Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

HOWTO Wanted : Trunked L3 intrerface with tagged VLAN's

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HOWTO Wanted : Trunked L3 intrerface with tagged VLAN's

L4 Transporter

Hi folks.

 

I need to configure a L3 iterface with a trunked conenction to my core switching infrastructure - twos eperate VLAN's on the one physical interface which MUST be seprate VLAN's, security zones and IP ranges.

 

I can't figure out if I'm mking this work right - I add sub interfaces tot he physical interface configuration, and they are tagged - but the main interface isn't.

 

Do I need to create VLAN's to match the sub-interface definitions? VLAN INterfaces? Or does the act of creating the sub interface get it working?

 

I'm quite confused over this one.

 

Thanks.

1 accepted solution

Accepted Solutions

L4 Transporter

See this comment for the difference between VLAN interfaces (which are actually bridged interfaces for creating a virtual switch) and layer 3 interfaces with 802.1q vlan tags (which is probably what you are looking for):

https://live.paloaltonetworks.com/t5/General-Topics/Correct-IP-setting-when-two-firewalls-connected-...

 

When you say "trunk" do you mean a vlan trunk (meaning only tagged vlans on the physical interface, no untagged vlans), or an LACP trunk (where you bond together multiple physical interfaces into a single aggregate interface to increase throughput or provide fail-over)?

 

I really hate it when the same terms are used for different things based solely on context.  🙂

 

I'm guessing you want to create a single Layer 3 interface (you don't have to actually configure anything on it), then create multiple sub-interfaces underneath the physical interface, with each sub-interface having a vlan tag associated with it.  Thus creating a vlan trunk.  We do this on all our firewalls.  Each sub-interface can be configured with it's own Zone, Virtual Router, Zone Protection, Management Profile, etc (they're treated as separate interfaces).

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

In the past I have always made the physical interfaces layer2. Make sure the sub interfaces are tagged for the specific vlan. I then create a layer3 vlan interfaces for routing of the traffic.

 

You can do the same with layer3 physical interfaces, just make sure you Tag them to what the vlan is.

Interface Name
Layer3 Subinterface
The read-only Interface Name field displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
Comment
Enter an optional description for the subinterface.
Tag
Enter the VLAN tag (1-4,094) for the subinterface.

L4 Transporter

See this comment for the difference between VLAN interfaces (which are actually bridged interfaces for creating a virtual switch) and layer 3 interfaces with 802.1q vlan tags (which is probably what you are looking for):

https://live.paloaltonetworks.com/t5/General-Topics/Correct-IP-setting-when-two-firewalls-connected-...

 

When you say "trunk" do you mean a vlan trunk (meaning only tagged vlans on the physical interface, no untagged vlans), or an LACP trunk (where you bond together multiple physical interfaces into a single aggregate interface to increase throughput or provide fail-over)?

 

I really hate it when the same terms are used for different things based solely on context.  🙂

 

I'm guessing you want to create a single Layer 3 interface (you don't have to actually configure anything on it), then create multiple sub-interfaces underneath the physical interface, with each sub-interface having a vlan tag associated with it.  Thus creating a vlan trunk.  We do this on all our firewalls.  Each sub-interface can be configured with it's own Zone, Virtual Router, Zone Protection, Management Profile, etc (they're treated as separate interfaces).


@fjwcash wrote:

See this comment for the difference between VLAN interfaces (which are actually bridged interfaces for creating a virtual switch) and layer 3 interfaces with 802.1q vlan tags (which is probably what you are looking for):

https://live.paloaltonetworks.com/t5/General-Topics/Correct-IP-setting-when-two-firewalls-connected-...

 

When you say "trunk" do you mean a vlan trunk (meaning only tagged vlans on the physical interface, no untagged vlans), or an LACP trunk (where you bond together multiple physical interfaces into a single aggregate interface to increase throughput or provide fail-over)?

 

I really hate it when the same terms are used for different things based solely on context.  🙂

 

I'm guessing you want to create a single Layer 3 interface (you don't have to actually configure anything on it), then create multiple sub-interfaces underneath the physical interface, with each sub-interface having a vlan tag associated with it.  Thus creating a vlan trunk.  We do this on all our firewalls.  Each sub-interface can be configured with it's own Zone, Virtual Router, Zone Protection, Management Profile, etc (they're treated as separate interfaces).


 

OK, the comment you quoted makes it a bit clearer - a "vlan" interface is simply used to make ports into local switch ports.

 

Yes, I mean VLAN trunk - a port which allows ONLY tagged traffic in one (or more) VLAN's in and out - connected to a "trunk" port on a switch (trunk mode switch port in Cisco/Juniper land).

 

And yes, I hate it when the same word means two completely different things depending on which vendor you're talking to as well! 🙂

 

Based on your last paragraph, what I have should work, as that's exactly what I've done - my only concern is that the "physical" interface is listed as "untagged" - does that mean it passes native VLAN traffic with a default (1) tag, or passes nothing at all?

 

Thanks - I think you've cleared this up enough that I can make things work.

L7 Applicator

Here's a screenshot from my firewall.  Instead of using "layer-2" with "vlan interfaces" - I usually use straight layer-3 subinterfaces.  This picture should explain it all.  No need for a vlan interface with this type of configuration:

 

l3subint.png

 

You're correct that traffic may hit the parent "ethernet1/9" interface - but that will only happen if the VLAN trunk from your switch includes an untagged (aka "native") vlan as well.  Even that shouldn't be a problem since this particular interface on the firewall: 1.) isn't part of a VR, 2.) doesn't have an IP address, and 3.) isn't a member of any security zone.  

  • 1 accepted solution
  • 8672 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!