Tagged subinterfaces configuration on L3 mode



L2 Linker

Hello;

 

We are working in our organisation on migrating the configuration from another firewall to the Palo Alto Networks PA-500. In the current architecture the segmentation of the networks is done in the switch. Now we would like to do this segmentation in the PA-500 by creating subinterfaces. We would like to do it as shown in the screenshot: a router of traffic from inside to outside, then a second router from vlan 10 to inside, then another router from vlan 20 to inside. The interface eth1/2 is connected to a trunk port configured on the switch with tagged vlan 10 and vlan 20.

 

The problem is that the traffic does not pass to the subinterfaces! Please correct me if there is any mistake I have made in my configuration.

 

Thank you!

subinterfaces-config.JPG

5 REPLIES

L6 Presenter

You're probably missing VLAN 1 on the trunk between the switch and the PA.

Besides, you're speaking of different (virtual) routers and you have only one for all interfaces (vr_vsys1). But that shouldn't be a problem; in fact, that should make your life easier.

 

Hard to tell much more without seeing the whole configuration and the rules.

 

 

L7 Applicator

Do you also have the security policies set up between zones vlan10 to inside, vlan20 to inside, and inside to outside?

 

You will also need a NAT policy for inside to outside.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L1 Bithead

What kind of switch do you use?

Is L2 connection brought up?

I notice you are using the default management profile on all interfaces. Normally I would use a profile that allows ping only on such interfaces.

Can you ping PA interfaces from switch or laptop connected to one of the switch ports?

If the answer to all of this is positive, then you will need a permissive security policy that allows traffic to flow between the zones.
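As an added example that is not taken from any post in this thread, the PAN-OS `set` commands below put together what the replies above ask about for the topology in the question: tagged subinterfaces on ethernet1/2 matching the switch trunk, a ping-only management profile instead of the default one, one zone per VLAN, security rules between the zones, and source NAT to outside. Assumed, because the thread does not state them: ethernet1/1 is the outside interface, the untagged ethernet1/2 is the inside interface, the 192.168.x.0/24 addresses are placeholders, and the rule and profile names are my own.

```text
# Lines starting with '#' are annotations, not CLI input. Enter the set
# commands in 'configure' mode and finish with 'commit'.
# Assumed: ethernet1/1 = outside, untagged ethernet1/2 = inside,
# 192.168.10.0/24 and 192.168.20.0/24 are placeholder subnets.

# Tagged subinterfaces on the trunk-facing port; each tag must match the
# VLAN ID tagged on the switch trunk, otherwise frames are silently dropped.
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.10 tag 10
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.10 ip 192.168.10.1/24
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.20 tag 20
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.20 ip 192.168.20.1/24

# Management profile that answers ping only, so reachability from the
# switch or a laptop can be tested without exposing the management services.
set network profiles interface-management-profile ping-only ping yes
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.10 interface-management-profile ping-only
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.20 interface-management-profile ping-only

# A single virtual router carries every interface (vr_vsys1, as in the thread).
set network virtual-router vr_vsys1 interface ethernet1/2.10
set network virtual-router vr_vsys1 interface ethernet1/2.20

# One zone per VLAN. Traffic between zones is dropped until a rule allows it.
set zone vlan10 network layer3 ethernet1/2.10
set zone vlan20 network layer3 ethernet1/2.20

# Interzone security rules. 'application any' is the permissive starting
# point suggested above; narrow it to the applications actually needed.
set rulebase security rules vlan10-to-inside from vlan10 to inside source any destination any source-user any category any application any service application-default hip-profiles any action allow
set rulebase security rules vlan20-to-inside from vlan20 to inside source any destination any source-user any category any application any service application-default hip-profiles any action allow
set rulebase security rules vlans-to-outside from [ vlan10 vlan20 ] to outside source any destination any source-user any category any application any service application-default hip-profiles any action allow

# Source NAT to the outside interface address. Without it the private VLAN
# addresses leave unchanged and the return traffic has nowhere to go.
set rulebase nat rules vlans-to-outside from [ vlan10 vlan20 ] to outside source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
```

After the commit, a ping from a host in VLAN 10 to 192.168.10.1 checks the tagged L2 path, and a ping to an inside host checks the zone rule; the traffic log shows which rule matched or whether the session was denied by the interzone default.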

 

 

Cyber Elite

Hello,

I have done this and it works really well for me. Not saying it's the only way of doing it, but for my purposes it works.

 

Make the interfaces and subinterfaces layer2

Create layer 3 vlans for the ones that are trunked

Create a zone for each vlan (make sure to add all the rules and nats that you need)

 

I use it because it allows me to control traffic between the VLANs, kind of like a collapsed DMZ.

 

Also, if you have a DENY ALL rule at the bottom, it will not allow intrazone traffic, so you would need a rule to allow it, i.e. trust<->trust allow.

Hope this helps!

collapsedDMZ.JPG

Hello;

 

Thank you very much for all the responses. It's OK, the configuration now works in Layer 3 after adding NAT rules on the Palo Alto Networks firewall from a VLAN to outside.

 

I really appreciate all your help.

 

Thank you!
