topic Re: vLAN clarification & help in General Topics

vLAN clarification & help

cmateam — Tue, 25 Sep 2012 01:23:24 GMT

At my place of employment we've implemented a couple PAN-2020s in HA and have defined about 6 to 8 networks 1 attached to 1 physical port in a L3 configuration. We have cables running to a switch that each are untagged with different vLAN ID's (LAN = Default_VLAN, DMZ = DMZ_VLAN, etc). The vLAN'ing is done on the switch (HP ProCurve 2810-48G) and other ports are tagged and represented to VMware hosts.

PAN --> HP 2810-48G ==< VMware HOSTs

I have a few open ports, but am needing to create about 3 more networks to use and have quickly run out of physical ports.

For those of you who have done this, or any PAN techs helping out here, what is the best practice for implementing vLANS in this type of environment. I've seen some example of L2 configurations as well as L3 and I am a bit confused on what is best.

What is the best way to make a handful of physical ports aggregate on the firewall to present those vLANs to the switches, and then to the VMware hosts without doing that over just one cable? Do I need to configure the vLANs on the switch as well and tag those ports?

I realize these are a lot of questions - unfortunately the project was escalated a few months ago and I did not get sufficient time to design this out, so it's made it hard to design well, and I have some opportunity to implement changes before this environment goes 100% into production. So I don't have quite the liberty to test this out.

Am I on the right track with this document?

Thanks for all your help!

Re: vLAN clarification & help

UhMayYeah — Tue, 25 Sep 2012 03:06:49 GMT

For terminating multiple VLANs on the same physical interface, multiple tagged sub-interfaces should be created

refer :

https://live.paloaltonetworks.com/docs/DOC-1805

-Ameya

Re: vLAN clarification & help

cmateam — Tue, 25 Sep 2012 23:08:50 GMT

Can you aggregate these across interfaces?

Re: vLAN clarification & help

cmateam — Tue, 25 Sep 2012 23:12:15 GMT

Per this discussion: can you set one of the sub interfaces to have the route while all the others are just tagged?

For example:

eth1/8.8 10.55.1.1/24

eth1/9.8 - blank -?

Re: vLAN clarification & help

UhMayYeah — Tue, 25 Sep 2012 23:46:45 GMT

Yeah,this configuration was accepted by the firewall.

PFA

-Ameya

Re: vLAN clarification & help

cmateam — Wed, 10 Oct 2012 20:46:49 GMT

I had one additional question pertaining to this initial question.

So within my network, I have setup all the VLANs on L3 interfaces, with no networks defined (untagged) - everything works great. However, when I define a network on another L3 interface, without any VLANing all my networking goes crazy. The reason I am needing to do this is because some devices that have management interfaces (like our SAN, PAN FWs, and KVM) does not support vlan tagging on their interfaces. But since I can't specify a network on the default vlan L3 interface, I am now unable to manage these devices (without buying another switch. So my question was, can I create another virtual router and setup a L3 interface with the untagged vlan and network (a management network of sorts) present that to the default vlan on my switch, to manage such devices and then just route traffic between the to VRs? Does that make sense. Anyone else run into this before?