Design & Build

Data Center Solution-Best Practice: Palo Alto Network Firewall Integration with Brocade NetIron MLX Router

Posted 04-05-2013 09:29 AM, edited 04-08-2014 04:43 PM by pmadduru (6,056 Views)

Synopsis: An example showing how to configure a Palo Alto Networks firewall with Brocade Multi-Chassis Trunking (MCT), Virtual Router Redundancy Protocol Extended (VRRP-E) and Policy Based Routing (PBR) on Brocade's NetIron MLX Router.

 


Preface

Overview

This document provides an example of how to deploy a Palo Alto Networks perimeter firewall with Brocade Multi-Chassis Trunking (MCT) and Virtual Router Redundancy Protocol Extended (VRRP-E) at the aggregation tier. Brocade MLX Series Routers are used in the example, with Policy Based Routing (PBR) directing designated traffic through the firewall for inspection.

 

Audience

Network architects, designers and administrators who are deploying Palo Alto Networks perimeter firewalls with Brocade NetIron products such as the Brocade MLX Router.

 

Objectives

Network security is critical for securing access to applications and data for internal and external users. High availability is equally essential, so that traffic continues to be inspected when a network router goes off-line. For this reason, Brocade provides Multi-Chassis Trunking (MCT), Virtual Router Redundancy Protocol (VRRP) and VRRP Extended (VRRP-E) with the NetIron family of products.

 

Network services such as firewalls and load balancers can be configured as MCT clients on Brocade switches for higher availability. With this type of deployment all links are active and traffic is load-shared across them using a hashing algorithm. If one MCT switch fails, a data path remains through the other switch with sub-second convergence. In addition, Policy-Based Routing allows you to use ACLs to selectively direct traffic to a next-hop gateway such as a firewall.

 

Related Documents

 

The following provide more detailed information.

 

References

 

About Brocade

Brocade® (NASDAQ: BRCD) networking solutions help the world’s leading organizations transition smoothly to a world where applications and information reside anywhere. This vision is designed to deliver key business benefits such as unmatched simplicity, non-stop networking, application optimization, and investment protection.

Innovative Ethernet and storage networking solutions for data center, campus, and service provider networks help reduce complexity and cost while enabling virtualization and cloud computing to increase business agility.

To help ensure a complete solution, Brocade partners with world-class IT companies and provides comprehensive education, support, and professional services offerings. (www.brocade.com)

 

About Palo Alto Networks

Palo Alto Networks, Inc. has pioneered the next generation of network security with our innovative platform that allows you to secure your network and safely enable the increasingly complex and rapidly growing number of applications running on your networks. At the core of this platform is our next-generation firewall which delivers visibility and control over application, users, and content within the firewall using a highly optimized hardware and software architecture. This platform uniquely offers you the ability to identify, control, and safely enable applications while at the same time inspecting all content for all threats all the time. These capabilities are combined with superior performance compared to traditional approaches, including those found in a UTM or software blade approach. Our approach allows you to simplify your network security infrastructure and to eliminate the need for a variety of stand-alone and bolt-on security devices. Our platform can address a broad range of your network security requirements, ranging from the data center to the enterprise perimeter to the far edges of the network, which includes branch offices and mobile devices.

 

Key Contributors

The content in this guide was developed by the following key contributors.

  • Lead Designer: Marcus Thordal, Strategic Solutions Lab

 

Document History

Date              Version      Description

2013-04-05     1.0              Initial Release

 

Example Deployment

Within a data center network, Brocade MCT provides both link-level and node-level redundancy for attached devices by allowing them to form static or dynamic (LACP) link aggregation groups that span the two MLX nodes.

This technology is most often used to connect downstream access switches into the aggregation tier, but it can also be used for network services such as firewalls and load balancers. With this deployment all links are active and traffic is load-shared using a hashing algorithm. In addition, there is only one hop to an active firewall from either aggregation node.

 

In the example below, a pair of redundant firewalls is deployed in a one-armed design. They can be deployed as either active/active or active/passive. The two firewall ports are configured as an aggregate group, with one port connected to each MLX.

 

[Figure: Brocade MCT with Palo Alto Networks Firewalls as MCT Clients (PAL_MCTWithPALFWAsClient.jpg)]

 

Brocade MLX Configuration

 

Configuring Multi-chassis Trunking (MCT)

 

The MLX MCT configuration for MLX-1 and MLX-2 is described below. Refer to the NetIron Configuration Guide for more details about creating and configuring MCT clusters.

The PAN firewall is attached to port 2/8 on each MLX. A cluster client instance is created for the firewall on each MLX and is identified by a client rbridge-id (52 in this example, which must be the same on both cluster members and unique among the cluster's clients) and the physical client port. Once deployed, the firewall sees the MCT cluster as a single logical switch.

Below are the configuration commands for MLX-1 and MLX-2.

 

----------
!MLX-1 Configuration
!
cluster MCT-CLUSTER 1
rbridge-id 100
session-vlan 4090
member-vlan 100 to 500
icl ICL ethernet 1/1
peer 12.12.12.2 rbridge-id 200 icl ICL
  client-interfaces delay 30
deploy
client PAN-FW
  rbridge-id 52
  client-interface ethernet 2/8
  deploy
----------

----------
!MLX-2 Configuration
!
cluster MCT-CLUSTER 1
rbridge-id 200
session-vlan 4090
member-vlan 100 to 500
icl ICL ethernet 1/1
peer 12.12.12.1 rbridge-id 100 icl ICL
  client-interfaces delay 30
deploy
client PAN-FW
  rbridge-id 52
  client-interface ethernet 2/8
  deploy
----------

The links going to the firewall (port 2/8 on each MLX) are tagged to carry VLANs 110 and 111; the VLAN definitions in the next section also tag the ICL port 1/1 so that both VLANs are carried between the cluster members.

 

Configuring VRRP-E

VRRP-E is configured on the Virtual Ethernet (VE) interfaces for these two VLANs, giving each VLAN a single gateway address (192.168.110.1 and 192.168.111.1) that survives the loss of either MLX. Note that VLAN 110 and VLAN 111 are both directly connected to both MLXs: without Policy Based Routing, traffic between them would follow the MLX's connected routes and never reach the firewall. The objective is to use PBR to send the desired traffic from VLAN 110 to VLAN 111 through the firewall while other traffic is forwarded directly through the network. The two VRRP-E instances deliberately use different priorities on each MLX (the lower priority 50 on ve 110 of MLX-1 and on ve 111 of MLX-2, the default priority elsewhere), so that each MLX is master for one VLAN and backup for the other; short-path-forwarding lets the backup forward traffic locally instead of sending it across the ICL to the master.

Below are the configuration commands for MLX-1 and MLX-2.

 

----------
!
!MLX-1 Configuration
!
vlan 110 name FW-IN
tagged ethe 1/1 ethe 2/1 ethe 2/8
router-interface ve 110
!
vlan 111 name FW-OUT
tagged ethe 1/1 ethe 2/1 ethe 2/8
router-interface ve 111
!
interface ve 110
port-name FW-IN
ip ospf area 0
ip address 192.168.110.253/24
ip vrrp-extended vrid 110
  backup priority 50
  ip-address 192.168.110.1
  advertise backup
  short-path-forwarding
  activate
!
interface ve 111
port-name FW-OUT
ip ospf area 0
ip address 192.168.111.253/24
ip vrrp-extended vrid 111
  backup
  ip-address 192.168.111.1
  advertise backup
  short-path-forwarding
  activate
----------

----------
!
!MLX-2 Configuration
!
vlan 110 name FW-IN
tagged ethe 1/1 ethe 2/1 ethe 2/8
router-interface ve 110
!
vlan 111 name FW-OUT
tagged ethe 1/1 ethe 2/1 ethe 2/8
router-interface ve 111
!
interface ve 110
port-name FW-IN
ip ospf area 0
ip address 192.168.110.254/24
ip vrrp-extended vrid 110
  backup
  ip-address 192.168.110.1
  advertise backup
  short-path-forwarding
  activate
!
interface ve 111
port-name FW-OUT
ip ospf area 0
ip address 192.168.111.254/24
ip vrrp-extended vrid 111
  backup priority 50
  ip-address 192.168.111.1
  advertise backup
  short-path-forwarding
  activate
----------

Configuring Policy Based Routing

 

In this deployment example, PBR is used to direct selected traffic through the firewall while other traffic is forwarded directly into the network.

There are three steps to configuring Policy Based Routing.

  • Create an ACL for traffic that you want to route using PBR
  • Create a route-map that matches on the ACL and sets the route information
  • Apply the route-map to an interface

First we create an access list that defines which traffic we wish to route through the firewall. In the NetIron extended ACL syntax the first address/wildcard pair is the source and the second is the destination, so the entry below matches IP traffic from any source that is destined to the 133.33.0.0/16 network (wildcard 0.0.255.255). Only packets permitted by the ACL are candidates for policy routing; everything else, including traffic to other internal networks, is routed normally.

 

----------
telnet@MLX-1(config)# access-list 123 permit ip any 133.33.0.0 0.0.255.255
----------

Next, we create a route-map that specifies the routing information for traffic matched by the ACL. Here, the next hop is set to the firewall's address on VLAN 110 (192.168.110.2), which must be reachable through a directly connected interface for the set statement to take effect.

----------
telnet@MLX-1(config)#route-map fw-in permit 123
telnet@MLX-1(config-routemap fw-in)#match ip address 123
telnet@MLX-1(config-routemap fw-in)#set ip next-hop 192.168.110.2
telnet@MLX-1(config-routemap fw-in)#^Z
----------

The final step is to apply the route-map to an interface. The route-map can be applied to physical or virtual interfaces, and it acts only on traffic entering that interface. In this example, we apply it to the physical interface that is cabled to the core router in our network. Note: this must be applied on the corresponding interfaces of both MLXs in the MCT cluster, otherwise traffic entering through the other cluster member is routed normally and bypasses the firewall; the same applies to any other ingress interface from which 133.33.0.0/16 is reachable.

----------
telnet@MLX-1(config)#int ethernet 1/4
telnet@MLX-1(config-if-e10000-1/4)#ip policy route-map fw-in
telnet@MLX-1(config-if-e10000-1/4)#^Z
----------

Now, any traffic entering on ethernet 1/4 that matches the ACL is forwarded in hardware to the Palo Alto Networks firewall. Return traffic from 133.33.0.0/16 does not match ACL 123 and would otherwise be routed directly back to the core, bypassing the firewall. Because the firewall is stateful, it drops sessions it has only seen in one direction, so depending on the host or network configuration an outbound policy is normally needed as well: an ACL matching the reverse direction (source 133.33.0.0/16), a route-map setting the next hop to the firewall's address on VLAN 111, and the route-map applied on the interfaces facing the inside network on both MLXs. The same three-step process is used to configure it.
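To check what such a policy will and will not divert before it is applied, the following added example (not Brocade or Palo Alto Networks code, and not part of the original guide) models the NetIron extended ACL and route-map matching rules in Python and runs the guide's ACL 123 / route-map fw-in over a few constructed flows. The return-path policy it also evaluates (ACL 124 and the firewall address 192.168.111.2 on VLAN 111) is an assumption for illustration; the guide does not give the firewall's VLAN 111 address.

```python
"""Model of the NetIron extended ACL + route-map PBR policy used in this guide.

Added example, not Brocade or Palo Alto Networks code. It reproduces the
route-map match/set decision so that the flows a policy diverts to the
firewall (and the flows that bypass it) can be checked offline.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Net:
    """Turn ACL 'address wildcard' notation into a network.

    A 1 bit in a wildcard mask means 'don't care', so the subnet mask is
    the bitwise complement. Only contiguous masks are accepted.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    if mask and (mask | (mask - 1)) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefixlen = bin(mask).count("1")
    return IPv4Net(f"{addr}/{prefixlen}", strict=False)


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" in the guide's example
    src: IPv4Net  # first address/wildcard pair = SOURCE
    dst: IPv4Net  # second address/wildcard pair = DESTINATION


def parse_acl_line(line: str) -> tuple[int, AclEntry]:
    """Parse one extended ACL line such as
    'access-list 123 permit ip any 133.33.0.0 0.0.255.255'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"unsupported ACL line: {line!r}")
    number, action, proto, rest = int(tok[1]), tok[2], tok[3], tok[4:]

    def take(rest: list[str]) -> tuple[IPv4Net, list[str]]:
        if rest[0] == "any":
            return IPv4Net("0.0.0.0/0"), rest[1:]
        if rest[0] == "host":
            return IPv4Net(rest[1] + "/32"), rest[2:]
        return wildcard_to_network(rest[0], rest[1]), rest[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return number, AclEntry(action, proto, src, dst)


def build_acls(lines: list[str]) -> dict[int, list[AclEntry]]:
    """Group ACL lines by ACL number, preserving their order."""
    acls: dict[int, list[AclEntry]] = {}
    for line in lines:
        number, ace = parse_acl_line(line)
        acls.setdefault(number, []).append(ace)
    return acls


@dataclass(frozen=True)
class RouteMapEntry:
    action: str              # route-map permit / deny
    acl: int                 # match ip address <acl>
    next_hop: Optional[str]  # set ip next-hop <ip>


def pbr_next_hop(route_map: list[RouteMapEntry], acls: dict[int, list[AclEntry]],
                 src: str, dst: str) -> Optional[str]:
    """Return the next hop PBR imposes on a packet, or None for normal
    destination-based routing. A packet permitted by an entry's ACL matches
    that entry; an ACL deny (or the implicit deny at the end of the ACL)
    moves on to the next entry; a route-map 'deny' entry routes matched
    packets normally."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in route_map:
        for ace in acls.get(entry.acl, []):
            if s in ace.src and d in ace.dst:
                if ace.action == "permit":
                    return entry.next_hop if entry.action == "permit" else None
                break  # explicit ACL deny: this entry does not match
    return None


# The guide's inbound policy on MLX-1 (applied on ethernet 1/4 toward the core).
ACLS = build_acls(["access-list 123 permit ip any 133.33.0.0 0.0.255.255"])
INBOUND_ROUTE_MAP = [RouteMapEntry("permit", 123, "192.168.110.2")]

# Assumed return-path policy, NOT from the guide: ACL number 124 and the
# firewall's VLAN 111 address 192.168.111.2 are placeholders.
ACLS.update(build_acls(["access-list 124 permit ip 133.33.0.0 0.0.255.255 any"]))
OUTBOUND_ROUTE_MAP = [RouteMapEntry("permit", 124, "192.168.111.2")]


def next_hop_for(src: str, dst: str,
                 route_map: list[RouteMapEntry] = INBOUND_ROUTE_MAP) -> Optional[str]:
    return pbr_next_hop(route_map, ACLS, src, dst)


if __name__ == "__main__":
    # Constructed sample flows: 203.0.113.0/24 is documentation space standing
    # in for the outside; 133.33.0.0/16 is the protected network from the guide.
    for s, d in [("203.0.113.10", "133.33.5.5"),
                 ("133.33.5.5", "203.0.113.10"),
                 ("203.0.113.10", "133.34.1.1")]:
        print(f"{s} -> {d}: inbound next hop {next_hop_for(s, d)}, "
              f"outbound next hop {next_hop_for(s, d, OUTBOUND_ROUTE_MAP)}")
```

Running the block shows the security-relevant split: the inbound flow to 133.33.5.5 is sent to 192.168.110.2, the reply from 133.33.5.5 does not match ACL 123 and gets no next hop from the inbound route-map, and only the assumed outbound route-map on the inside-facing interface steers it back through the firewall. Any flow the model returns None for is one the firewall never sees.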

 

[Figure: Incoming traffic matching an ACL is forwarded to the Palo Alto Networks firewall (PAL_IncomingTrafficRoutedToFW.jpg)]
