- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-28-2016 01:57 PM
I am trying to segregate my client computers and I don't have the ability to work with VLANs. All of our clients are in a single VLAN and I want to set them up in different subnets and zones. All of the clients connect to the Palo Alto through a single interface (also can't be changed).
I tried to do this with untagged sub-interfaces but I don't believe that was what they were intended for and so didn't work. I could ping the interface from a client in the same subnets but no traffic would go past that. I thought then I would try to use Loopback interfaces but you can't add an IP/Subnet to those, just a single IP with a /32, which makes sense (but I had to try).
The only way I can think to do this would be to setup the native interface (which currently doesn't have an IP) with an IP and mask that covers all of the client networks I am trying to create and then add a loopback interface with an IP in the subnet I want to access. The clients would then be in their individual subnets with their gateway set to the loopback interface IP in their subnet. This doesn't seem right to me though, but don't know why.
A few more details: I am not using User-ID yet as I don't have a good way to gather that info at the moment. I don't have complete control over the network (hence the inability to use VLANs) and I only have a few physical wires to work with (hence the single interface for all client traffic). I know that just using subnets and not VLANs does not really add any more security as a client could just change their IP to get into a different subnet but it would help us identify traffic easier and will block most of our users from access things they shouldn't.
Any suggestions? Thanks in advance.
07-28-2016 03:37 PM
You are correct that you cannot use untagged frames for all the sub-interfaces. The point of the sub-interface is to connect multiple separate vlans on a single physical port. To do this we need to tag the frames with the vlan number and of course the switch (which you apparently don't control) would also need to have those vlans setup and tagged identically on your connected port.
In short, if you want subnet, vlan and zone separation of clients you need the switch setup to be appropriately changed along with the PA for this to work.
But perhaps you don't need this if user id setup will get you what you need. If you can get the connection to AD or whatever the local auth is setup you can create your policies using security group membership and there is no need for physical network zone separation.
07-28-2016 03:37 PM
You are correct that you cannot use untagged frames for all the sub-interfaces. The point of the sub-interface is to connect multiple separate vlans on a single physical port. To do this we need to tag the frames with the vlan number and of course the switch (which you apparently don't control) would also need to have those vlans setup and tagged identically on your connected port.
In short, if you want subnet, vlan and zone separation of clients you need the switch setup to be appropriately changed along with the PA for this to work.
But perhaps you don't need this if user id setup will get you what you need. If you can get the connection to AD or whatever the local auth is setup you can create your policies using security group membership and there is no need for physical network zone separation.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!