Hi all, I've got a scenario I'm trying to overcome and struggling to see a simple solution.
I've got a Cisco stack with a data VLAN (1) and a guest VLAN (2), 192.168.255.0/24. The SVIs reside on the L3 switch. I then have a transit VLAN (10). Let's say VLAN 10 sits on the 10.10.10.0/24 subnet with an SVI of 10.10.10.10.
The default route is 0.0.0.0 via VLAN 10 >>>> 10.10.10.1 (L3 interface on the Palo Alto stack). All other traffic has specific routes to our MPLS via 10.10.10.254 (VRRP). The MPLS is delivered/patched directly into our switch stack and does not touch the Palo for inter-VLAN routing of private subnets. Internet connectivity is delivered on an outside interface on the Palo via a DSL circuit on a 192.168.1.xxx/24 subnet. We also have an ASA connected directly to the Palo to provide AnyConnect, so the upstream DSL router is providing port forwarding to the Palo outside interface. Static routes exist on the Palo that point back to the switch via the transit SVI to reach private subnets on the MPLS. We have static routes on the switch pointing back to the AnyConnect subnet hosted on the PA stack.
So to be clear, we have two separate circuits being delivered at two different ingress points. Most Internet-bound traffic is actually proxied down the MPLS, so only very specific proxy PAC routes go via 0.0.0.0 and the Palo Alto. All guest traffic is sent to 0.0.0.0.
The challenge I am facing is as follows. A new MPLS/Internet provider is being provided as a merged circuit, so traffic intended for the Internet or MPLS is now presented as a single IP address. Let's say it reuses the existing VRRP 10.10.10.254. I need to connect two physical uplinks to the MPLS and WWW box. These CPEs have an HA link between them, so if either box fails it still has connectivity to MPLS or WWW.
It sounds simple enough but I'm concerned I'm missing something:
Should I just connect the 2 uplinks from the CPE directly into the Palo (as layer 2) on VLAN 10? Effectively all I do then is replicate one security zone for the additional interface. Inline traffic traverses the PA to reach the transit SVI and the local branch subnet on VLAN 1. Routing on the switch just needs to point to 10.10.10.254 instead of 10.10.10.1.
With regards to guest traffic, this can traverse the same VLAN, but I'll just add additional security rules for any source or destination traffic on 192.168.255.0/24.
All NAT will be done via the CPE Internet interface.
In terms of current connectivity, I'll provide a diagram shortly, but I have a single uplink on VLAN 10 for each PA. A single uplink to each MPLS CPE on VLAN 10 also, but from the switches. The only change here is that the new CPE/WWW box will connect directly into the PA. I forgot to mention I'll need a layer 2 switch to account for the secondary standby PA.
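An added model of the routing described in the post (not the poster's configuration), used to check which flows actually pass through the Palo Alto before and after the cutover, and which ones are routed between SVIs on the switch stack and never reach it. The data VLAN subnet and the MPLS private range are not stated in the post, so the values used for them are assumptions.

```python
import ipaddress

# Addresses given in the post.
PA_GW = ipaddress.ip_address("10.10.10.1")       # Palo Alto L3 interface on VLAN 10
CPE_VRRP = ipaddress.ip_address("10.10.10.254")  # MPLS (later merged MPLS/WWW) VRRP

# Subnets whose SVIs live on the L3 switch stack. Traffic between two of these
# is routed on the switch and never reaches the PA or the CPE.
SVI_SUBNETS = {
    "vlan1-data": ipaddress.ip_network("192.168.10.0/24"),   # assumption: not in post
    "vlan2-guest": ipaddress.ip_network("192.168.255.0/24"),
    "vlan10-transit": ipaddress.ip_network("10.10.10.0/24"),
}
MPLS_PRIVATE = ipaddress.ip_network("10.0.0.0/8")  # assumption: stands in for MPLS sites

# Switch routing table per phase as (prefix, next hop); longest prefix wins.
SWITCH_ROUTES = {
    "before": [(ipaddress.ip_network("0.0.0.0/0"), PA_GW), (MPLS_PRIVATE, CPE_VRRP)],
    "after": [(ipaddress.ip_network("0.0.0.0/0"), CPE_VRRP)],
}


def longest_prefix_match(routes, dst):
    """Return the next hop for dst, or None if no route matches."""
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def trace(src, dst, phase):
    """List the devices a packet from src to dst passes through, in order."""
    dst = ipaddress.ip_address(dst)
    path = ["switch"]
    if any(dst in net for net in SVI_SUBNETS.values()):
        return path  # inter-VLAN routing stays on the switch stack
    next_hop = longest_prefix_match(SWITCH_ROUTES[phase], dst)
    if next_hop == PA_GW:
        path += ["palo-alto", "dsl-router"]
    elif next_hop == CPE_VRRP and phase == "before":
        path += ["mpls-cpe"]  # MPLS is patched straight into the switch stack
    elif next_hop == CPE_VRRP:
        path += ["palo-alto", "mpls-www-cpe"]  # new CPE uplinks hang off the PA
    return path


def crosses_firewall(src, dst, phase):
    """True if the flow is seen by the Palo Alto's security rules."""
    return "palo-alto" in trace(src, dst, phase)
```

Guest-to-data-VLAN flows return a path of just the switch in both phases, so rules for 192.168.255.0/24 placed only on the PA do not apply to them.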