04-04-2018 10:31 PM - edited 04-04-2018 10:39 PM
Hi,
As described in following links we've configured multiple untagged sub interfaces all assigned to different vsys (different virtual routers and different zones) but with different IPs from the same network and the same VLAN:
https://live.paloaltonetworks.com/t5/Learning-Articles/Untagged-Subinterfaces-L3/ta-p/55942
Example:
eth1, IP: none, tag: none, vsys: 1, zone: none, virtual router: none
--- eth1.1, IP: 192.168.0.10/24, tag: none, vsys: 2, zone: Zone-2, virtual router: VR-2
--- eth1.2, IP: 192.168.0.11/24, tag: none, vsys: 3, zone: Zone-3, virtual router: VR-3
The interface IPs 192.168.0.10 and 192.168.0.11 are pingable but traffic through the firewall won't be processed.
The same problem was described in following thread:
https://live.paloaltonetworks.com/t5/General-Topics/Multiple-Zones-with-one-VLAN/m-p/100851#M44302
Unfortunately I don't understand why this does not work. Would somebody please explain this?
Thanks,
Denis
04-06-2018 04:32 AM
VLAN tag is what detemines which packet goes to which logical interface on same physical interface. Without it FW can't know which packet to put where.
04-05-2018 06:32 AM
This really isn't how this is supposed to function and you cannot use untagged frames for all the sub-interfaces. Subinterfaces really are meant to connect multiple VLANs onto a single physical port, similar to how you would setup a single trunk port but use it to pass multiple VLANs. The biggest issue that you have here is that if you have everything untagged the switch and the firewall doesn't really understand what it's supposed to do with the traffic.
Can you say what you're actually attempting to accomplish with your setup? There may be a better solution that we can recommend to get things working correctly.
04-05-2018 06:40 AM
Thanks for your answer.
From our production network (e.g. 10.0.0.0/24) we'd like to connect to different DMZs which are protected by different vsys.
Example:
vsys 1 - internal IP in production network: 10.0.0.10/24
vsys 2 - internal IP in production network: 10.0.0.11/24
We'd like to trunk those two connections via one cable from the production network to the Palo device. If we would use a seperate VLAN for both vsys in between the production network and the Palo device it would require a major reconfiguration of our network infrastructure.
Regards,
Denis
04-06-2018 04:32 AM
VLAN tag is what detemines which packet goes to which logical interface on same physical interface. Without it FW can't know which packet to put where.
04-08-2018 11:17 PM
But the logical interfaces are also identified by a unique IP address. I don't understand why this is not enough to assign traffic to a specific logical interface.
04-08-2018 11:54 PM
The packet doesn't even get picked by routing process (virtual router) as PA can't even assign which vsys will handle it.
What are you trying to achieve? Why exactly do you need different vsys for those DMZs? And if you already need different vsys why are you using same network for both? Accessing both DMZs in your current configuration will not be an easy task, you will need host routes on clients.
04-09-2018 05:20 AM
Ok - I've realized that I cannot use untagged sub interfaces in my specific scenario.
Untagged sub interfaces are only for a specific scenario described in the links in my original post - beside this specific scenario untagged sub interfaces won't work. I will use tagged sub interfaces and different VLANs to communicate with the different vsys.
Thanks for your help.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
