Policy Based Routing Configurations 6500 and 4948 Switches

Hello!

I'm looking for good examples of policy-based routing configuration for the 6509 and 4948.

I have basic PBR set up, but can't find good IP SLA configurations to pair with it.

The 4948 has IP SLA, but doesn't seem to have the commands to attach it to the PBR route map.

I'm not finding effective IP SLA configurations for the 6500 either.

My hope is that someone has an IP SLA config I can use, or can direct me to an example of a complete configuration.

This is for redirecting traffic to a WAN accelerator, with monitoring.

What I have so far for the 4948:

interface GigabitEthernet1/11
 description to_dis_pri:g2/0/11
 no switchport
 ip address 11.11.11.10 255.255.255.252
 ip policy route-map Silverpeak
 speed 1000
 duplex full

ip access-list extended SilverpeakACL
 permit ip any 12.12.12.0 0.0.0.255

ip sla 99
 icmp-echo 14.14.14.14
 timeout 2000
 frequency 10
ip sla schedule 99 life forever start-time now

route-map Silverpeak permit 10
 match ip address SilverpeakACL
 set ip next-hop 14.14.14.14

I don't see how this will stop policy-based routing in the event that the WAN accelerator dies.

If you know where I can get the config, or can post it here, I would be very happy!

Hi Ganesh,

It did take that command, and this is the output:

#sho track 99
Track 99
  IP SLA 99 reachability
  Reachability is Up
    1 change, last change 00:00:16
  Latest operation return code: OK
  Latest RTT (millisecs) 1

Will this tie it all together? Also, will this be the same config for the 6509?

Hello

I think you apply IP SLA on the edge device where you want automatic failover; if that applies here, then on the 6509.

Once this output is OK, apply the track command together with the route map from the first post.

It could be useful...

-GI

Rate if this helps...
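The tracked PBR configuration the thread converges on (IP SLA probe, track object, route map that only applies the next hop while the track is up), as an added example rather than configuration taken from the original posts. It reuses the poster's names (Gi1/11, SilverpeakACL, route map Silverpeak, IP SLA 99, next hop 14.14.14.14) and assumes an IOS release that supports "track ... ip sla" and "set ip next-hop verify-availability ... track"; on older 6500 releases the object is defined as "track 99 rtr 99 reachability" instead. The probe source interface and the "delay" timers are assumed tuning, not something the thread specifies.

```ios
! Probe the WAN accelerator every 10 s. Sourcing from the Gi1/11 address
! makes the probe take the same path the redirected traffic will use
! (source-interface is an assumption; the thread's probe sets none).
ip sla 99
 icmp-echo 14.14.14.14 source-interface GigabitEthernet1/11
 timeout 2000
 frequency 10
ip sla schedule 99 life forever start-time now
!
! Track object 99 follows the probe's reachability state. The delays dampen
! flapping: 10 s before declaring the accelerator down, 30 s before
! redirection is restored (assumed values).
track 99 ip sla 99 reachability
 delay down 10 up 30
!
ip access-list extended SilverpeakACL
 permit ip any 12.12.12.0 0.0.0.255
!
! verify-availability bound to the track object: while track 99 is down the
! set clause is skipped, so matching packets are forwarded by the normal
! routing table instead of being black-holed towards 14.14.14.14.
route-map Silverpeak permit 10
 match ip address SilverpeakACL
 set ip next-hop verify-availability 14.14.14.14 10 track 99
!
interface GigabitEthernet1/11
 description to_dis_pri:g2/0/11
 no switchport
 ip address 11.11.11.10 255.255.255.252
 ip policy route-map Silverpeak
 speed 1000
 duplex full
```

Verify with "show track 99" (as the thread already does), "show ip sla statistics 99", and "show route-map Silverpeak": the policy-routed packet counter on the route map should stop increasing once the track reports Down and the probe target stops answering. The same configuration applies to the 6509, with the syntax caveat above.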

Tags: Cisco Network

Similar Questions

  • Defining a router and 2 switches in a network

    Hello!

    I have a question, please reply as soon as possible.

    Look, I'm new to routing, just learning (CCNA Discovery course), and here is the problem:

    Well, I set up a ROUTER and 2 switches. I configured the router from the terminal; the end result is:
    ETH 0/0 (where the Internet comes in) - IP - 192.168.100.200
    ETH 0/1 (inside the network) - IP - 192.168.80.1

    I also configured RIP the same way:
    router(config)# router rip
    router(config-router)# network 192.168.100.0   // IF I understand correctly, RIP allows data transfer between networks and makes one visible to the other

    router(config-router)# network 192.168.80.0

    Now, if I ping the two end devices (PCs), the ping works and the packet is sent and received.
    !!!! THE PROBLEM IS > why can't I ping from (PC0) 192.168.100.201 to 192.168.80.2 (PC1)?
    The investigation was done.

    My tracert schema is attached. Thx for the reply and attention!

    Do you have the default gateway configured on the two PCs?

  • OfficeJet 6500 and wireless router do not connect

    I just bought an Officejet 6500 and am trying to connect it to my wireless router.  Whenever I try to connect the printer to wireless it crashes.  The power button does not light, but the screen is lit without text.  At this point, I can't shut it down or get it running again.  I am running Vista Business 64-bit, and the router is a 2Wire 1800HG through AT&T.  It works very well with a USB connection.

    Thanks in advance.  John

    I think you have just met a known issue with some HP network printers and 2WIRE AT&T DSL routers.

    We have identified the problem and will deploy an update in the future.  So far, the workaround is to assign a static IP address to the printer. Here's a way to do this:

    1. Unplug the phone line from the 2WIRE router.
    2. Cut the power to the 2WIRE router, wait 30 seconds, then turn the power back on.
    3. Go through the normal process of connecting the printer to the 2WIRE device (Ethernet or Wi-Fi). The printer will not crash as long as the telephone line is disconnected from the 2WIRE device.
    4. On the Officejet front panel, go to the 'Advanced Setup' menu under 'Network'.
    5. Select 'IP Settings', acknowledge the warning and select "Manual IP".
    6. Select "IP address" and change the last group of the IP (byte) to something higher or lower. Specifically for your 2WIRE router, select 192.168.0.60.
    7. Press OK and plug the phone line back into the 2WIRE router.
     
  • Setup based on IP-hash and Beacon Probing

    Hi, I have a scenario where I have 2 adapters connected to a single vSwitch that contains 4 port groups.

    On one of the port groups, I set the load balancing policy to route based on IP hash and the network failover detection policy to beacon probing.

    Will packet duplication affect the whole vSwitch or just the traffic from this single port group?

    A response would be very much appreciated.

    Thank you

    I will admit I have 3 NICs configured; my question is, if I override the vSwitch configuration on 1 single port group to use route based on IP hash for load balancing and beacon probing for network failover detection at the same time, does the duplicate packet effect reach the other port groups/vSwitch they communicate with?

    The beacons will be sent on the VLAN configured on this port group and will not affect the failover settings of other port groups.

    However, you should never, ever mix IP-hash load balancing with other load balancing settings on the same vSwitch. To the physical switch there is just a single link with a single load balancing method, so either all of your port groups on a single vSwitch must use IP-hash with an EtherChannel/LAG, or none.

    Besides that, beacon probing will not work with IP-hash load balancing at all, for the reasons I mentioned above...

  • NSX design with cisco UCS/fabric interconnects and Nexus switches

    Hi Experts

    I am new to NSX design and deployment and am working on a project. We deploy NSX for 4-tier applications (web, app, db, DC). I use logical switches, DLR, ESG and DFW. Next, we intend to use static routes.

    1. Do we extend all the VLANs from the virtual to the physical environment? For example the mgmt VLAN, tier VLANs (web, app, db), VXLAN transport VLAN, or should it be only a specific VLAN?  Meaning, would I have to set up all the VLANs of the NSX environment in my physical switching environment?

    2. vDS? Don't we create only 1 vDS initially during the deployment of vCenter, or more? Should we take any special consideration while deploying the vDS for the NSX deployment?

    3. Static routes - do we configure static routes on the DLR and the ESG? Should I use default routes upstream? On the physical router, should we be routing all subnets from the virtual environment to the ESG?

    4. Where and by whom should virtual machines be created? Via vCenter, or before the deployment of NSX?

    5. We have a domain controller tier. Should it be part of the 3 application tiers or separate, with an allow any any rule on the DFW?

    Thank you

    Sam

    (1) The VLANs which exist for physical machines span the NSX VXLAN logical switch in the following cases:

    • If in the current deployment there are physical machines in the same VLAN and IP subnet as virtual machines. If this common VLAN port group is migrated to a VXLAN-backed logical switch port group and it is not possible to change the IP addresses of the virtual machines, then a DLR (Distributed Logical Router) bridge works as the conversion between the physical VLAN and the virtual VXLAN
    • If P-to-V conversion of the physical machines continues on this VLAN

    VLANs which cover only virtual machines, or VLANs which cover only physical machines, do not need to be bridged.

    (2) For the NSX deployment, there may be more than 1 vDS or only 1 vDS depending on the design. There may be other types of traffic besides VXLAN-based virtual machine traffic, such as backup, storage, vMotion and management, and the general design best practices apply here as well.  A requirement of NSX is a common vDS that spans the entire cluster. For each cluster, this "common vDS" may be different. Still, this vDS may be a separate vDS dedicated to VTEP, or VTEP functionality can be added to the existing vDS. It may be best to separate the VTEP vDS.

    (3) For the DLR, a default gateway is usually sufficient. If static routes are used, the ESG must then have a default route upstream and static routes with the DLR as next hop downstream for the VM IP subnets on the logical switches. On the physical router a static route to the VM logical switch subnets, and also to the DLR-ESG transit subnet, is required. Management of static routes is easier if route summarization is possible, or if many IP subnets are needed, so it may be a good idea to use a dynamic routing protocol such as OSPF or BGP. There are also IP address management features in vRealize and other IPAM solutions if automation is necessary for large and dynamic environments.

    (4) NSX has no functionality for creating VMs; it only creates network services such as switches, routers, firewalls and load balancing. Creating the VM continues the same way as before. A point to note is that the logical switches created appear as VXLAN-named port groups on the vDS. NSX Manager creates the port groups on the vDS; the only difference is that the name includes VXLAN. The virtual machine is, as before, added to this VXLAN-backed port group, or added to the logical switch from the NSX Manager interface, which appears as a plugin for vCenter. vCenter is thus the point to create virtual machines and add these VMs to the logical switches.

    (5) The domain controller tier can be a separate tier, or another tier; it may be preferable to keep it separate from the 3 application tiers. Usually it's the same design as without NSX. DFW rules can help protect the domain controller by allowing only the needed ports from the virtual machines or physical machines. DFW rules can apply to NSX VXLAN-based logical switches as well as to VLAN-based dVS port groups because it's a kernel module.

  • The incomplete 1941W Cisco router configuration

    Good day all.

    I have been running a small ecommerce business for the last 5 years on a Linksys wireless router. Now that I have more than 14 workstations and 6 networked printers, it was time to take a step up.

    I bought a CISCO 1941W ISR to take us to Gigabit speed in the next decade with a CISCO switch. I assumed that the 1941W, although robust and scalable, would make setup as simple as the Linksys (Cisco) product, or at least provide a simple 1-2-3 how-to for getting basic connections made. I was wrong, and now I find that I have some difficulty getting the router onto the Internet at all.

    Included below is my NVRAM config. I hope someone could tell me where I may have a few gaps in my config.

    Please note: this config is derived from an example on the net that seemed simple enough, so if you find yourself asking, "why did he do that?", I hope that this provides the perspective.

    TEST router configuration
    28/07/2010

    Objective: Complete the basic configuration to connect to (and ping) the Internet
    Problem: Cannot connect to the Internet; incomplete configuration suspected; maybe a bad NAT config or DNS issue
    Comments: In progress.

    HYPERTERMINAL CONSOLE SESSION TEXT:

    User Access Verification

    Username: admin
    Password:

    TESTROUTER>enable
    Password:
    TESTROUTER#ping 8.8.8.8

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    TESTROUTER#show config
    Using 2615 out of 262136 bytes
    !
    ! Last configuration change at 01:33:34 CST Thu Jul 29 2010 by admin
    !
    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec show-timezone
    service timestamps log datetime msec show-timezone
    service password-encryption
    !
    hostname TESTROUTER
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 16000
    logging console critical
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
    enable password 7 XXXXXXXXXXXXXXXX
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication enable default
    !
    !
    !
    !
    !
    aaa session-id common
    memory-size iomem 10
    clock timezone CST -6
    service-module wlan-ap 0 bootimage autonomous
    !
    no ipv6 cef
    no ip source-route
    ip icmp rate-limit unreachable 2000
    ip icmp rate-limit unreachable DF 2000
    ip cef
    !
    !
    !
    !
    no ip bootp server
    no ip domain lookup
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 209.18.47.61
    ip name-server 209.18.47.62
    multilink bundle-name authenticated
    !
    !
    !
    license udi pid CISCO1941W-A/K9 sn XXXXXXXXXXX
    hw-module ism 0
    !
    !
    !
    username admin password 7 XXXXXXXXXXXX
    !
    !
    !
    !
    !
    !
    interface Wlan-GigabitEthernet0/0
     description Internal switch interface connecting to the embedded AP
     shutdown
    !
    interface GigabitEthernet0/0
     description Connection to the Internet - TWC Ethernet/fiber transport (ISP)
     ip address AA.BB.CC.149 255.255.255.0
     ip access-group 115 in
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
     no cdp enable
    !
    interface wlan-ap0
     description Service module interface to manage the embedded AP
     no ip address
     arp timeout 0
     no mop enabled
     no mop sysid
    !
    interface GigabitEthernet0/1
     description Internal connection to the local network
     ip address 10.10.10.1 255.255.255.0
     ip access-group 116 in
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
    !
    interface Vlan1
     no ip address
     shutdown
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 AA.BB.CC.1
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    !
    access-list 1 permit 0.0.0.0 255.255.255.0
    access-list 115 deny   ip 127.0.0.0 0.255.255.255 any
    !
    no cdp run

    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line 67
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
     password 7 XXXXXXXXXXXXXX
    !
    scheduler allocate 20000 1000
    end

    TESTROUTER#

    END OF HYPERTERMINAL CONSOLE SESSION TEXT

    Thanks in advance to those who consider a response.

    Daniel

    Daniel

    You have ACL 115 on the external interface and there is just one line in this ACL, which is a deny. Be aware that an ACL has an implicit deny all at the end anyway, so basically this ACL is blocking all incoming traffic, which includes the returning ICMP (ping) responses. Because you ran the ping command on the router using an IP address and not a DNS name, neither NAT nor DNS is the problem at present.

    I suggest that you rewrite ACL 115 -

    access-list 115 permit icmp host 8.8.8.8 any echo-reply

    and test again with your ping. If it works then it's the ACL that is the problem and you need to write your ACL so that what you want to allow comes before what you want to deny.

    Jon
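An ACL 115 rewritten the way Jon's advice implies, with the permits for return traffic placed ahead of the denies, as an added example that is not Daniel's or Jon's configuration. It assumes the outside address AA.BB.CC.149 from the posted config (the inbound ACL on Gi0/0 is evaluated before NAT un-translates the packet, so returning packets are addressed to that outside address), and the private ranges it denies are a common anti-spoofing choice, not something the thread specifies.

```ios
! Replace the single-deny ACL. IOS evaluates entries top-down and ends with
! an implicit deny, so every permit for expected return traffic must come
! before the deny lines.
no access-list 115
access-list 115 remark --- return traffic for sessions started from inside ---
access-list 115 permit icmp any host AA.BB.CC.149 echo-reply
access-list 115 permit icmp any host AA.BB.CC.149 time-exceeded
access-list 115 permit icmp any host AA.BB.CC.149 unreachable
! DNS answers from the name servers listed in the config
access-list 115 permit udp any eq domain host AA.BB.CC.149
! TCP segments with ACK/RST set, i.e. replies to connections opened from inside
access-list 115 permit tcp any host AA.BB.CC.149 established
access-list 115 remark --- anti-spoofing: loopback and private source ranges ---
access-list 115 deny   ip 127.0.0.0 0.255.255.255 any
access-list 115 deny   ip 10.0.0.0 0.255.255.255 any
access-list 115 deny   ip 172.16.0.0 0.15.255.255 any
access-list 115 deny   ip 192.168.0.0 0.0.255.255 any
! Make the final deny explicit and logged so blocked traffic is visible
access-list 115 deny   ip any any log
!
interface GigabitEthernet0/0
 ip access-group 115 in
```

After applying it, "show access-list 115" should show the hit counter on the echo-reply line increasing while the router pings 8.8.8.8, and the logged deny line shows what else is being dropped. The "established" keyword only checks TCP flags; a stateful inspection policy (CBAC or the zone-based firewall) is the longer-term replacement for it.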

  • local policy IP - router head DMVPN

    Hey guys,

    On my DMVPN head-end router (3845 running 15.1-4.M2), I learn a default route from the inner core that I want to advertise to the remote spokes via EIGRP (Internet access is through the tunnel and through the head-end f/w).  And to avoid having a static route configured for each remote public IP address pointing to the Internet router, I tried to use a local policy to set the next hop for all router-to-router VPN traffic to the Internet router.  However, when I delete the static route to the remote, I lose the remote peer and it seems that the local policy is not taking effect.  Any help would be appreciated...

    interface Loopback0
     ip address 10.103.255.1 255.255.255.255
    !
    interface Tunnel10
     bandwidth 10000
     ip address 10.103.254.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 1
     ip nhrp authentication xxx
     ip nhrp map multicast dynamic
     ip nhrp network-id 100
     ip nhrp holdtime 600
     ip nhrp redirect
     ip tcp adjust-mss 1360
     no ip split-horizon eigrp 1
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 1234
     tunnel protection ipsec profile DMVPN-PROFILE
    !
    interface GigabitEthernet0/0
     description Routed link to core
     ip address 10.100.160.105 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    !
    interface GigabitEthernet0/1
     description link to outer segment
     ip address 1.1.1.4 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    !
    router eigrp 1
     network 10.100.160.104 0.0.0.3
     network 10.103.254.0 0.0.0.255
     network 10.103.255.1 0.0.0.0
     passive-interface default
     no passive-interface Tunnel10
     no passive-interface GigabitEthernet0/0
     eigrp router-id 10.103.255.1
    !
    ip access-list extended vpn-traffic
     permit esp any any
     permit udp any any eq isakmp
     permit udp any any eq non500-isakmp
    !
    route-map vpn-default permit 10
     description Default route to the Internet for encrypted traffic
     match ip address vpn-traffic
     set ip next-hop 1.1.1.2
    !
    ip local policy route-map vpn-default

    Dave,

    I think we'll do the responsible thing here and separate the termination and the tunneled traffic into VRFs (VRF-lite).

    You can put gig0/1 in a VRF and leave everything else in the global table (do not forget to add "tunnel vrf ..." on the tunnel interface).

    Result - separation of overlay and transport - you can have two default routes, one for connectivity to the spokes, one for traffic into the tunnel.

    Marcin
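Marcin's VRF-lite split applied to Dave's posted hub, as an added example that is not configuration from either of them; only the lines that change or are added are shown. It keeps the thread's interfaces and addresses (Gi0/1 at 1.1.1.4, Internet next hop 1.1.1.2, Tunnel10, profile DMVPN-PROFILE) and assumes a front-door VRF named INET, a keyring named DMVPN-KEYS, an ISAKMP profile named DMVPN-IKE and an existing transform set named DMVPN-TS. The IKE pieces are included because once the tunnel source sits in a VRF, IKEv1 has to be told in which VRF to look up keys and match peers.

```ios
! Front-door VRF for the Internet-facing transport (name is an assumption)
vrf definition INET
 address-family ipv4
 exit-address-family
!
! Transport interface moves into the VRF. Re-enter the address after
! "vrf forwarding": IOS clears it when the interface changes VRF.
interface GigabitEthernet0/1
 description link to outer segment (transport, VRF INET)
 vrf forwarding INET
 ip address 1.1.1.4 255.255.255.0
!
! The tunnel itself stays in the global table (overlay); only its outer
! GRE/IPsec packets are looked up in VRF INET.
interface Tunnel10
 tunnel source GigabitEthernet0/1
 tunnel vrf INET
 tunnel protection ipsec profile DMVPN-PROFILE
!
! VRF-aware IKEv1: pre-shared keys and identity matching are bound to the
! front-door VRF (the PSK is a placeholder).
crypto keyring DMVPN-KEYS vrf INET
 pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER-PSK
crypto isakmp profile DMVPN-IKE
 keyring DMVPN-KEYS
 match identity address 0.0.0.0 INET
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-IKE
!
! Transport default route: only ever used to reach spoke public addresses.
ip route vrf INET 0.0.0.0 0.0.0.0 1.1.1.2
!
! The global default route is still learned from the core over EIGRP, so
! spoke Internet traffic keeps going via the core firewall. The local
! policy and the per-spoke static routes are no longer needed.
no ip local policy route-map vpn-default
```

Check with "show ip route vrf INET" (it should hold only the transport default and the connected 1.1.1.0/24) and "show dmvpn" once the spokes re-register; the spokes themselves need no change, since the VRF split is local to the hub.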

  • Some doubts about 11g R2 Policy-Based Management/SCAN

    Hello

    I went through several documents, including Oracle's documentation, to understand Oracle's new Policy-Based Management/SCAN feature, and I also explored a few RACSIG webinars by Markus which were useful, but I am still not able to understand the concept. I will be grateful if someone can help me understand it.

    As the documentation says, the advantage of creating a server pool (policy) is to manage the workload automatically. I do not understand how it will manage the workload automatically. I understand that according to importance and the min/max settings, servers will be allocated/deallocated to pools as a result.

    For example: one server pool, high_priority, with min 2 servers; it primarily serves 2 database instances of payroll.
    Another server pool, low_priority, with min 2 servers and low priority; it serves 2 HR database instances.

    In this case, if any high_priority server gets evicted, it should take one low_priority server. (That's my impression so far after going through the documentation. Please correct me if I'm mistaken.)

    1st question: does that mean that it's going to stop an HR instance running on the low_priority pool and allocate this server to high_priority,
    and as a result a payroll instance comes up?

    2nd question: can I still achieve the TAF feature using server pools? That is, I read that I can have a uniform service that runs on all instances
    (I guess that means preferred)... or the service can run on any single server (singleton).


    Question 3: with the SCAN feature, where we set remote_listener = SCAN_LISTENER, clients will connect first to the SCAN and then be redirected to the local listener.
    What is the advantage of having a VIP for each node? The SCAN listener knows which instance is up and which is less loaded, and can redirect connections directly to the
    local listener. (We could start using the public IP for the listener.)

    My doubt is: in 10g, we only used the VIP to get quick notification or avoid the TCP timeout... and then we got redirected to some other listener/node to connect.
    Now SCAN can do the same...

    Thank you in advance, I appreciate your time.

    Kind regards
    Lyxx

    Hello

    In this case, if any high_priority server gets evicted, it should take one low_priority server. (That's my impression so far after going through the documentation. Please correct me if I'm mistaken.)

    Yes, that is the correct assumption.

    1.) Yes. The HR database instance will be stopped and a third instance of payroll will start.
    2.) TAF will work for uniform and singleton services. However, if you only have 1 server in the server pool (or have a singleton service), there is no sense in working with preconnect.
    Note: TAF time varies based on uniform/singleton service and whether the service failover needs time to start an instance. If so, you must configure TAF for such services with higher retries.
    3.) The SCAN will redirect the client to use the VIP for the final connection to the local listener. If it used the public IP address and the server failed at exactly this moment, the client would wait for the TCP/IP timeout (which may take some time).
    With the VIP, it will be told immediately that its connect has been unsuccessful and will re-run the SCAN to get a new connection.

    While the SCAN does the same thing in case of a redirect as the VIP, there are 2 advantages:
    a.) No matter how big your cluster is, you always need 3 SCANs.
    b.) And they stay the same, no matter if the cluster has changed. (The VIPs change.)

    Regards
    Sebastian

  • HP 6500 Officejet: is there a difference between an Officejet 6500 and the one with an 'a' or 'Plus'?

    Hello, first post here.

    I was given an Officejet 6500 without the CD-ROM setup disc. The unit came with 4 new cartridges. Started trying to get it up and running and at first it would not pick up paper. Checked this site and resolved that (temporarily?). Then saw that it was low on ink. Installed the new cartridges. Colors work very well, but not black.

    I have no CD-ROM for this and no manual.

    I see that you can download the setup, but was intrigued by the mention of a 6500 and a 6500 Plus; not sure which I have. On the front it says "HP Officejet 6500 Wireless".

    So I guess I have to run the jet cleaning. I started scrolling through the menu, but was stopped; it says there is no computer connected. Do I need to clean the jets?

    I could get by for today with a properly working stand-alone copier/printer. But I would not mind at all following up with setting up wireless on my Sony PCV-RX752 PC. We use AT&T here with a wireless router.

    Hello

    First, click on the install button, select network and follow the Wireless Setup Wizard to connect the printer to your home network.

    Then download and install the following drivers for the HP Officejet 6500 Wireless (E709n) model:

    The 6500 is a different model than the one you have...

    http://h10025.www1.HP.com/ewfrf/wc/softwareDownloadIndex?softwareitem=MP-77752-3 & CC = US & DLC = in & LC = on & os = 228 & productOid = 3795393 & sw_lang =

    Shlomi

  • R6220 routing between WiFi and LAN stops

    Hello

    I use the Netgear R6220 WiFi router. I have a few devices connected using LAN: TV, surveillance and desktop computer, but the computer is available only if the UPS is running.

    The TV is configured using DHCP, but surveillance has a static IP = 10.0.0.125.

    DHCP is configured to allocate the addresses 10.0.0.2 - 10.0.0.50.

    The router configuration is reset to factory, and only the LAN address and DHCP address pool have been changed.

    The problem is that, after a while, I cannot ping 10.0.0.125 (surveillance) from WiFi.

    After the router has been restarted and configured, it works for a while, and the next day I try to check video surveillance and ping does not work...

    I checked WiFi 2.4 and 5G.

    I also updated the firmware to the latest.

    Does anyone know of this problem, because I do not know whether I should return the router to the seller or not.

    Thanks in advance.

    Peter.

    Forget the static; use address reservations.

  • PXI-5421 Signal routing to PFI4 and PFI5

    Hello

    I am trying to route bits 0 and 1 of a waveform I generated using a PXI-5421 AWG to the PFI5 and PFI4 ports respectively. What seems to happen is that the first setup is overwritten by the second, so that only one PFI port is set up. I've attached a screenshot of a section of the configuration in the VI. Can two bits of a waveform be routed to two separate PFI ports at the same time?

    Thank you

    Steve

    Hi Steve,

    Yes.  There are 4 data markers on the PXI-5421, and each can be configured with unique values for each of the data marker attributes.  To set up the data markers independently, you must specify an 'Active Channel' for the data marker polarity and bit number attributes.  So in your example, you would just need to add an "Active Channel" entry on your property node above both data marker attributes and wire in "datamarker0" to set up the first data marker and "datamarker1" for the second.  "niFgen Arb Waveform Marker" shows how to do this.  Not wiring the active channel actually causes all 4 data markers to be configured when you set the value of each data marker attribute.

    Hope that helps.

  • The Router Configuration page

    Whenever I open my router configuration page, I am never prompted to enter a user name or password. Of course, this is a security problem for me. I even reset my router to its factory default settings. Yet, it still does not solve the problem. I also want to be able to change the user name and password to make it more secure. Is it indeed a cause for concern? If so, does anyone have any suggestions to solve this problem?  Thank you

    Hello

    Your router's configuration page has nothing to do with the Windows operating system.

    You will need to contact the router manufacturer for instructions on how to change the default settings.

    Cheers.

  • Wired router with PoE and Gigabit Ethernet to run two AC1750 access points?

    Hello, I'm looking for a recommendation for a wired router with PoE and Gigabit Ethernet to connect both LinkSys AC1750 ceiling access points, routing Internet on the WAN to a Virgin Media UK cable connection; can someone advise a good solution?

    I'm a home office / small office user, so there are several wired devices and a mixture of wireless clients. I need at least 8 Ethernet ports. Reliability and speed performance are important, but not important enough to go overboard on the cost!

    Many thanks to you all.

    I recommend a Linksys (SMB) LRT214\224 router and a Linksys (SMB) LGS PoE switch. This combination will be very fast and stable.

  • E1200 Cisco/Linksys router no warranty and I bought a month ago

    Can someone give me an email address so I can explain my situation? Or a contact name? Bought last week 19/12/13 and called about registering the router; they said it was an old model (I guess based on the S/N) and had no warranty. I can't control the rotation of the store's stock, and I bought it in good faith, expecting that a warranty only begins when you buy it. I paid to have it installed and will have to pay again to uninstall/reinstall to return it to the store and fight with them. Who pays for this?

    Yes, we told the whole story, and were given the e-mail address by the reception. The lady was adamant that there was no warranty because it was an 'old' unit that had been in the warehouse too long. Thanks for the email address, I'll get my message out to them.

  • Configuration of the L3 Switch to send the traffic to Palo Alto

    Please forgive my ignorance when it comes to Palo Alto. This is the first time I've dealt with them. We need to secure one VLAN located behind the Palo Alto. I am including a diagram to show a simulation of what we seek to do. We have the default VLAN1, which is our default data VLAN. We have VLAN 19, which is the VLAN we want to secure. The VLAN1 SVI IP is 10.1.1.1 and the VLAN19 SVI IP is 10.1.2.1. On the Palo Alto, we have interface IPs of 10.1.1.2 for the default data VLAN and 10.1.2.2 for the secure VLAN. There is also an HA pair with IPs 10.1.1.3 and 10.1.2.3 respectively. We have EIGRP that advertises the default VLAN1 network. Here's what we want to do. Anything from the 10.1.1.x network going to the 10.1.2.x network must pass through the Palo Alto. Anything from the 10.1.2.x network must go through the Palo Alto as well. Anything from 10.1.1.x to any other network takes the default route, and anything from 10.1.2.x to anything else on 10.1.2.x should stay local to the LAN (not pass through the Palo Alto; just ARP for the MAC address). My question is, how do I tell my L3 switch to send all traffic originating in 10.1.2.x through the PA? I can't do an IP route because the VLAN lives on these L3 switches and is a directly connected route. Really, I can't do PBR on the switch, because that is really meant for routers. I can put a longer match for everything on the 10.1.2.x network (i.e. ip route 10.1.2.7 255.255.255.255 10.1.1.2), but for some reason when I do that, anything from 10.1.2.x going to another thing on 10.1.2.x goes through the Palo Alto too. Does anyone have any suggestions on what would be the best practice, from a network perspective, on how to do this? Thanks for any help!

    From your description, it looks like you want all traffic to and from the secure VLAN to pass through the firewall?

    I'm not familiar with Palo Alto firewalls so I don't know how they work in HA, i.e. do other devices simply talk to a VIP which is shared by the two firewalls?

    In your example the two firewalls have an IP address per VLAN, but you always just use one IP address for the end-to-end connectivity. I'll assume that you do; you may need to change it, but when I say that I mean the one that the devices use for routing etc.

    So for all the traffic to and from the network 10.1.2.0/24 to go through the firewall, you must-

    (1) Remove the SVI for VLAN 19 from the switch stack. You need the firewall to be routing the secure VLAN, not the 3750s. You leave VLAN 19 in the VLAN database.

    (2) Point the VLAN 19 clients at it as their default gateway

    (3) Add a route on the 3750 stack for the network 10.1.2.0/24-

    ip route 10.1.2.0 255.255.255.0

    (4) If the 10.1.2.0/24 network needs to talk to remote subnets other than 10.1.1.0/24, then for each of these networks the firewall needs a route. The syntax will not be IOS, but this should give you an idea-

    ip route 10.1.1.1

    etc... for each remote network

    What the foregoing means is that all the traffic going to and coming from 10.1.2.x clients to other subnets must go through the firewall. The client traffic in the secure VLAN to other clients in the secure VLAN does not have to go through the firewalls.

    Jon
