vLAN clarification & help

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

vLAN clarification & help

L3 Networker

At my place of employment we've implemented a couple PAN-2020s in HA and have defined about 6 to 8 networks 1 attached to 1 physical port in a L3 configuration. We have cables running to a switch that each are untagged with different vLAN ID's (LAN = Default_VLAN, DMZ = DMZ_VLAN, etc). The vLAN'ing is done on the switch (HP ProCurve 2810-48G) and other ports are tagged and represented to VMware hosts.

PAN --> HP 2810-48G ==< VMware HOSTs

I have a few open ports, but am needing to create about 3 more networks to use and have quickly run out of physical ports.

For those of you who have done this, or any PAN techs helping out here, what is the best practice for implementing vLANS in this type of environment.  I've seen some example of L2 configurations as well as L3 and I am a bit confused on what is best.

What is the best way to make a handful of physical ports aggregate  on the firewall to present those vLANs to the switches, and then to the VMware hosts without doing that over just one cable? Do I need to configure the vLANs on the switch as well and tag those ports?

I realize these are a lot of questions - unfortunately the project was escalated a few months ago and I did not get sufficient time to design this out, so it's made it hard to design well, and I have some opportunity to implement changes before this environment goes 100% into production. So I don't have quite the liberty to test this out. Smiley Sad

Am I on the right track with this document?

Thanks for all your help!

5 REPLIES 5

L5 Sessionator

For terminating multiple VLANs on the same physical interface, multiple tagged sub-interfaces should be created

refer :

https://live.paloaltonetworks.com/docs/DOC-1805

-Ameya

Can you aggregate these across interfaces?

Per this discussion: can you set one of the sub interfaces to have the route while all the others are just tagged?

For example:

eth1/8.8 10.55.1.1/24

eth1/9.8 - blank -?

Yeah,this configuration was accepted by the firewall.

PFA

VLaN-tag.GIF

-Ameya

I had one additional question pertaining to this initial question. 

So within my network, I have setup all the VLANs on L3 interfaces, with no networks defined (untagged) - everything works great.  However, when I define a network on another L3 interface, without any VLANing all my networking goes crazy. The reason I am needing to do this is because some devices that have management interfaces (like our SAN, PAN FWs, and KVM) does not support vlan tagging on their interfaces.  But since I can't specify a network on the default vlan L3 interface, I am now unable to manage these devices (without buying another switch. So my question was, can I create another virtual router and setup a L3 interface with the untagged vlan and network (a management network of sorts) present that to the default vlan on my switch, to manage such devices and then just route traffic between the to VRs? Does that make sense.  Anyone else run into this before?

  • 4213 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!