When I need to implement inter-vlan routing in a small/branch office, I prefer the firewall to do instead of a Layer3 switch for the following reasons
– you do not need a high cost Layer 3 switch in small offices
– you can configure port/application level access from 1 VLAN to another so you do not need to blindly open all access between VLANs and avoid unnecessary traffic flows
– firewall has in-built features like Dashboard which let you review access logs between VLANs in the readable format(Who access what), where as you need a syslog server to review logs of Layer 3 switch
so here I am working on PA 200 firewall to configure it as a one arm routing, also called as router on a stick.
Paloalto Firewall Configuration
Paloalto Support has detailed document explaining the steps to achieve inter-vlan routing, Download Paloalto Firewall Design Guide.pdf and view Section 4.8. We do not want to repeat the steps here but one thing we want to convey is configuring inter-vlan routing in Paloalto Firewall is so simple. All you need to follow are these 2 steps –
1) Configure interfaces, sub-interfaces and VLANs (I have attached a screenshot as an example from one of my PAFW)
2) Allow traffic from one zone to another in Security Policies and you are done in PAFW.
Configure the switch port as
(config)# interface gi 0/24
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk