Layer 3 Interface Trunk Configuration


Hi,

I am a new Palo Alto firewall user; however, I have been working with firewalls for some time. I have a couple of quick questions:

1) Does the Palo Alto PAN-OS firewall have an equivalent of the "shut" or "no shut" command to turn an interface on or off?

2) I have an 802.1q trunk link coming into my firewall; this trunk link has multiple VLANs tagged on it. Would it be possible for somebody to provide a very basic sample (plain text) configuration of what the interface (physical, layer 3, subinterface, VLAN) of my device should look like if I want the layer 3 interfaces for these VLANs to live on the firewall itself?

Basically I am having trouble getting the link light to light up on the firewall, and I am unsure what is required to have the interface attempt to enter an 'up' state.

I am historically used to managing devices from the command line; however, I am struggling a bit because, although I have reviewed the CLI administration guide, the guide does not provide configuration examples. Are there configuration examples available for PAN-OS?


Dan Sullivan

Accepted Solutions

L6 Presenter

1) I think the following will do what you ask for:

set network interface ethernet <interface-name> link-state down

2) You can check the devcenter for additional technotes except for those available in the documentation section:

https://live.paloaltonetworks.com/community/devcenter?view=documents

https://live.paloaltonetworks.com/community/documentation

I guess this document might get you the basics regarding L2 and L3 in PAN devices:

Layer 2 Networking (Rev A)
https://live.paloaltonetworks.com/docs/DOC-2011

What you do is that first you create a set of VLANs which defines which physical interfaces this VLAN belongs to, etc., and if L3 forwarding should be allowed (or if this VLAN is a pure L2 forwarding one). This can be compared to the vlan database in older Cisco IOS.

Then you create VLAN interfaces (I recommend using the vlanid as the vlan interface name number) where you bind the VLAN interface to a virtual router (which routing table to use), the VLAN you created earlier (so the PAN knows that this VLAN interface vlan.101 belongs to the VLAN named DMZ or whatever) and a zone. This can be compared to int gi 0/x along with switchport mode trunk, trunk allowed vlan, etc. in Cisco IOS along with int vlan xxx to define the IP address for the "SVI".


2 REPLIES

What I've done at our location is set up some layer 3 subinterfaces on the ethernet port where the VLAN trunk connects to, and I assign each subinterface to the appropriate VLAN. For example, I would create subinterface ethernet1/1.100 for traffic in VLAN 100.

In our installation the main interface itself doesn't have an IP address assignment.

Under the virtual router you would then add the subinterfaces to the router and then set up your routing appropriately depending on the type of routing you are going to do. In our environment, I'm running OSPF routing so I had to set the subinterfaces up in the OSPF routing table.

Hope this helps.
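
The subinterface approach described in the reply above, written out as PAN-OS configuration-mode commands. This is an added example, not part of the original thread; VLAN 200, the IP addresses, the zone names, the virtual router name "default" and a single virtual system are assumptions.

```text
# Lines starting with "#" are annotations only; do not paste them into the CLI.
# Assumed values: VLAN 200, the 192.0.2.x / 198.51.100.x addresses, the zone
# names, the virtual router "default", and a firewall with one virtual system.
configure

# Parent port: carries the 802.1q trunk, has no IP address of its own,
# and is allowed to bring its link up.
set network interface ethernet ethernet1/1 link-state auto

# One tagged Layer 3 subinterface per VLAN on the trunk.
# The tag must match the VLAN ID the switch sends on the trunk.
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 tag 100
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 ip 192.0.2.1/25
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.200 tag 200
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.200 ip 198.51.100.1/25

# Attach each subinterface to a virtual router (the routing table it uses).
set network virtual-router default interface ethernet1/1.100
set network virtual-router default interface ethernet1/1.200

# Put each VLAN in its own zone so traffic between VLANs is evaluated
# against security policy rather than sharing one zone.
set zone vlan100-zone network layer3 ethernet1/1.100
set zone vlan200-zone network layer3 ethernet1/1.200

# Nothing takes effect until the candidate configuration is committed.
commit
exit

# Operational mode: confirm link state and the configured subinterfaces.
show interface ethernet1/1
```

A subinterface that is not assigned to a zone will not pass traffic, and traffic between two different zones is denied by default until a security rule allows it.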
