Multiple Zones with one VLAN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Multiple Zones with one VLAN

L1 Bithead

I am trying to segregate my client computers and I don't have the ability to work with VLANs. All of our clients are in a single VLAN and I want to set them up in different subnets and zones. All of the clients connect to the Palo Alto through a single interface (also can't be changed).

 

I tried to do this with untagged sub-interfaces but I don't believe that was what they were intended for and so didn't work. I could ping the interface from a client in the same subnets but no traffic would go past that. I thought then I would try to use Loopback interfaces but you can't add an IP/Subnet to those, just a single IP with a /32, which makes sense (but I had to try).

 

The only way I can think to do this would be to setup the native interface (which currently doesn't have an IP) with an IP and mask that covers all of the client networks I am trying to create and then add a loopback interface with an IP in the subnet I want to access. The clients would then be in their individual subnets with their gateway set to the loopback interface IP in their subnet. This doesn't seem right to me though, but don't know why.

 

A few more details: I am not using User-ID yet as I don't have a good way to gather that info at the moment. I don't have complete control over the network (hence the inability to use VLANs) and I only have a few physical wires to work with (hence the single interface for all client traffic). I know that just using subnets and not VLANs does not really add any more security as a client could just change their IP to get into a different subnet but it would help us identify traffic easier and will block most of our users from access things they shouldn't.

 

Any suggestions? Thanks in advance.

1 accepted solution

Accepted Solutions

L7 Applicator

You are correct that you cannot use untagged frames for all the sub-interfaces.  The point of the sub-interface is to connect multiple separate vlans on a single physical port.  To do this we need to tag the frames with the vlan number and of course the switch (which you apparently don't control) would also need to have those vlans setup and tagged identically on your connected port.

 

In short, if you want subnet, vlan and zone separation of clients you need the switch setup to be appropriately changed along with the PA for this to work.

 

But perhaps you don't need this if user id setup will get you what you need.  If you can get the connection to AD or whatever the local auth is setup you can create your policies using security group membership and there is no need for physical network zone separation.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

View solution in original post

1 REPLY 1

L7 Applicator

You are correct that you cannot use untagged frames for all the sub-interfaces.  The point of the sub-interface is to connect multiple separate vlans on a single physical port.  To do this we need to tag the frames with the vlan number and of course the switch (which you apparently don't control) would also need to have those vlans setup and tagged identically on your connected port.

 

In short, if you want subnet, vlan and zone separation of clients you need the switch setup to be appropriately changed along with the PA for this to work.

 

But perhaps you don't need this if user id setup will get you what you need.  If you can get the connection to AD or whatever the local auth is setup you can create your policies using security group membership and there is no need for physical network zone separation.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 1 accepted solution
  • 4230 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!