L3 Switch SVI with access port to firewall

When dealing with Palo Alto firewalls in HA I would have an L3 ether-channel to a stacked switch, with one port going to different switch ports on the stack for redundancy. Then I would create VLAN100 with an SVI for routing. Then I would put access ports in that VLAN that would be creating the ether-channel back to the firewall. Question: do I need to tag my traffic on the firewall for VLAN100, or does this not matter? Taking this one step further, can I have an L3 switch with a "no switchport" L3 interface with an IP that connects to another switch with an access port in VLAN100, or does this need to be tagged? Here is an image that shows it all. Thank you.

Hello Alan

If you have an L3 etherchannel, then you don’t need to tag your frames (i.e. no trunk port needed) for your connection to the L3 switch. It’s a layer 3 connection. You simply create access ports on the L3 switch, and your VLAN 100 SVI becomes the next hop for routing from the PA HA setup, as you mention.

Based on the diagram you have, yes you can do this without the need for any trunk ports. That's because each of the L3 switches acts as a router for these networks, and the L2 switch is simply transmitting a single VLAN from one L3 switch to another. As long as you have correctly configured routing on the L3 switches, you should be fine.

Remember, VLAN tagging is only necessary if you are sending frames from multiple VLANs/subnets over the same physical link. In your case you are sending frames from a single VLAN across these links so you don’t need tagging.

I hope this has been helpful!

Laz
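The two cases from the thread written out as switch configuration, added here as an example and not taken from the original posts: a stacked L3 switch with an access-mode port-channel toward the firewall HA pair and a VLAN 100 SVI as the firewall's next hop, plus a routed ("no switchport") port that reaches a second L3 switch through an L2 switch carrying only VLAN 100. IOS-style syntax, interface names, the 10.100.0.0/24 and 10.200.0.0/30 subnets, the LACP mode and the sample static route are all constructed assumptions; match them to your own platform and to the aggregate-interface settings on the firewall.

```cisco
! ===== L3 switch A (stack) : firewall-facing side =====
vlan 100
 name FW-TRANSIT
!
! Member links sit on different stack units for redundancy.
! No trunk: the port-channel is an access port in a single VLAN,
! so frames to and from the firewall are sent untagged.
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 description to PA HA pair aggregate (assumed LACP active; use "mode on" if the firewall aggregate is static)
 switchport mode access
 switchport access vlan 100
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode access
 switchport access vlan 100
!
! The SVI is the gateway the firewall routes to (constructed address).
interface Vlan100
 description next hop for the firewall HA pair
 ip address 10.100.0.1 255.255.255.0
 no shutdown
!
! ===== L3 switch A : routed port toward the L2 switch =====
! A routed port also sends untagged frames; the L2 switch places them
! in whatever access VLAN is configured on its side.
interface GigabitEthernet1/0/10
 description routed link to L2 switch (constructed /30)
 no switchport
 ip address 10.200.0.1 255.255.255.252
 no shutdown
!
! Example static route so traffic for a subnet behind switch B is reachable.
ip route 10.50.0.0 255.255.255.0 10.200.0.2
!
! ===== L2 switch : carries only VLAN 100 between the two L3 switches =====
vlan 100
 name L3-TRANSIT
!
interface GigabitEthernet0/1
 description to L3 switch A routed port
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet0/2
 description to L3 switch B access port
 switchport mode access
 switchport access vlan 100
!
! ===== L3 switch B : access port plus SVI on the far end =====
vlan 100
!
interface GigabitEthernet1/0/1
 description to L2 switch
 switchport mode access
 switchport access vlan 100
!
interface Vlan100
 ip address 10.200.0.2 255.255.255.252
 no shutdown
!
ip route 10.100.0.0 255.255.255.0 10.200.0.1
```

After applying this, `show etherchannel summary` on switch A should show Po1 in use with both members bundled, and `show ip route` on each L3 switch should list the other side's subnet. Because every link here carries exactly one VLAN, no 802.1Q tag is needed anywhere; the SVI and the routed port are the points where traffic changes subnet, so any ACLs for the firewall transit belong on those interfaces.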

Thank you sir for this response.
