topic Re: Untagged L3 sub interfaces won't process traffic in General Topics

Untagged L3 sub interfaces won't process traffic

DenisHierholzer — Thu, 05 Apr 2018 05:39:46 GMT

Hi,

As described in following links we've configured multiple untagged sub interfaces all assigned to different vsys (different virtual routers and different zones) but with different IPs from the same network and the same VLAN:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-L3-Untagged-Subinterfaces-to-Communicate-within/ta-p/55830

https://live.paloaltonetworks.com/t5/Learning-Articles/Untagged-Subinterfaces-L3/ta-p/55942

Example:
eth1, IP: none, tag: none, vsys: 1, zone: none, virtual router: none
--- eth1.1, IP: 192.168.0.10/24, tag: none, vsys: 2, zone: Zone-2, virtual router: VR-2
--- eth1.2, IP: 192.168.0.11/24, tag: none, vsys: 3, zone: Zone-3, virtual router: VR-3

The interface IPs 192.168.0.10 and 192.168.0.11 are pingable but traffic through the firewall won't be processed.

The same problem was described in following thread:
https://live.paloaltonetworks.com/t5/General-Topics/Multiple-Zones-with-one-VLAN/m-p/100851#M44302

Unfortunately I don't understand why this does not work. Would somebody please explain this?

Thanks,
Denis

Re: Untagged L3 sub interfaces won't process traffic

BPry — Thu, 05 Apr 2018 13:32:44 GMT

@DenisHierholzer,

This really isn't how this is supposed to function and you cannot use untagged frames for all the sub-interfaces. Subinterfaces really are meant to connect multiple VLANs onto a single physical port, similar to how you would setup a single trunk port but use it to pass multiple VLANs. The biggest issue that you have here is that if you have everything untagged the switch and the firewall doesn't really understand what it's supposed to do with the traffic.

Can you say what you're actually attempting to accomplish with your setup? There may be a better solution that we can recommend to get things working correctly.

Re: Untagged L3 sub interfaces won't process traffic

DenisHierholzer — Thu, 05 Apr 2018 13:40:34 GMT

Thanks for your answer.

From our production network (e.g. 10.0.0.0/24) we'd like to connect to different DMZs which are protected by different vsys.

Example:

vsys 1 - internal IP in production network: 10.0.0.10/24

vsys 2 - internal IP in production network: 10.0.0.11/24

We'd like to trunk those two connections via one cable from the production network to the Palo device. If we would use a seperate VLAN for both vsys in between the production network and the Palo device it would require a major reconfiguration of our network infrastructure.

Regards,

Denis

Re: Untagged L3 sub interfaces won't process traffic

santonic — Fri, 06 Apr 2018 11:32:59 GMT

VLAN tag is what detemines which packet goes to which logical interface on same physical interface. Without it FW can't know which packet to put where.

Re: Untagged L3 sub interfaces won't process traffic

DenisHierholzer — Mon, 09 Apr 2018 06:17:42 GMT

But the logical interfaces are also identified by a unique IP address. I don't understand why this is not enough to assign traffic to a specific logical interface.

Re: Untagged L3 sub interfaces won't process traffic

santonic — Mon, 09 Apr 2018 06:54:34 GMT

The packet doesn't even get picked by routing process (virtual router) as PA can't even assign which vsys will handle it.

What are you trying to achieve? Why exactly do you need different vsys for those DMZs? And if you already need different vsys why are you using same network for both? Accessing both DMZs in your current configuration will not be an easy task, you will need host routes on clients.

Re: Untagged L3 sub interfaces won't process traffic

DenisHierholzer — Mon, 09 Apr 2018 12:20:31 GMT

Ok - I've realized that I cannot use untagged sub interfaces in my specific scenario.

Untagged sub interfaces are only for a specific scenario described in the links in my original post - beside this specific scenario untagged sub interfaces won't work. I will use tagged sub interfaces and different VLANs to communicate with the different vsys.

Thanks for your help.