policies allows the flow for all traffic initiated or destined to these zones
vlan-intA.PNG
IP.PNG

4. Configure associated policies to allow traffic
Below policy "vlan10-40_TO_Untrust was added to allow traffic sourced by VLAN interfaces to Untrust zone
policy.PNG

VERFIY CONFIGURATION
Once finished, your VLANs, VLAN Interfaces and Zones should look as shown below
VLANS
VLANSAA.PNG

VLAN INTERFACES
VLAN-INTERFACES.PNG
ZONES
ZONES1.PNG
 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlBgCAI&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail