
VLAN Insertion and subinterface - VLAN1


L0 Member

Hi, I'm new to the community and am trying to assist a customer as they work on a PAN and SW integration for an industrial setup. The customer has set up a L2 network between different industrial devices that sit in different VLANs and are all connected through a L2 HPE Switch. This switch has all 3-4 VLANs in a trunk to a Palo Alto firewall using Layer 2 subinterfaces on the firewall side. There is a feature called VLAN insertion which I believe is what the customer has been using to provide this L2 integration.

 

The issue here seems to be with VLAN 1 communication with the other VLANs that are part of this environment. VLAN 1 is also trunked and configured as a subinterface on the firewall side.

The switch works in L2 mode and it has a single L3 interface under VLAN1 which is also used for management. I'm curious to understand how VLAN insertion works in a L2 environment, to see if having an IP on VLAN 1 at the switch side could be causing any issues on the traffic back from SW to PAN. If the customer deletes the IP from VLAN 1 and configures an IP for one of the other VLANs, the issue now moves to this latest VLAN.

We are not talking L3 at the moment and the PAN should support L2 communication through the L2 interfaces, but I'm looking for more clarification on the feature and whether somebody has run into a similar scenario.

Does VLAN 1 require a subinterface in the firewall configuration, or, being the default VLAN, is this not required? VLAN 1 is required due to some hypervisors, and the SW has to have at least one IP to be managed.

 

3 REPLIES

Cyber Elite

hi @rbartholomeu, are you encountering an issue or just curious about vlan insertion?

 

vlan insertion basically makes the firewall a bridge between multiple vlans without needing to take spanning tree into account; you set up multiple layer2 subinterfaces, assign them a zone and then create security rules between those zones. The firewall is then able to pass sessions along from one vlan to the next.

 

vlan1 can be tricky as some switches consider this a privileged vlan and handle it differently from other vlan tags: it could be that vlan1 is sent onto a trunk untagged, in which case you would need to configure the physical interface to account for this vlan instead of a tagged subinterface.
hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
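To make the untagged-native-VLAN point concrete for the packet trace being planned, here is a small added example (not from the original post, not Palo Alto's code) that parses the 802.1Q header of captured frames and reports which firewall L2 interface each frame would land on: untagged frames take the native PVID and arrive on the physical interface, tagged frames match a subinterface by VID. The interface names, MAC addresses and frames are constructed assumptions.

```python
import struct

DOT1Q = 0x8100  # 802.1Q tag protocol identifier

def parse_vlan(frame: bytes):
    """Return (vid, inner_ethertype); vid is None for untagged or priority-tagged (VID 0) frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != DOT1Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF  # low 12 bits of the TCI; PCP/DEI bits are ignored here
    return (vid or None), inner

def classify(frame: bytes, subinterfaces: dict, physical: str = "ethernet1/1", native_vid: int = 1):
    """Map one frame to the firewall L2 interface that would receive it.
    subinterfaces: {vid: tagged subinterface name}. Untagged frames are assigned the
    native PVID and land on the physical interface, never on a tagged subinterface."""
    vid, _ = parse_vlan(frame)
    if vid is None:
        return {"vid": native_vid, "tagged": False, "interface": physical}
    # A tagged frame with no matching subinterface has nowhere to go (interface=None).
    return {"vid": vid, "tagged": True, "interface": subinterfaces.get(vid)}

def build_frame(dst_mac: str, src_mac: str, vid=None, payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a minimal IPv4-over-Ethernet frame, optionally 802.1Q tagged (sample data only)."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vid is None:
        return hdr + struct.pack("!H", 0x0800) + payload
    return hdr + struct.pack("!HHH", DOT1Q, vid & 0x0FFF, 0x0800) + payload

def trace_summary(frames, subinterfaces):
    """Count frames per (vid, tagged, interface), the way a quick pass over a capture would."""
    counts = {}
    for f in frames:
        c = classify(f, subinterfaces)
        key = (c["vid"], c["tagged"], c["interface"])
        counts[key] = counts.get(key, 0) + 1
    return counts

# Assumed firewall layout: tagged subinterfaces for VLANs 1, 10 and 20 on ethernet1/1.
SUBIFS = {1: "ethernet1/1.1", 10: "ethernet1/1.10", 20: "ethernet1/1.20"}

if __name__ == "__main__":
    sw_mgmt = "00:11:22:33:44:55"  # constructed switch management MAC (VLAN 1, sent untagged)
    host10 = "66:77:88:99:aa:bb"   # constructed host MAC in VLAN 10
    sample = [build_frame(host10, sw_mgmt), build_frame(host10, sw_mgmt), build_frame(sw_mgmt, host10, 10)]
    for key, n in trace_summary(sample, SUBIFS).items():
        print(key, n)
```

If the summary shows VLAN 1 traffic only as untagged frames on the physical interface while `ethernet1/1.1` sees nothing, the `.1` subinterface is not where that traffic arrives, which is the situation the reply above describes.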

Thanks for the explanation, Tom.

 

Yes, we are having an issue with VLAN 1 communicating with the other VLANs through the subinterfaces in this L2 setup. As I mentioned, the L2 HPE Switch has an IP for VLAN 1 which is also used for management. If we transfer/create an IP in a different VLAN that is part of the setup and remove the IP address from VLAN 1 on the L2 switch, VLAN 1 now works and the problem moves over to the new VLAN that has an IP address.

 

It seems weird as this is a simple L2 setup and, like you mentioned, the firewall is bridging between these different VLANs. VLAN 1 is part of the trunk (tagged) and it has a subinterface defined. STP, loop protection and firewall rules are all taken care of to remove any possible communication issues.

We'll do a packet trace on the uplink interface, and maybe a slight change to the trunk to also allow VLAN1 untagged, but I'm not sure if this last move would bring any improvements.

L1 Bithead

You may please check the native VLAN configuration and tweak as required. Please refer below:

"To support the PVST+ BPDU rewrite feature, PAN-OS supports the concept of a PVST+ native VLAN. Frames sent to and received from a native VLAN are untagged with a PVID equal to the native VLAN. All switches and firewalls in the same Layer 2 deployment must have the same native VLAN for PVST+ to function properly. Although the Cisco native VLAN defaults to vlan1, the VLAN ID could be a number other than 1."

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/layer-2-in... 
