We are looking to convert our DMZ to a private VLAN. After getting a functional lab setup, the requirements changed and now we need to allow certain traffic between devices on the PVLAN. It seems like the usual method to accomplish this is to enable 'proxy arp' on the upstream router connected to the promiscuous port. We are connected to a Palo Alto which doesn't have this feature. Additionally, I ran a PCAP on the PA and it isn't seeing broadcast traffic anyways so this workaround wouldn't work with our current setup anyways. I looked further into documentation on this and found this on an HP article about PVLANs:
"For one Community VLAN member to communicate with a different Community VLAN member, the Community Port traffic has to go out the uplink to the Primary VLAN."
This sounds like traffic between devices on a community first needs to exit the promiscuous port and hit the upstream router, so I tested this as well by setting up two devices on the same community (VLAN 12) as well as two devices on different communities (VLAN 12 & 13). I didn't find this to be the case as traffic never hit the PA and was either blocked or allowed on the switch level.
Any ideas on what I could be doing wrong here, or a workaround I could implement to accomplish this? General setup below:
Switch 1 (6300)
vlan 10 private-vlan primaryvlan 11 private-vlan isolated primary-vlan 10vlan 12 private-vlan community primary-vlan 10vlan 13 private-vlan community primary-vlan 10
int 1/1/1-1/1/2 (Isolated user ports)
vlan access 11
private-vlan port-type secondary
int 1/1/3-1/1/4 (Community user ports)
vlan access 12
int 1/1/5-1/1/6 (Community 2 user ports)
vlan access 13
int 1/1/24 (Link to Palo Alto)
vlan trunk native 1
vlan trunk allowed 10
private-vlan port-type promiscuous
eth1/1.10ip address 192.168.0.1 255.255.255.0
A good start would be this video, which has at 03:07 a diagram of how PVLAN works in CX Switching. What you found in HP documentation may be obsolete as it probably refers to different switch types.
It's unlikely that your Palo Alto will do L2 switching within the VLAN, nor it will receive the L2 traffic for other devices in the same VLAN. From the diagram in the video:
Note that this can become very messy and hard to troubleshoot. Another option is to create additional VLANs and let the firewall L3 route between those for more granular control and better visibilty/logging.
Traffic between systems in the same VLAN will not flow over a gateway/router, but direct between the systems. Not fully sure about the statement that you found as it confuses me as well.
© Copyright 2023 Hewlett Packard Enterprise Development LPAll Rights Reserved.