topic Re: HOWTO Wanted : Trunked L3 intrerface with tagged VLAN's in General Topics

HOWTO Wanted : Trunked L3 intrerface with tagged VLAN's

darren_g — Tue, 28 May 2019 04:10:14 GMT

Hi folks.

I need to configure a L3 iterface with a trunked conenction to my core switching infrastructure - twos eperate VLAN's on the one physical interface which MUST be seprate VLAN's, security zones and IP ranges.

I can't figure out if I'm mking this work right - I add sub interfaces tot he physical interface configuration, and they are tagged - but the main interface isn't.

Do I need to create VLAN's to match the sub-interface definitions? VLAN INterfaces? Or does the act of creating the sub interface get it working?

I'm quite confused over this one.

Thanks.

Re: HOWTO Wanted : Trunked L3 intrerface with tagged VLAN's

OtakarKlier — Tue, 28 May 2019 19:01:00 GMT

Hello,

In the past I have always made the physical interfaces layer2. Make sure the sub interfaces are tagged for the specific vlan. I then create a layer3 vlan interfaces for routing of the traffic.

You can do the same with layer3 physical interfaces, just make sure you Tag them to what the vlan is.

Interface Name	Layer3 Subinterface	The read-only Interface Name field displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
Comment	Enter an optional description for the subinterface.
Tag	Enter the VLAN tag (1-4,094) for the subinterface.

Re: HOWTO Wanted : Trunked L3 intrerface with tagged VLAN's

fjwcash — Tue, 28 May 2019 20:42:29 GMT

See this comment for the difference between VLAN interfaces (which are actually bridged interfaces for creating a virtual switch) and layer 3 interfaces with 802.1q vlan tags (which is probably what you are looking for):

https://live.paloaltonetworks.com/t5/General-Topics/Correct-IP-setting-when-two-firewalls-connected-to-one-ISP/m-p/262311/highlight/true#M74341

When you say "trunk" do you mean a vlan trunk (meaning only tagged vlans on the physical interface, no untagged vlans), or an LACP trunk (where you bond together multiple physical interfaces into a single aggregate interface to increase throughput or provide fail-over)?

I really hate it when the same terms are used for different things based solely on context. 🙂

I'm guessing you want to create a single Layer 3 interface (you don't have to actually configure anything on it), then create multiple sub-interfaces underneath the physical interface, with each sub-interface having a vlan tag associated with it. Thus creating a vlan trunk. We do this on all our firewalls. Each sub-interface can be configured with it's own Zone, Virtual Router, Zone Protection, Management Profile, etc (they're treated as separate interfaces).

Re: HOWTO Wanted : Trunked L3 intrerface with tagged VLAN's

darren_g — Wed, 29 May 2019 00:29:00 GMT

@fjwcash wrote:
See this comment for the difference between VLAN interfaces (which are actually bridged interfaces for creating a virtual switch) and layer 3 interfaces with 802.1q vlan tags (which is probably what you are looking for):
https://live.paloaltonetworks.com/t5/General-Topics/Correct-IP-setting-when-two-firewalls-connected-to-one-ISP/m-p/262311/highlight/true#M74341

When you say "trunk" do you mean a vlan trunk (meaning only tagged vlans on the physical interface, no untagged vlans), or an LACP trunk (where you bond together multiple physical interfaces into a single aggregate interface to increase throughput or provide fail-over)?

I really hate it when the same terms are used for different things based solely on context. 🙂

I'm guessing you want to create a single Layer 3 interface (you don't have to actually configure anything on it), then create multiple sub-interfaces underneath the physical interface, with each sub-interface having a vlan tag associated with it. Thus creating a vlan trunk. We do this on all our firewalls. Each sub-interface can be configured with it's own Zone, Virtual Router, Zone Protection, Management Profile, etc (they're treated as separate interfaces).

OK, the comment you quoted makes it a bit clearer - a "vlan" interface is simply used to make ports into local switch ports.

Yes, I mean VLAN trunk - a port which allows ONLY tagged traffic in one (or more) VLAN's in and out - connected to a "trunk" port on a switch (trunk mode switch port in Cisco/Juniper land).

And yes, I hate it when the same word means two completely different things depending on which vendor you're talking to as well! 🙂

Based on your last paragraph, what I have should work, as that's exactly what I've done - my only concern is that the "physical" interface is listed as "untagged" - does that mean it passes native VLAN traffic with a default (1) tag, or passes nothing at all?

Thanks - I think you've cleared this up enough that I can make things work.

Re: HOWTO Wanted : Trunked L3 intrerface with tagged VLAN's

jvalentine — Thu, 30 May 2019 22:43:10 GMT

Here's a screenshot from my firewall. Instead of using "layer-2" with "vlan interfaces" - I usually use straight layer-3 subinterfaces. This picture should explain it all. No need for a vlan interface with this type of configuration:

You're correct that traffic may hit the parent "ethernet1/9" interface - but that will only happen if the VLAN trunk from your switch includes an untagged (aka "native") vlan as well. Even that shouldn't be a problem since this particular interface on the firewall: 1.) isn't part of a VR, 2.) doesn't have an IP address, and 3.) isn't a member of any security zone.