<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: A little help with Subinterfaces and intraVLAN routing in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/149351#M49785</link>
    <description>&lt;P&gt;Thanks, I do have security zones ready for each of the vlans but when I ran into the question on what to do about my untagged traffic I just left them all in trusted until I understood it better.&lt;/P&gt;</description>
    <pubDate>Fri, 24 Mar 2017 12:44:29 GMT</pubDate>
    <dc:creator>Raland</dc:creator>
    <dc:date>2017-03-24T12:44:29Z</dc:date>
    <item>
      <title>A little help with Subinterfaces and intraVLAN routing</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/148889#M49680</link>
      <description>&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="firefox_2017-03-22_06-35-32.png" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8314i4A3357BAD10ED8CA/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="firefox_2017-03-22_06-35-32.png" alt="firefox_2017-03-22_06-35-32.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a PA-3020 with a fairly typical config with a L3 untrusted interface and several trusted sub interfaces. I have a couple questions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Prior to this, I was doing my intravlan routing on my core HP2920 switch. My 192.168.123.0/24 network is the native vlan 1 which I understand to be always untagged. The .123 is my "original" network before I outgrew it and had to vlan. All the subinterface training examples show multiple subs but don't say anything about including untagged traffic. You can see in my pic that I put an IP address on the actual 1/2 interface as my solution to this.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The network is working but I'm getting random network connection errors, specifically for traffic between vlan 1/.123 traffic and vlan100/.100. I have a couple servers in the .123 and all the client pcs have migrated to vlan100. All my switches are in the 123 subnet and their gateways are the 192.168.123.1 interface 1/2 if that matters. Do I need to move all my .123 gear into a vlan and add a subinterface with the 192.168.123.1 IP?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Does the security policy take care of all the intra-vlan routing? I'm used to having static routes in the "router" to the gateways of the vlans. I mainly ask this due to the above mentioned random network connection issues.
I wasn't sure if I needed to add any routing due to the untagged nature of the .123 traffic coming into the interface?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm going to check the logs and do some testing to see if I can figure out the network issues. I'd love some feedback on whether my network interface setup is solid before I spend a lot of time looking for zebras instead of horses. Thanks,&lt;/P&gt;&lt;P&gt;-Ralph&lt;/P&gt;</description>
      <pubDate>Wed, 22 Mar 2017 14:40:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/148889#M49680</guid>
      <dc:creator>Raland</dc:creator>
      <dc:date>2017-03-22T14:40:43Z</dc:date>
    </item>
    <item>
      <title>Re: A little help with Subinterfaces and intraVLAN routing</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/149075#M49724</link>
      <description>&lt;P&gt;You did the correct thing: untagged (or vlan 1) is configured on the physical interface, VLANs are on subinterfaces.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You don't need to do any routing for these VLANs, as all are connected networks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Security profiles (IPS, AV...) are only enforced when traffic passes between security zones. So I would suggest replacing the single zone 'L3 Trusted' with multiple zones like 'L3 Trusted LAN',&amp;nbsp;&lt;SPAN&gt;'L3 Trusted Servers',&amp;nbsp;'L3 Trusted MGMT'... as per your network segments.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 23 Mar 2017 07:46:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/149075#M49724</guid>
      <dc:creator>santonic</dc:creator>
      <dc:date>2017-03-23T07:46:09Z</dc:date>
    </item>
    <item>
      <title>Re: A little help with Subinterfaces and intraVLAN routing</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/149351#M49785</link>
      <description>&lt;P&gt;Thanks, I do have security zones ready for each of the vlans but when I ran into the question on what to do about my untagged traffic I just left them all in trusted until I understood it better.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Mar 2017 12:44:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/149351#M49785</guid>
      <dc:creator>Raland</dc:creator>
      <dc:date>2017-03-24T12:44:29Z</dc:date>
    </item>
    <item>
      <title>Re: A little help with Subinterfaces and intraVLAN routing</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/149353#M49786</link>
      <description>&lt;P&gt;When you start implementing security zones, keep in mind you also have to implement FW rules, as traffic between different zones is dropped by default.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Mar 2017 12:50:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/149353#M49786</guid>
      <dc:creator>santonic</dc:creator>
      <dc:date>2017-03-24T12:50:16Z</dc:date>
    </item>
    <item>
      <title>Re: A little help with Subinterfaces and intraVLAN routing</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/149439#M49789</link>
      <description>&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="firefox_2017-03-24_09-32-56.png" style="width: 500px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/8453iC77B122FD7256D8E/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="firefox_2017-03-24_09-32-56.png" alt="firefox_2017-03-24_09-32-56.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Ok, will make sure to create security policies as I go. Final question on the routing. I just noticed that RIP is on for two of the interfaces in my router. I don't recall ever turning that on, and it's only for one of my sub interfaces and my untrusted internet interface.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Mar 2017 16:39:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/a-little-help-with-subinterfaces-and-intravlan-routing/m-p/149439#M49789</guid>
      <dc:creator>Raland</dc:creator>
      <dc:date>2017-03-24T16:39:42Z</dc:date>
    </item>
  </channel>
</rss>

