article Nominated Discussion: VLAN Confusion in General Articles

article Nominated Discussion: VLAN Confusion in General Articles https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-vlan-confusion/ta-p/537588 <P>This Nominated Discussion Article is based on the post "<A href="https://live.paloaltonetworks.com/t5/general-topics/vlan-confusion/m-p/537313" target="_blank" rel="noopener">VLAN Confusion</A>" by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/280597">@bgre033</a> and responded to by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/282057">@seb_rupik</a>  and <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a> . Read on to see the discussion and solution!</P> <P> </P> <DIV class="lia-message-template-content-zone"> <BLOCKQUOTE> <P>I’ve recently got a PA-440, and trying to make sense of the VLAN logic on PAN-OS has got me stumped.<BR /><BR />First of all, I get creating a layer 3 sub interface and assigning a VLAN tag, easy. A bit odd that the 'tag' doesn't then show up as a VLAN under Network > VLANs, but I can let that slide.</P> <P> </P> <P>It's an access port where things really don't make sense. I follow the steps below, and even though it works it just doesn't make sense.</P> <P> </P> <OL> <LI>Mark an interface as layer 2, and assign a layer 2 zone to it, ok.</LI> <LI>Create a VLAN (Network > VLANs) - sure, but you don’t specify a VLAN ID, just a name. What is the point of this construct?</LI> <LI>Assign created VLAN (from step 2) to the physical layer 2 interface - again, ok, but given the VLAN hasn’t got an ID, does this achieve anything?</LI> <LI>Create a VLAN Interface (with an ID between 1-9999) and assign a VLAN to it. I assume this is like an SVI, but I don’t need a layer 3 VLAN interface, why is this necessary? Also, it seems like the ID is meant to be the VLAN tag (but the range is not right, 1-9999 rather than 1-4094)?</LI> </OL> <P>I'm hoping someone can explain this to be, as the documentation isn't clear.</P> <OL> <LI>What is the point of VLANs under Network > VLANs? Given you don't specify a VLAN ID.</LI> <LI>Is the ID under the VLAN interface actually a VLAN tag, rather than an interface ID? If so, why is the range 1-9999 (rather than 1-4094)?</LI> </OL> <P> </P> </BLOCKQUOTE> <P> </P> <P>Palo Alto has taken the approach of decoupling the VLAN ID from the VLAN virtual-bridge construct. When you create a VLAN object under <STRONG>Network -> VLAN</STRONG>, the name is the UID not a VLAN ID as would be the case on a cisco. The object you create here is a virtual-bridge which is used to bind the various Layer 2 interfaces defined <STRONG>Network -> Interfaces -> Ethernet</STRONG> and a single SVI under <STRONG>Network -> Interfaces -> VLAN</STRONG>.</P> <P> </P> <P>The ID number which is required by a sub-interface or VLAN/SVI interface is arbitrary. The <EM><STRONG>tag number</STRONG></EM><STRONG>,</STRONG> which is selected under the sub-interface, <EM><STRONG>is the VLAN ID</STRONG></EM> and is used for the 802.1Q encapsulation. The sub-interface ID and tag number do not have to match, but it can help with readability!</P> <P> </P> <P>It is worth noting that this decoupling of VLAN ID from the VLAN object means that sub-interfaces, which uses different 802.1Q tags, can use the same VLAN virtual-bridge effectively performing VLAN tag rewriting.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="foo.png" style="width: 858px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49218iB38C456A0030DC15/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="foo.png" alt="foo.png" /></span></P> <P> </P> <P> </P> <BLOCKQUOTE> <P>This would suggest that an access port cannot exist (for example) in VLAN 20 unless a sub-interface has been created with tag '20' and both of these objects have been associated with a VLAN object (Network > VLAN)? Suppose this doesn't really matter, as an access port VLAN ID isn't relevant unless a trunk port exists somewhere on the said device (which it won't unless sub-interfaces have been created).</P> <P> </P> <P>Finally, I take it a VLAN sub-interface (Network > Interfaces > VLAN) isn't needed unless inter-VLAN routing is required?</P> </BLOCKQUOTE> <P> </P> <P>It is always easier to set interfaces in Layer3.  The main interface will be untagged and sub-interfaces will tag packets.</P> <P> </P> <UL> <LI>Layer2 makes sense only if you deploy firewalls in small office with few devices and you don't have a dedicated switch (all devices connect directly to Palo) and you need multiple interfaces to be in same subnet/vlan</LI> <LI>Other reason to use Layer2 is if you have existing setup. Let's say a web server and database servers were historically deployed in a single VLAN. You want to separate them and place a firewall in between</LI> </UL> <P><BR />What you can do is connect web server and database server directly to the PA Firewall. Set the firewall interfaces in Layer2 and create a policy in between to permit only specific traffic. As a result, no re-IP needed but security posture improved.</P> <P> </P> <P>Once you configure a Layer2 sub-interface you are creating a trunk link and 802.1q will be enabled, using the 'tag' value as the VLAN ID on the encapsulated frame. An access port doesn't really need a VLAN tag, as it is never imposed on the frame, they arrive and leave untagged.  The VLAN tag/ID is there purely to identify which virtual-bridge the frames belong to.</P> <P> </P> <P>The object created under <STRONG>Network -> Interfaces -> VLAN</STRONG> is <STRONG>not</STRONG> a sub-interface. I understand the confusion as it prepends a digit to the interface name. The interface here is a SVI/IRB . If you have configured your firewall interfaces all as Layer2, then yes you will need these for inter-VLAN routing. You can have a mix of routed Layer 3 interfaces (dedicated or sub-interface) and VLAN interfaces for inter-VLAN routing, depending on your topology.</P> <P> </P> <P>Once you get to PAN-OS 11.x you can configure PPPoE on sub-interface.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_0-1680567640642.png" style="width: 865px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49256iAFFE23EDC0E2C4C1/image-dimensions/865x572/is-moderation-mode/true?v=v2" width="865" height="572" role="button" title="Raido_Rattameister_0-1680567640642.png" alt="Raido_Rattameister_0-1680567640642.png" /></span></P> <P> </P> </DIV> Tue, 05 Nov 2024 01:32:01 GMT kiwi 2024-11-05T01:32:01Z Nominated Discussion: VLAN Confusion https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-vlan-confusion/ta-p/537588 <P>This Nominated Discussion Article is based on the post "<A href="https://live.paloaltonetworks.com/t5/general-topics/vlan-confusion/m-p/537313" target="_blank" rel="noopener">VLAN Confusion</A>".</P> Tue, 05 Nov 2024 01:32:01 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-vlan-confusion/ta-p/537588 kiwi 2024-11-05T01:32:01Z