We are looking to convert our DMZ to a private VLAN. After getting a functional lab setup, the requirements changed and now we need to allow certain traffic between devices on the PVLAN. It seems like the usual method to accomplish this is to enable 'proxy arp' on the upstream router connected to the promiscuous port. We are connected to a Palo Alto which doesn't have this feature. Additionally, I ran a PCAP on the PA and it isn't seeing broadcast traffic anyway, so this workaround wouldn't work with our current setup. I looked further into documentation on this and found this in an HP article about PVLANs:
"For one Community VLAN member to communicate with a different Community VLAN member, the Community Port traffic has to go out the uplink to the Primary VLAN."
This sounds like traffic between devices on a community first needs to exit the promiscuous port and hit the upstream router, so I tested this as well by setting up two devices on the same community (VLAN 12) as well as two devices on different communities (VLAN 12 & 13). I didn't find this to be the case, as traffic never hit the PA and was either blocked or allowed at the switch level.
Any ideas on what I could be doing wrong here, or a workaround I could implement to accomplish this? General setup below:
Switch 1 (6300)

vlan 10
    private-vlan primary
vlan 11
    private-vlan isolated primary-vlan 10
vlan 12
    private-vlan community primary-vlan 10
vlan 13
    private-vlan community primary-vlan 10

int 1/1/1-1/1/2 (Isolated user ports)
    vlan access 11
    private-vlan port-type secondary
int 1/1/3-1/1/4 (Community user ports)
    vlan access 12
    private-vlan port-type secondary
int 1/1/5-1/1/6 (Community 2 user ports)
    vlan access 13
    private-vlan port-type secondary
int 1/1/24 (Link to Palo Alto)
    vlan trunk native 1
    vlan trunk allowed 10
    private-vlan port-type promiscuous

Palo Alto

eth1/1.10
    ip address 192.168.0.1 255.255.255.0
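To make the observations in the post easier to reason about, here is a small model of the standard private-VLAN forwarding rules (isolated, community, promiscuous) and of the proxy-ARP workaround. This is an added illustration, not the poster's switch configuration or any vendor's code; the port numbers and VLAN IDs mirror the setup above, and the hosts and the `path()` / `broadcast_reaches()` helpers are constructed for the example. It shows which host-to-host paths are switched locally (and so never reach the firewall), which fail at the switch, and which only work when the upstream router answers ARP on the hosts' behalf and hairpins the traffic.

```python
"""Model of private-VLAN (PVLAN) forwarding and the local-proxy-ARP workaround.

Added illustration only: it encodes the standard PVLAN rules, not the behaviour
of a specific switch.  Port roles and VLAN IDs are taken from the lab setup in
the post; everything else (hosts, helper names) is constructed here.
"""
from dataclasses import dataclass

PRIMARY = 10


@dataclass(frozen=True)
class Port:
    name: str
    kind: str   # "isolated" | "community" | "promiscuous"
    vlan: int   # secondary VLAN for secondary ports, primary VLAN for the uplink


# Ports as configured in the post: 1/1/1-2 isolated (VLAN 11),
# 1/1/3-4 community (VLAN 12), 1/1/5-6 community (VLAN 13),
# 1/1/24 promiscuous on primary VLAN 10 towards the Palo Alto.
PORTS = {
    "1/1/1": Port("1/1/1", "isolated", 11),
    "1/1/2": Port("1/1/2", "isolated", 11),
    "1/1/3": Port("1/1/3", "community", 12),
    "1/1/4": Port("1/1/4", "community", 12),
    "1/1/5": Port("1/1/5", "community", 13),
    "1/1/6": Port("1/1/6", "community", 13),
    "1/1/24": Port("1/1/24", "promiscuous", PRIMARY),
}
UPLINK = "1/1/24"


def l2_allowed(src: Port, dst: Port) -> bool:
    """Standard PVLAN layer-2 forwarding decision between two ports."""
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True                    # promiscuous port talks to every secondary port
    if src.kind == "community" and dst.kind == "community":
        return src.vlan == dst.vlan    # community members only see their own community
    return False                       # isolated ports, or two different communities


def broadcast_reaches(src: Port) -> list:
    """Ports that receive a broadcast (for example an ARP request) sent from src."""
    return sorted(p.name for p in PORTS.values() if p is not src and l2_allowed(src, p))


def path(src_name: str, dst_name: str, router_proxy_arp: bool) -> str:
    """Classify how a frame between two hosts in the same IP subnet is delivered.

    Returns one of:
      "switched-locally"        - forwarded by the switch, the firewall never sees it
      "no-arp-reply"            - ARP request reaches the uplink but nobody answers it
      "hairpinned-via-router"   - router answers ARP with its own MAC and routes it back
    """
    src, dst = PORTS[src_name], PORTS[dst_name]
    if l2_allowed(src, dst):
        return "switched-locally"
    # The ARP request is a broadcast from a secondary port, so under the
    # standard rules it always reaches the promiscuous uplink.
    assert UPLINK in broadcast_reaches(src)
    # Only a router doing (local) proxy ARP replies for an address that is not
    # its own; the host then sends to the router's MAC and the router hairpins
    # the packet back out of the primary VLAN to the destination's secondary port.
    if router_proxy_arp:
        return "hairpinned-via-router"
    return "no-arp-reply"


if __name__ == "__main__":
    for a, b in [("1/1/3", "1/1/4"), ("1/1/3", "1/1/5"), ("1/1/1", "1/1/2")]:
        print(f"{a} -> {b}: no proxy ARP = {path(a, b, False)}, "
              f"proxy ARP = {path(a, b, True)}")
    print("broadcast from 1/1/3 reaches:", broadcast_reaches(PORTS["1/1/3"]))
```

Two things the model makes explicit. First, same-community traffic (1/1/3 to 1/1/4) is switched at layer 2 and will never appear in a capture on the firewall, which matches what the post reports. Second, under the standard rules a broadcast from any secondary port is delivered to the promiscuous port, so an ARP request from VLAN 12 for a VLAN 13 address is expected to reach the uplink even though no reply comes back; a capture on the firewall that shows no such broadcasts at all is worth checking against the uplink trunk and subinterface tagging before concluding that the PVLAN rules themselves are the problem.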