04-23-2012 07:09 AM
Hi, Everyone,
I have a question that I was hoping I could receive some help with; I am doing an initial configuration of my firewall (I am new to Pan-OS, and I can't seem to ping my upstream router). I have an 802.1q trunk link coming into my device with a single VLAN on it (VLAN 3357). When I do a packet capture, I see the heartbeat traffic for the upstream HSRP interface, so I know that at least *some* traffic is traversing the link properly. I am getting these weird "SNAP Unnumbered, ui, Flags [Command], length 50" logs in a packet capture entry; does anybody know what this means? Is there any way to do a reverse arp for this mac: 58:8d:09:69:a8:09 to find out what it actually is? Thank you so much for your help with this. I hope you have a wonderful day.
admin@PA-5050> view-pcap filter-pcap DRP.pcap
reading from file /opt/panlogs/session/pan/filters/DRP.pcap, link-type EN10MB (Ethernet)
06:53:51.635061 IP 128.135.245.35.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=standby group=1 addr=128.135.245.33
06:53:51.636959 IP 128.135.245.34.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=active group=1 addr=128.135.245.33
06:53:51.750619 01:00:0c:cc:cc:cd (oui Unknown) > 58:8d:09:69:a8:09 (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50
0x0000: 0100 0ccc cccd 588d 0969 a809 8100 cd1d ......X..i......
0x0010: 0032 aaaa 0300 000c 010b 0000 0202 3c6d .2............<m
0x0020: 1d00 2304 eebe 0200 0000 006d 1df8 66f2 ..#........m..f.
0x0030: 0e26 c181 8e00 .&....
06:53:52.532858 58:8d:09:69:a8:09 (oui Unknown) > 01:00:0c:cc:cc:cc (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 120
06:53:52.636198 IP 128.135.245.34.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=active group=1 addr=128.135.245.33
06:53:52.636904 IP 128.135.245.35.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=standby group=1 addr=128.135.245.33
06:53:53.638757 IP 128.135.245.34.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=active group=1 addr=128.135.245.33
06:53:53.639619 IP 128.135.245.35.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=standby group=1 addr=128.135.245.33
06:53:53.750627 01:00:0c:cc:cc:cd (oui Unknown) > 58:8d:09:69:a8:09 (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50
0x0000: 0100 0ccc cccd 588d 0969 a809 8100 cd1d ......X..i......
0x0010: 0032 aaaa 0300 000c 010b 0000 0202 3c6d .2............<m
0x0020: 1d00 2304 eebe 0200 0000 006d 1df8 66f2 ..#........m..f.
0x0030: 0e26 c181 8e00 .&....
07:09:23.116923 IP 128.135.245.36 > 128.135.245.33: ICMP echo request, id 39775, seq 1, length 64
07:09:23.117794 IP 128.135.245.36 > 128.135.245.33: ICMP echo request, id 39775, seq 2, length 64
07:09:24.131794 IP 128.135.245.36 > 128.135.245.33: ICMP echo request, id 39775, seq 3, length 64
07:09:25.132304 IP 128.135.245.36 > 128.135.245.33: ICMP echo request, id 39775, seq 4, length 64
07:09:26.136048 IP 128.135.245.36 > 128.135.245.33: ICMP echo request, id 39775, seq 5, length 64
04-23-2012 10:01 PM
This is how I interpret this:
The "Dot1q VLAN Name" is just a description (or object name - which name to display in the GUI).
According to the PA-4.1_Administrators_Guide.pdf the description of this setting is:
"
Name
Enter a VLAN name (up to 31 characters). This name appears in the list of VLANs when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
"
The "VLAN Interface Name" is (unfortunately) also just a description (or rather, you can use any number here but I would suggest you to use the VLAN-ID):
"
Interface Name
Specify a numeric suffix for the interface (1-4999).
"
However, the above applies when you use a Layer2 interface, similar to a switchport on Cisco equipment.
For a routed interface ("no switchport" with the IP set directly on the interface, if we compare to Cisco) you use a Layer3 interface (the first will always be untagged), where subinterfaces will be tagged:
"
Tag
Enter the tag number (1 to 4094) of the traffic received on this interface.
Outgoing traffic on this interface is also set to this tag value.
"
So to sum it up:
switchport-method:
1) Create VLAN ("Dot1q VLAN Name").
2) Create VLAN interface ("Interface Name" I would recommend you to use the same as the tag you will use later).
3) Create Layer2 interface and attach above VLAN interface for untagged traffic.
4) Create additional Layer2 subinterfaces for tagged traffic and attach additional VLAN interfaces (this is where you also type which tag to use for 802.1Q).
no switchport-method (routed interface):
1) Create Layer3 interface, will be used for untagged traffic.
2) Create additional Layer3 subinterfaces for tagged traffic (this is where you also type which tag to use for 802.1Q).
Questions for PAN which I hope someone can reply to:
Q1) How come "VLAN Interface Name" isn't limited to 1-4094?
Q2) How come "VLAN Interface Name" isn't used as the tag (for me it adds confusion that the VLAN Interface Name can be different from the actual tag being used)?
Q3) How to set up "switchport mode trunk" on a PA device (only allow tagged traffic and drop untagged along with traffic with the wrong tag(s))?
04-23-2012 02:43 PM
Here is how you set up a trunk interface on a PA device:
Layer 2 Networking (Rev A)
https://live.paloaltonetworks.com/docs/DOC-2011
What you do is first create a set of VLANs, which defines which physical interfaces this VLAN belongs to etc. and whether L3 forwarding should be allowed (or if this VLAN is a pure L2 forwarding one). This can be compared to the vlan database in older Cisco IOS.
Then you create VLAN interfaces (I recommend using the vlanid as the vlan interface name number) where you bind the VLAN interface to a virtual router (which routing table to use), the VLAN you created earlier (so the PAN knows that this VLAN interface vlan.101 belongs to the VLAN named DMZ or whatever) and a zone. This can be compared to int gi 0/x along with switchport mode trunk, trunk allowed vlan etc. in Cisco IOS, along with int vlan xxx to define the ip address for the "SVI".
Edit: Regarding your "SNAP" captures, it's the multicast MAC address for Cisco Shared Spanning Tree Protocol (SSTP) according to Google.
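To check that identification against the bytes themselves, here is an added decoder (example code, not from the original post or from PAN-OS) that parses the 54 bytes printed in the first "SNAP Unnumbered" hex dump above. It walks the Ethernet header, the 802.1Q tag, the 802.3 length field, the LLC/SNAP header and the start of the BPDU; the only outside facts it relies on are the standard 802.1Q/802.2/SNAP layouts and that Cisco OUI 00:00:0c with SNAP protocol id 0x010b sent to 01:00:0c:cc:cc:cd is PVST+ (SSTP).

```python
# Decoder for the 802.1Q-tagged LLC/SNAP frame shown in the thread's capture.
# Added example, not from the original post or PAN-OS. FRAME_HEX is copied from
# the hex dump in the original post (only the 54 bytes the capture printed).
import struct

FRAME_HEX = (
    "0100 0ccc cccd 588d 0969 a809 8100 cd1d"
    "0032 aaaa 0300 000c 010b 0000 0202 3c6d"
    "1d00 2304 eebe 0200 0000 006d 1df8 66f2"
    "0e26 c181 8e00"
)
FRAME = bytes.fromhex(FRAME_HEX.replace(" ", ""))

# Well-known constants: 802.1Q TPID, Cisco OUI, and the PVST+/SSTP SNAP protocol id.
TPID_8021Q = 0x8100
CISCO_OUI = bytes.fromhex("00000c")
PID_PVST_PLUS = 0x010B


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(frame):
    """Parse Ethernet + 802.1Q + LLC/SNAP (+ BPDU head) and return the key fields."""
    # Ethernet header: destination first, then source, then TPID/EtherType.
    dst, src, tpid = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    tci, length = struct.unpack("!HH", frame[14:18])   # tag control info, 802.3 length
    dsap, ssap, ctrl = frame[18], frame[19], frame[20]  # LLC header
    oui, pid = frame[21:24], struct.unpack("!H", frame[24:26])[0]  # SNAP header
    info = {
        "dst": mac(dst), "src": mac(src),
        "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF,
        "length": length,  # a length (<= 1500), which is why tcpdump said SNAP, not IP
        "llc_ui": (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03),  # SNAP SAPs, UI control
        "snap_oui": mac(oui), "snap_pid": pid,
    }
    info["is_pvst_plus"] = info["llc_ui"] and oui == CISCO_OUI and pid == PID_PVST_PLUS
    if info["is_pvst_plus"] and len(frame) >= 39:
        bpdu = frame[26:]                         # proto id(2) ver(1) type(1) flags(1) root id(8)
        root_prio = struct.unpack("!H", bpdu[5:7])[0]
        info["bpdu_type"] = bpdu[3]               # 0x02 = RST BPDU
        info["root_sysid_ext"] = root_prio & 0x0FFF  # PVST+ puts the VLAN id here too
        info["root_mac"] = mac(bpdu[7:13])
    return info


if __name__ == "__main__":
    for key, val in decode_frame(FRAME).items():
        print(f"{key:>15}: {val}")
```

Running it shows the tag carries VLAN 3357 with priority 6, and the same 3357 reappears as the system-id extension in the root bridge id, which is what you expect from a per-VLAN spanning tree BPDU arriving on that trunk; the firewall's own MAC is not involved, so these frames are neighbour chatter, not the cause of the failed pings.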
04-23-2012 06:36 PM
Hi, Mike,
Thank you for your reply. Could I ask a follow-up question to this? The document that you supplied states:
"A default VLAN interface exists, called ‘vlan’. Any new VLAN interfaces created will be named vlan.X, where X is an integer greater than zero."
Is this the actual 802.1Q frame header that appears in the ethernet frame itself? So, if I am configuring VLAN 3357, I would enter 3357 here, correct? I guess I am a bit confused because on page 2, there is a spot to define "Dot1q vlan name", however the numerical VLAN ID is not defined here. I believe that VLAN IDs usually have an upper bound (4096), so I am wondering why this document says to specify something "greater than 0". Thank you so much for your help.
Dan Sullivan