Palo Alto

Disclaimer:
The information provided in this guide is for educational and informational purposes only. It is provided “as is” without any representations or warranties, express or implied. You are using this information at your own risk. The author assumes no responsibility for any loss, damage, or issues arising from the use or misuse of the content provided.



Here’s a step-by-step plan to complete your initial configuration for both Palo Alto PA-440 (via WebUI) and Cisco Catalyst 3750X:



🔧 Palo Alto PA-440 Configuration via WebUI

1. WAN Interface Setup (e.g., ethernet1/1)
    •    Network > Interfaces > Ethernet1/1
    •    Interface Type: Layer3
    •    Virtual Router: default
    •    Security Zone: Untrust
    •    IP: 4.37.142.188/29
    •    Network > Virtual Routers > default > Static Routes > Add (default route):
         •    Destination: 0.0.0.0/0
         •    Next Hop: 4.37.142.185
         •    Interface: ethernet1/1



2. VLAN1 LACP Interface (10.0.0.0/24)

a. Create Aggregate Interface (ae1)
    •    Network > Interfaces > Aggregate Ethernet > ae1
    •    Interface Type: Layer3
    •    Virtual Router: default
    •    Security Zone: VLAN1
    •    IP Address: 10.0.0.254/24

b. Assign Physical Interfaces (e.g., ethernet1/2, ethernet1/3)
    •    For ethernet1/2 and ethernet1/3:
         •    Interface Type: Aggregate Group
         •    Aggregate Group: ae1



3. VLAN2 LACP Interface (10.10.10.0/24)

a. Create Aggregate Interface (ae2)
    •    Network > Interfaces > Aggregate Ethernet > ae2
    •    Interface Type: Layer3
    •    Virtual Router: default
    •    Security Zone: VLAN2
    •    IP Address: 10.10.10.254/24

b. Assign Physical Interfaces (e.g., ethernet1/4, ethernet1/5)
    •    For ethernet1/4 and ethernet1/5:
         •    Interface Type: Aggregate Group
         •    Aggregate Group: ae2



4. Enable DHCP on VLAN1
    •    Network > DHCP > DHCP Server
    •    Interface: ae1
    •    IP Pool: 10.0.0.100–10.0.0.200
    •    Gateway: 10.0.0.254
    •    Primary DNS: 8.8.8.8
    •    Secondary DNS: 8.8.4.4



5. Allow Inter-VLAN Routing (Ports 22 and 443)
    •    Policies > Security > Add
    •    Name: VLAN1-to-VLAN2
    •    Source Zone: VLAN1
    •    Destination Zone: VLAN2
    •    Application: ssh, ssl
    •    Service: application-default
    •    Action: allow
    •    Policies > Security > Add
    •    Name: VLAN2-to-VLAN1
    •    Same applications, service and action as above, with the zones reversed: Source Zone VLAN2, Destination Zone VLAN1
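The following Python script is an added offline check, not part of the original guide: it holds the address plan from steps 1 to 5 (the guide's own values, copied into the constants) and flags the slips that are easy to make in the WebUI before anything is committed, such as a default-route next hop that is not on the WAN subnet, a DHCP pool that falls outside its interface subnet or swallows the gateway address, overlapping subnets, a physical port assigned to two aggregates, or a security rule naming a zone that was never created.

```python
"""Offline consistency check of the PA-440 address plan from steps 1 to 5.

Added example, not part of the original guide. Only the standard library is used.
"""
import ipaddress

# Values copied from the guide above.
WAN_IF = {"name": "ethernet1/1", "zone": "Untrust", "ip": "4.37.142.188/29"}
DEFAULT_ROUTE = {"destination": "0.0.0.0/0", "next_hop": "4.37.142.185",
                 "interface": "ethernet1/1"}
AGGREGATES = {
    "ae1": {"zone": "VLAN1", "ip": "10.0.0.254/24",
            "members": ["ethernet1/2", "ethernet1/3"]},
    "ae2": {"zone": "VLAN2", "ip": "10.10.10.254/24",
            "members": ["ethernet1/4", "ethernet1/5"]},
}
DHCP = {"interface": "ae1", "pool": ("10.0.0.100", "10.0.0.200"),
        "gateway": "10.0.0.254", "dns": ["8.8.8.8", "8.8.4.4"]}
RULES = [
    {"name": "VLAN1-to-VLAN2", "from": "VLAN1", "to": "VLAN2",
     "apps": ["ssh", "ssl"], "action": "allow"},
    {"name": "VLAN2-to-VLAN1", "from": "VLAN2", "to": "VLAN1",
     "apps": ["ssh", "ssl"], "action": "allow"},
]


def check_plan(wan, route, aggregates, dhcp, rules):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []

    # Step 1: the default route's next hop must be on-link for the WAN interface.
    wan_if = ipaddress.ip_interface(wan["ip"])
    next_hop = ipaddress.ip_address(route["next_hop"])
    if next_hop not in wan_if.network:
        problems.append(f"next hop {next_hop} is not inside {wan_if.network}")
    if route["interface"] != wan["name"]:
        problems.append("default route egress interface is not the WAN interface")

    # Steps 2-3: subnets must not overlap, and a port can belong to one aggregate only.
    nets = {"wan": wan_if.network}
    nets.update({n: ipaddress.ip_interface(a["ip"]).network
                 for n, a in aggregates.items()})
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    members = [m for a in aggregates.values() for m in a["members"]]
    if len(members) != len(set(members)) or wan["name"] in members:
        problems.append("a physical interface is used more than once")

    # Step 4: pool inside the ae subnet; gateway equal to the ae address and outside the pool.
    ae_if = ipaddress.ip_interface(aggregates[dhcp["interface"]]["ip"])
    start, end = (ipaddress.ip_address(x) for x in dhcp["pool"])
    if start > end:
        problems.append("DHCP pool start is above its end")
    if start not in ae_if.network or end not in ae_if.network:
        problems.append(f"DHCP pool {start}-{end} is not inside {ae_if.network}")
    if ipaddress.ip_address(dhcp["gateway"]) != ae_if.ip:
        problems.append("DHCP gateway differs from the interface address")
    if start <= ae_if.ip <= end:
        problems.append(f"gateway {ae_if.ip} lies inside the DHCP pool")

    # Step 5: every zone referenced by a rule must exist.
    zones = {wan["zone"]} | {a["zone"] for a in aggregates.values()}
    for rule in rules:
        for zone in (rule["from"], rule["to"]):
            if zone not in zones:
                problems.append(f"rule {rule['name']} references unknown zone {zone}")
    return problems


if __name__ == "__main__":
    found = check_plan(WAN_IF, DEFAULT_ROUTE, AGGREGATES, DHCP, RULES)
    print("plan OK" if not found else "\n".join(found))
```

Run it once with the guide's values (it reports "plan OK") and then after any change to the addressing, for example after moving the DHCP pool; a pool that ends at .254 is reported because it would hand out the gateway address.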



🔧 Cisco Catalyst 3750X Configuration (CLI)

6. Base Config (hostname, SSH, etc.)

enable
configure terminal
hostname SWITCH
ip domain-name local
crypto key generate rsa modulus 2048
username admin privilege 15 secret YourStrongPassword
line vty 0 4
 login local
 transport input ssh
exit




7. VLANs

vlan 10
 name VLAN1
vlan 20
 name VLAN2
exit




8. Assign Ports to VLANs (split 24-port switch)

interface range GigabitEthernet1/0/1 - 12
 switchport mode access
 switchport access vlan 10

interface range GigabitEthernet1/0/13 - 24
 switchport mode access
 switchport access vlan 20




9. LACP to Palo Alto (2 ports per LACP group)

a. VLAN1 LACP

interface range GigabitEthernet1/0/25 - 26
 channel-group 1 mode active
exit
interface Port-channel1
 ! the 3750X rejects "switchport mode trunk" until the encapsulation is set
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10
 ! ae1 on the PA-440 is a plain Layer3 interface (no VLAN tag), so VLAN 10 must leave this link untagged
 switchport trunk native vlan 10

b. VLAN2 LACP

interface range GigabitEthernet1/0/27 - 28
 channel-group 2 mode active
exit
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20
 ! same reasoning as Port-channel1: ae2 expects untagged frames
 switchport trunk native vlan 20




✅ Verification

10. Laptop on VLAN1
    •    Connect the laptop to an access port in the VLAN1 range (GigabitEthernet1/0/1 - 12).
    •    Check IP assignment (DHCP).
    •    Ping 10.0.0.254, then 8.8.8.8 to confirm Internet access.

11. Test VLAN-to-VLAN Routing
    •    From the Windows NUC in VLAN1, open an SSH (TCP 22) or HTTPS (TCP 443) connection to the Debian NUC in VLAN2. A plain ping does not match the ssh/ssl rules, so use a port-level test.
    •    Ensure the Palo Alto security policies from step 5 allow this traffic.
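As an added example, not part of the original guide, the script below performs the port-level test that steps 10 and 11 call for: it attempts a TCP handshake to each target and reports which ones answer. Because the inter-VLAN rules only allow the ssh and ssl applications, connecting to TCP 22 and 443 is what actually exercises them; ICMP ping needs raw sockets and is not covered. The Debian NUC address 10.10.10.10 is an assumption (the guide does not give one), and the target list is constructed for illustration.

```python
"""Port-level connectivity test for the verification steps.

Added example, not part of the original guide; standard library only.
"""
import socket


def tcp_reachable(host, port, timeout=2.0):
    """Return True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route, or name lookup failure
        return False


def check_targets(targets, timeout=2.0):
    """targets: iterable of (label, host, port); returns {label: reachable}."""
    return {label: tcp_reachable(host, port, timeout) for label, host, port in targets}


# Constructed target list for a client sitting on VLAN1; the NUC address is an assumption.
TARGETS = [
    ("Debian NUC SSH  (TCP 22, allowed by VLAN1-to-VLAN2)", "10.10.10.10", 22),
    ("Debian NUC HTTPS (TCP 443, allowed by VLAN1-to-VLAN2)", "10.10.10.10", 443),
    ("Public DNS over TCP (8.8.8.8:53, via the default route)", "8.8.8.8", 53),
]

if __name__ == "__main__":
    for label, ok in check_targets(TARGETS).items():
        print(f"{'OK  ' if ok else 'FAIL'}  {label}")
```

A FAIL on the NUC targets with the gateway still reachable usually points at the security policy or at the LACP bundle carrying the wrong VLAN, whereas a FAIL on 8.8.8.8 alone points at the default route or NAT on the WAN side.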

