Configure inter-vlan routing in Paloalto Firewall

When I need to implement inter-VLAN routing in a small or branch office, I prefer to have the firewall do it instead of a Layer 3 switch, for the following reasons:

– you do not need a high-cost Layer 3 switch in small offices

– you can configure port- or application-level access from one VLAN to another, so you do not need to blindly open all access between VLANs, and you avoid unnecessary traffic flows

– the firewall has built-in features such as the Dashboard that let you review access logs between VLANs in a readable format (who accessed what), whereas you need a syslog server to review the logs of a Layer 3 switch

So here I am working on a PA-200 firewall, configuring it for one-arm routing, also called router on a stick.

[Diagram: Palo Alto firewall inter-VLAN routing]

Paloalto Firewall Configuration

Palo Alto support has a detailed document explaining the steps to achieve inter-VLAN routing: download the Paloalto Firewall Design Guide.pdf and see Section 4.8. We do not want to repeat the steps here, but one thing we want to convey is that configuring inter-VLAN routing on a Palo Alto firewall is very simple. All you need to follow are these 2 steps:

1) Configure interfaces, sub-interfaces and VLANs (I have attached a screenshot as an example from one of my PA firewalls)

2) Allow traffic from one zone to another in Security Policies, and you are done on the firewall.

[Screenshot: Palo Alto sub-interface configuration for inter-VLAN routing]

Switch Configuration

Configure the switch port facing the firewall as a trunk:

(config)# interface gi 0/24
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
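The two halves of this setup (one sub-interface and zone per VLAN on the firewall, one trunk port on the switch) are easy to let drift apart. As an added example that is not part of the original post, the script below derives both sides from a single VLAN table; the PAN-OS "set ..." command forms, the interface names and the addressing are assumptions, and the command syntax should be checked against the CLI reference for your PAN-OS release.

```python
# Added example, not from the original post: derive the PAN-OS sub-interface /
# zone configuration and the matching Cisco trunk configuration from a single
# VLAN table, so the firewall and switch sides cannot drift apart. The PAN-OS
# "set ..." command forms are an assumption; verify them for your release.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vlan:
    tag: int       # 802.1Q VLAN ID carried on the trunk
    zone: str      # security zone holding this VLAN's sub-interface
    gateway: str   # sub-interface address in CIDR form (VLAN default gateway)

# Constructed sample VLAN plan with placeholder addressing
VLANS = [
    Vlan(10, "users", "10.0.10.1/24"),
    Vlan(20, "servers", "10.0.20.1/24"),
    Vlan(30, "voice", "10.0.30.1/24"),
]

def validate(vlans):
    """Each tag must map to exactly one sub-interface and one zone."""
    tags = [v.tag for v in vlans]
    zones = [v.zone for v in vlans]
    if len(set(tags)) != len(tags) or len(set(zones)) != len(zones):
        raise ValueError("duplicate VLAN tag or zone name")
    if any(not 1 <= t <= 4094 for t in tags):
        raise ValueError("VLAN tag out of 802.1Q range")

def panos_config(vlans, parent="ethernet1/1", vrouter="default"):
    """One Layer3 sub-interface per VLAN, attached to its zone and virtual router."""
    validate(vlans)
    lines = [f"set network interface ethernet {parent} layer3"]
    for v in vlans:
        sub = f"{parent}.{v.tag}"
        lines += [
            f"set network interface ethernet {parent} layer3 units {sub} tag {v.tag}",
            f"set network interface ethernet {parent} layer3 units {sub} ip {v.gateway}",
            f"set zone {v.zone} network layer3 {sub}",
            f"set network virtual-router {vrouter} interface {sub}",
        ]
    return lines

def switch_config(vlans, port="GigabitEthernet0/24"):
    """Trunk toward the firewall, pruned to the VLANs the firewall actually routes."""
    validate(vlans)
    allowed = ",".join(str(v.tag) for v in sorted(vlans, key=lambda v: v.tag))
    return [f"interface {port}",
            " switchport trunk encapsulation dot1q",
            " switchport mode trunk",
            f" switchport trunk allowed vlan {allowed}"]
```

Pruning the trunk to the listed VLANs keeps stray VLANs off the firewall link, and the duplicate check catches the common mistake of two VLANs landing in the same zone, which would silently bypass the inter-zone policy.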
