topic Re: Tagged subinterface in different zone than parent not working in General Topics

Tagged subinterface in different zone than parent not working

razor192 — Wed, 11 Oct 2017 19:59:24 GMT

So up to this point I'd only been using tagged sub interfaces for capacity\housekeeping\etc, so they were all in the same security zone. Now I have a case where I'd like to be able to add some rules to where traffic from this new VLAN can go..

I put the new sub interface in a new zone, add the new zone to the general internet access rules and outbound NAT rule.. no love.. So I look in at the traffic monitor, I see the traffic but it has a source zone of the parent interface, not the zone it is configured with.. am I missing somthing obvious here?

Re: Tagged subinterface in different zone than parent not working

Raido_Rattameister — Wed, 11 Oct 2017 20:16:30 GMT

Monitor > Traffic

Add Ingress I/F column. Are those packets coming in from ethernet1/2.66 interface?

Re: Tagged subinterface in different zone than parent not working

razor192 — Wed, 11 Oct 2017 21:22:46 GMT

Hmmm.. No it says the are coming from the parent interface ethernet1/2.

Re: Tagged subinterface in different zone than parent not working

Raido_Rattameister — Wed, 11 Oct 2017 22:09:32 GMT

In this case your vlans are messed up. Maybe wifi access point is in incorrect vlan.

Re: Tagged subinterface in different zone than parent not working

reaper — Thu, 12 Oct 2017 12:25:41 GMT

if your traffic log is showing the sessions in the wrong zone you're probably receiving them untagged. your original source may be connected to an untagged switch port or your trunk/switch doesn;t support/isnt configured for the vlan tag you configured on the subinterface

Re: Tagged subinterface in different zone than parent not working

nawaza — Thu, 12 Oct 2017 14:09:45 GMT

I agree with reaper. the tell-tale signs are there to support that particular view ...

Can you share the switch/router port/interface config here with us ...

And also can I please ask you to confirm that you have set 'Tag' on the Palo side?

Ajaz Nawaz | Network & Security Consultant

JNCIE-SEC #254 | CCIE-RS #15721

Re: Tagged subinterface in different zone than parent not working

razor192 — Thu, 19 Oct 2017 19:47:14 GMT

I think I figgured out why this is happeing.. I have a Layer 3 core switch that sits in front of the PA and does inter VLAN routing. The only route it has to the interwebs is it's default gateway which is the 192.168.10.2 address of the parent interface on the PA. This setup works and VLAN traffic makes it's way to the interwebs. If I remove the Tagged subinterface for a VALN from the config, traffic for that VALN stops at the 192.168.10.2 interface. To be 100% honest I'm not clear on WHY this actually works, tagged VLAN traffic is being forwarded to an untagged interface, perhaps it has to be with the way PA is doing the subinterface? Anyhow, I think for this to work the way I want it to, traffic from each VLAN needs to be forwarded to the subinterface. The only way I can come up with to do this, and leave the core layer 3 switch doing inter VLAN routing, is to move to Policy Based Routing.

Re: Tagged subinterface in different zone than parent not working

razor192 — Thu, 19 Oct 2017 20:15:14 GMT

this is the pertanant config from the core switch. and the sub interface on the PA

ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip routing
interface 1
name "To PA Eth 2"
exit

vlan 66
name "UnSecuteWiFi-66"
tagged 1,A1
ip address 10.10.66.1 255.255.255.0
ip helper-address 192.168.10.216
exit

Re: Tagged subinterface in different zone than parent not working

OtakarKlier — Thu, 19 Oct 2017 21:24:45 GMT

Hello @razor192,

Your text and screen shot Zones do not match up. If you haveyour source zone set as UnSecuteWiFi-66, you should be ableto create policies around that.

Hope that helps.

Re: Tagged subinterface in different zone than parent not working

razor192 — Thu, 19 Oct 2017 21:37:23 GMT

the 1st screen cap is a nonworking config.. the second screen cap is a working config

Re: Tagged subinterface in different zone than parent not working

OtakarKlier — Thu, 19 Oct 2017 21:39:17 GMT

One other thing we do to cut down on the nmber of Zones, is to use Zones and Source IP's. That way you can write a rule with source zone and ip range.

Just another thought.