Nile Segments Mapping to FW Zones

introduction this document provides a solution using a 3rd party intermediate l3 switch to satisfy both the nile l3 design and the firewalls use of incoming tagged lan traffic segmented by security zones the following proof of concept breaks down the solution into three parts nile nsb provisioning palo alto firewall configuration of a trunk uplink interface and security zones mapped to each vlan in the trunk cisco 3750 configuration acting as the nile nsb uplink and mapping nile segments to different vlans on a trunk port to the palo alto firewall topology nile nsb configuration nsb provisioning nile segments true false 308false center unhandled content type false center unhandled content type false center unhandled content type false center unhandled content type false center unhandled content type false center unhandled content type false center unhandled content type false center unhandled content type palo alto firewall configuration ui pertinent screenshots pan cli pertinent configuration set network interface ethernet ethernet1/1 layer3 ip 10 1 251 241/27 set network interface ethernet ethernet1/2 layer3 ndp proxy enabled no set network interface ethernet ethernet1/2 layer3 sdwan link settings upstream nat enable no set network interface ethernet ethernet1/2 layer3 sdwan link settings upstream nat static ip set network interface ethernet ethernet1/2 layer3 sdwan link settings enable no set network interface ethernet ethernet1/2 layer3 sdwan link settings ipv6 enable no set network interface ethernet ethernet1/2 layer3 lldp enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 102 sdwan link settings upstream nat enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 102 sdwan link settings enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 102 sdwan link settings ipv6 enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 102 ndp proxy enabled no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 102 adjust tcp mss enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 102 ip 192 168 0 9/30 set network interface ethernet ethernet1/2 layer3 units ethernet1/2 102 tag 102 set network interface ethernet ethernet1/2 layer3 units ethernet1/2 102 interface management profile ping set network interface ethernet ethernet1/2 layer3 units ethernet1/2 100 sdwan link settings upstream nat enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 100 sdwan link settings enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 100 sdwan link settings ipv6 enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 100 ndp proxy enabled no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 100 adjust tcp mss enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 100 tag 100 set network interface ethernet ethernet1/2 layer3 units ethernet1/2 100 ip 192 168 0 1/30 set network interface ethernet ethernet1/2 layer3 units ethernet1/2 100 interface management profile ping set network interface ethernet ethernet1/2 layer3 units ethernet1/2 101 sdwan link settings upstream nat enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 101 sdwan link settings enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 101 sdwan link settings ipv6 enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 101 ndp proxy enabled no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 101 adjust tcp mss enable no set network interface ethernet ethernet1/2 layer3 units ethernet1/2 101 ip 192 168 0 5/30 set network interface ethernet ethernet1/2 layer3 units ethernet1/2 101 tag 101 set network interface ethernet ethernet1/2 layer3 units ethernet1/2 101 interface management profile ping set network interface ethernet ethernet1/2 layer3 ip 172 16 10 1/30 set network interface ethernet ethernet1/2 layer3 interface management profile ping set network virtual router default interface \[ ethernet1/1 ethernet1/2 ethernet1/2 100 ethernet1/2 101 ethernet1/2 102 ] set network virtual router default routing table ip static route primary default nexthop ip address 10 1 251 225 set network virtual router default routing table ip static route primary default bfd profile none set network virtual router default routing table ip static route primary default metric 10 set network virtual router default routing table ip static route primary default destination 0 0 0 0/0 set network virtual router default routing table ip static route nile gtw1 nexthop ip address 172 16 10 2 set network virtual router default routing table ip static route nile gtw1 bfd profile none set network virtual router default routing table ip static route nile gtw1 interface ethernet1/2 set network virtual router default routing table ip static route nile gtw1 metric 10 set network virtual router default routing table ip static route nile gtw1 destination 172 16 0 0/30 set network virtual router default routing table ip static route nile gtw1 route table unicast set network virtual router default routing table ip static route nile guest nexthop ip address 192 168 0 10 set network virtual router default routing table ip static route nile guest bfd profile none set network virtual router default routing table ip static route nile guest interface ethernet1/2 102 set network virtual router default routing table ip static route nile guest metric 10 set network virtual router default routing table ip static route nile guest destination 192 168 102 0/24 set network virtual router default routing table ip static route nile guest route table unicast set network virtual router default routing table ip static route nile infra nexthop ip address 172 16 10 2 set network virtual router default routing table ip static route nile infra bfd profile none set network virtual router default routing table ip static route nile infra interface ethernet1/2 set network virtual router default routing table ip static route nile infra metric 10 set network virtual router default routing table ip static route nile infra destination 172 16 1 0/24 set network virtual router default routing table ip static route nile infra route table unicast set network virtual router default routing table ip static route nile sensors nexthop ip address 172 16 10 2 set network virtual router default routing table ip static route nile sensors bfd profile none set network virtual router default routing table ip static route nile sensors interface ethernet1/2 set network virtual router default routing table ip static route nile sensors metric 10 set network virtual router default routing table ip static route nile sensors destination 172 16 2 0/24 set network virtual router default routing table ip static route nile sensors route table unicast set network virtual router default routing table ip static route nile psk nexthop ip address 192 168 0 6 set network virtual router default routing table ip static route nile psk bfd profile none set network virtual router default routing table ip static route nile psk interface ethernet1/2 101 set network virtual router default routing table ip static route nile psk metric 10 set network virtual router default routing table ip static route nile psk destination 192 168 101 0/24 set network virtual router default routing table ip static route nile psk route table unicast set network virtual router default routing table ip static route nile dot1x nexthop ip address 192 168 0 2 set network virtual router default routing table ip static route nile dot1x bfd profile none set network virtual router default routing table ip static route nile dot1x interface ethernet1/2 100 set network virtual router default routing table ip static route nile dot1x metric 10 set network virtual router default routing table ip static route nile dot1x destination 192 168 100 0/24 set network virtual router default routing table ip static route nile dot1x route table unicast set network virtual router default routing table ip static route nile gtw2 nexthop ip address 172 16 10 2 set network virtual router default routing table ip static route nile gtw2 bfd profile none set network virtual router default routing table ip static route nile gtw2 interface ethernet1/2 set network virtual router default routing table ip static route nile gtw2 metric 10 set network virtual router default routing table ip static route nile gtw2 destination 172 16 0 4/30 set network virtual router default routing table ip static route nile gtw2 route table unicast set network virtual router default ecmp algorithm ip modulo set zone untrust network layer3 ethernet1/1 set zone nile nsb network layer3 ethernet1/2 set zone nile guest network layer3 ethernet1/2 102 set zone nile psk network layer3 ethernet1/2 101 set zone nile dot1x network layer3 ethernet1/2 100 set rulebase security rules "nile nsb to internet" to untrust set rulebase security rules "nile nsb to internet" from \[ nile dot1x nile guest nile nsb nile psk ] set rulebase security rules "nile nsb to internet" source any set rulebase security rules "nile nsb to internet" destination any set rulebase security rules "nile nsb to internet" source user any set rulebase security rules "nile nsb to internet" category any set rulebase security rules "nile nsb to internet" application any set rulebase security rules "nile nsb to internet" service any set rulebase security rules "nile nsb to internet" source hip any set rulebase security rules "nile nsb to internet" destination hip any set rulebase security rules "nile nsb to internet" action allow set rulebase security rules "nile nsb to internet" log start no set rulebase security rules "nile nsb to internet" log end yes set rulebase security rules block guest to internal to \[ nile dot1x nile nsb nile psk ] set rulebase security rules block guest to internal from nile guest set rulebase security rules block guest to internal source any set rulebase security rules block guest to internal destination any set rulebase security rules block guest to internal source user any set rulebase security rules block guest to internal category any set rulebase security rules block guest to internal application any set rulebase security rules block guest to internal service application default set rulebase security rules block guest to internal source hip any set rulebase security rules block guest to internal destination hip any set rulebase security rules block guest to internal action deny set rulebase security rules block guest to internal log start no set rulebase security rules block guest to internal log end yes set rulebase nat rules "src nat to internet" source translation dynamic ip and port interface address ip 10 1 251 241/27 set rulebase nat rules "src nat to internet" source translation dynamic ip and port interface address interface ethernet1/1 set rulebase nat rules "src nat to internet" to untrust set rulebase nat rules "src nat to internet" from \[ nile dot1x nile guest nile nsb nile psk ] set rulebase nat rules "src nat to internet" source any set rulebase nat rules "src nat to internet" destination any set rulebase nat rules "src nat to internet" service any set rulebase nat rules "src nat to internet" to interface ethernet1/1 set import network interface \[ ethernet1/2 ethernet1/2 102 ethernet1/2 100 ethernet1/2 101 ] cisco 3750 configuration ! version 15 2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password encryption service unsupported transceiver ! hostname mm 3750 ! boot start marker boot end marker ! ! vrf definition mgmt ! address family ipv4 exit address family ! logging buffered 51200 logging console critical logging monitor informational ! username admin privilege 15 password 0 nile123! no aaa new model clock timezone pst 8 0 clock summer time pdt recurring switch 1 provision ws c3750x 48p system mtu routing 1500 ! no ip source route ip routing ! ip vrf mgmt ! ! no ip domain lookup ip domain name mmoussa com ! ! crypto pki trustpoint tp self signed 2643279232 enrollment selfsigned subject name cn=ios self signed certificate 2643279232 revocation check none rsakeypair tp self signed 2643279232 ! ! crypto pki certificate chain tp self signed 2643279232 certificate self signed 01 3082022b 30820194 a0030201 02020101 300d0609 2a864886 f70d0101 05050030 31312f30 2d060355 04031326 494f532d 53656c66 2d536967 6e65642d 43657274 69666963 6174652d 32363433 32373932 3332301e 170d3036 30313032 30303032 30365a17 0d323030 31303130 30303030 305a3031 312f302d 06035504 03132649 4f532d53 656c662d 5369676e 65642d43 65727469 66696361 74652d32 36343332 37393233 3230819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 81008d52 563048f3 30480bdc 6ff17cdc cda19804 a319b2b8 f1cf16dc 05d35026 0d558f97 48aa1c70 a8ebee30 2741fd5b 7a7398ef 6320710c 70ec555c 03496731 6ba6b046 58472ba4 a6e88895 1e8aa645 9995919c ca2a97ef 35045cd8 6be029be 993c4722 450739ce c97ac621 25b362a3 5a87ab67 8e64f909 cae159f3 1a28fdaa bebd0203 010001a3 53305130 0f060355 1d130101 ff040530 030101ff 301f0603 551d2304 18301680 141e4b20 49c74924 7916c386 8603a069 802a6af5 68301d06 03551d0e 04160414 1e4b2049 c7492479 16c38686 03a06980 2a6af568 300d0609 2a864886 f70d0101 05050003 8181003e 8257c458 d45ad4b2 ea28edc3 3c0bcd4d e4c8c080 9d9bfd5a 27f9e581 f6d23daa aba778f6 47240e6f e166591f fba952bf ef36e843 56c07d6c 55a53ceb d6b6ded9 96fc01b6 5d1b0367 06e5e4c9 e0635677 7000a9f6 52f05003 0261752e a827d9ba d5131ee7 563ea77f bd8be6a3 2f6eb255 9f26d854 333ba225 e5ca4d73 818174 quit license boot level ipservices ! ! spanning tree mode rapid pvst spanning tree extend system id no spanning tree vlan 10 12,31,38,253 ! ! vlan internal allocation policy ascending no cdp run ! ! interface fastethernet0 vrf forwarding mgmt ip address 10 1 250 84 255 255 255 0 no ip route cache ! ! interface gigabitethernet1/0/37 no switchport ip address 172 16 0 1 255 255 255 252 ip policy route map nsb map ! interface gigabitethernet1/0/38 no switchport ip address 172 16 0 5 255 255 255 252 ip access group blackout in ip policy route map nsb map ! ! interface gigabitethernet1/0/48 switchport trunk allowed vlan 10,100 102 switchport trunk encapsulation dot1q switchport trunk native vlan 10 switchport mode trunk spanning tree portfast edge ! ! interface vlan1 no ip address ! interface vlan10 ip address 172 16 10 2 255 255 255 252 ! interface vlan100 ip address 192 168 0 2 255 255 255 252 ! interface vlan101 ip address 192 168 0 6 255 255 255 252 ! interface vlan102 ip address 192 168 0 10 255 255 255 252 ! router ospf 10 network 172 16 0 0 0 0 0 3 area 0 network 172 16 0 4 0 0 0 3 area 0 default information originate always route map nsb map ! ip forward protocol nd ! ! no ip http server no ip http secure server ip route 0 0 0 0 0 0 0 0 172 16 10 1 10 ip route vrf mgmt 0 0 0 0 0 0 0 0 10 1 250 1 ip ssh time out 60 ip ssh source interface fastethernet0 ip ssh server algorithm encryption 3des cbc aes128 cbc aes256 cbc aes256 ctr ip ssh server algorithm authentication password keyboard publickey ! ip access list standard management permit 10 127 134 0 0 0 0 255 permit 10 0 0 0 0 255 255 255 ! ip access list extended blackout permit ip 172 16 0 0 0 0 0 3 any permit ip 172 16 0 4 0 0 0 3 any permit ip 172 16 1 0 0 0 0 255 any permit ip 172 16 2 0 0 0 0 255 any permit ip 192 168 100 0 0 0 0 255 any permit ip 192 168 101 0 0 0 0 255 any permit ip 192 168 102 0 0 0 0 255 any deny ip any any ip access list extended dot1x acl permit ip 192 168 100 0 0 0 0 255 any ip access list extended guest acl permit ip 192 168 102 0 0 0 0 255 any ip access list extended nsb acl permit ip 172 16 0 0 0 0 0 3 any permit ip 172 16 1 0 0 0 0 255 any permit ip 172 16 2 0 0 0 0 255 any permit ip 172 16 0 4 0 0 0 3 any ip access list extended psk acl permit ip 192 168 101 0 0 0 0 255 any ! logging trap warnings ! route map nsb map permit 10 match ip address nsb acl set ip next hop 172 16 10 1 ! route map nsb map permit 100 match ip address dot1x acl set ip next hop 192 168 0 1 ! route map nsb map permit 101 match ip address psk acl set ip next hop 192 168 0 5 ! route map nsb map permit 102 match ip address guest acl set ip next hop 192 168 0 9 ! ! line con 0 password nile123! logging synchronous login local line vty 0 4 exec timeout 30 0 logging synchronous login local transport preferred none transport input ssh line vty 5 15 login ! ntp server vrf mgmt 152 70 159 102 ! end