08-25-2015 01:32 AM
Hello;
We are working in our organisation on migrating the configuration from another firewall to the Palo Alto Networks PA-500. In the current architecture, the segmentation of the networks is done in the switch. Now we would like to do this segmentation in the PA-500 by creating subinterfaces. We would like to do it as shown in the screenshot: a router for traffic from inside to outside, then a second router from VLAN 10 to inside, then another router from VLAN 20 to inside. The interface eth1/2 is connected to a trunk port configured on the switch with tagged VLAN 10 and VLAN 20.
The problem is that the traffic does not pass to the subinterfaces! Please correct me if there is any mistake in my configuration.
Thank you!
08-25-2015 02:16 AM
You're probably missing VLAN 1 on the trunk between the switch and the PA.
Besides you're speaking of different (virtual) routers and you have only 1 for all interfaces (vr_vsys1). But that shouldn't be a problem, in fact that should make your life easier.
Hard to tell much more without seeing all configuration and rules.
08-25-2015 03:41 AM
Do you also have the security policies set up between zones vlan10 to inside, vlan20 to inside, and inside to outside?
You will also need a NAT policy for inside to outside.
08-27-2015 04:25 AM
What kind of switch do you use?
Is L2 connection brought up?
I notice you are using the default management profile on all interfaces. Normally I would use a profile that allows ping only on such interfaces.
Can you ping PA interfaces from switch or laptop connected to one of the switch ports?
If answer is positive to all this, then you will need to have permissive security policy that allows traffic to flow between the zones.
08-27-2015 09:04 AM
Hello,
I have done this and it works really well for me. Not saying it's the only way of doing it, but for my purposes it works.
Make the interfaces and subinterfaces layer 2
Create layer 3 VLANs for the ones that are trunked
Create a zone for each VLAN (make sure to add all the rules and NATs that you need)
I use it because it allows me to control traffic between the VLANs, kind of like a collapsed DMZ.
Also, if you have a DENY ALL rule at the bottom, it will not allow intrazone traffic, so you would need a rule to allow it, i.e. trust<->trust allow.
Hope this helps!
09-02-2015 08:38 AM
Hello;
Thank you very much for all the responses. It's OK, the configuration now works in Layer 3 after adding NAT rules in the Palo Alto Networks firewall from a VLAN to outside.
I really appreciate all your help
Thank you!
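To tie the thread together, here is an added example (not posted by anyone in this thread and not a Palo Alto Networks reference configuration) of the pieces the replies ask about, written as PAN-OS "set" commands for the Layer 3 subinterface design the original poster ended up with: tagged subinterfaces on ethernet1/2, a ping-only management profile instead of the default one, one virtual router (vr_vsys1, the name mentioned above) for all interfaces, a zone per VLAN, the zone-to-zone security rules, an explicit intrazone allow above the deny-all, and the outbound NAT rule that finally made it work. Only ethernet1/2, the zone names, the virtual router name and the VLAN tags come from the thread; the outside and inside interfaces (ethernet1/1 and ethernet1/3), all IP addresses, the next-hop address and every rule and profile name are constructed assumptions for this example.

```text
# PAN-OS configuration-mode commands. ethernet1/2, vr_vsys1, the zone names
# and VLAN tags 10/20 are from the thread; everything else is constructed.
configure

# Management profile that answers ping only, for the data-plane interfaces.
set network profiles interface-management-profile ping-only ping yes

# Outside and inside interfaces (assumed to be ethernet1/1 and ethernet1/3).
set network interface ethernet ethernet1/1 layer3 ip 192.0.2.1/24
set network interface ethernet ethernet1/3 layer3 ip 10.0.0.1/24
set network interface ethernet ethernet1/3 layer3 interface-management-profile ping-only

# ethernet1/2 faces the switch trunk. The parent interface carries no IP;
# each subinterface carries the 802.1Q tag the switch sends for its VLAN.
set network interface ethernet ethernet1/2 layer3
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.10 tag 10
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.10 ip 10.0.10.1/24
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.10 interface-management-profile ping-only
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.20 tag 20
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.20 ip 10.0.20.1/24
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.20 interface-management-profile ping-only

# One virtual router for all interfaces, as the first reply suggests, plus a
# default route towards the (constructed) upstream gateway.
set network virtual-router vr_vsys1 interface [ ethernet1/1 ethernet1/3 ethernet1/2.10 ethernet1/2.20 ]
set network virtual-router vr_vsys1 routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 192.0.2.254

# Zones: each subinterface is placed in its own zone; the parent is in none.
set zone outside network layer3 ethernet1/1
set zone inside network layer3 ethernet1/3
set zone vlan10 network layer3 ethernet1/2.10
set zone vlan20 network layer3 ethernet1/2.20

# Security policy. Interzone traffic is dropped unless a rule allows it, so
# every zone pair the thread names gets a rule. Rules are evaluated top down.
set rulebase security rules vlan10-to-inside from vlan10 to inside source any destination any application any service application-default action allow
set rulebase security rules vlan20-to-inside from vlan20 to inside source any destination any application any service application-default action allow
set rulebase security rules inside-to-outside from [ inside vlan10 vlan20 ] to outside source any destination any application any service application-default action allow

# A deny-all at the bottom also catches intrazone traffic, so same-VLAN
# hosts need an explicit allow placed above it (the "trust<->trust" point).
set rulebase security rules vlan10-intrazone from vlan10 to vlan10 source any destination any application any service any action allow
set rulebase security rules vlan20-intrazone from vlan20 to vlan20 source any destination any application any service any action allow
set rulebase security rules deny-all from any to any source any destination any application any service any action deny
set rulebase security rules deny-all log-end yes

# NAT: the step that resolved the thread. Source-translate traffic from the
# internal zones to the outside interface address.
set rulebase nat rules outbound-snat from [ inside vlan10 vlan20 ] to outside source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

After committing, `show interface all` should list ethernet1/2.10 and ethernet1/2.20 as up with their tags and zones, and a host on VLAN 10 should be able to ping 10.0.10.1 before any policy is involved (that is the Layer 2 check the third reply asks for; if the ping fails, the problem is the switch trunk or the tag, not the rules). Once that works, `show session all` while a VLAN host browses outward should show sessions from zone vlan10 to outside with the source translated to 192.0.2.1, which confirms that both the security rule and the NAT rule matched. The 08-27 09:04 AM reply describes the alternative Layer 2 design (Layer 2 subinterfaces plus VLAN interfaces); the zone, security and NAT parts above apply to that design unchanged, only the interface commands differ.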