VLAN Insertion and subinterface - VLAN1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VLAN Insertion and subinterface - VLAN1

L0 Member

Hi, I'm new to the community and am trying to assist a customer as they work on a PAN and SW integration for an industrial setup. Customer has setup a L2 network between different industrial devices that seat in different VLANs and are all connected through a L2 HPE Switch. This switch has all 3-4 VLAN's in a trunk to a Palo Alto firewall using Layer 2 sub interfaces in the firewall side. There is a feature called VLAN insertion which I believe is what customer has been using to provide this L2 integration. 

 

The issue here seems to be with VLAN 1 communication with the other VLANs part of this environment. VLAN 1 is also trunked and configured as a subinterface in the firewall side.

Switch works in a L2 mode and it has a single L3 interface under VLAN1 which is also used for management. I'm curious to understand how the VLAN insertion works in a L2 environment to see if either having an IP on VLAN 1 at the switch side would be causing any issues on the traffic back from SW to PAN? If customer deletes the IP from VLAN 1 and configure an IP for one of the other VLANs, the issue now moves to this latest VLAN.

We are not talking L3 at the moment and the PAN should support the L2 communication through the L2 interfaces but I'm looking for more clarification on the feature and if somebody run into a similar scenario? 

Does VLAN 1 requires a subinterface at the Firewall configuration or as being a default VLAN this is not required? VLAN 1 is required due to some hypervisors and SW has to have at least one IP to be managed.

 

3 REPLIES 3

Cyber Elite
Cyber Elite

hi @rbartholomeu  are you encountering an issue or just curious about vlan insertion?

 

vlan insertion basically makes the firewall a bridge between multiple vlans without needing to take spanning tree into account; You set up multiple layer2 subinterfaces, assign them a zone and then create security rules between those zones. The firewall is then able to pass sessions along from one vlan to the next

 

vlan1 can be tricky as some switches consider this a privileged vlan, and handle it differently from other vlan tags: it could be that vlan1 is sent onto a trunk untagged in which case you would need to configure the physical interface to account for this vlan, instead of a tagged sub interface

 

 

hope this helps

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for the explanation, Tom.

 

Yes, we are having an issue with VLAN 1 communicating with the other VLANs through the subinterfaces in this L2 setup. As I mentioned, the L2 HPE Switch has an IP for VLAN 1 which is also used for management. If we transfer/create an IP in a different VLAN part of the setup and remove the IP address from VLAN 1 from the L2 switch, VLAN 1 now works and the problem moves over to the new VLAN that has an IP address.

 

It seems weird as this is a  simple L2 setup and like you mentioned, the firewall is bridging between these different VLANs. VLAN 1 is part of the trunk (tagged) and it has a subinterface defined. STP, loop protection, firewall rules are all taken care of to remove any possible communication issues.

We'll do a packet trace in the uplink interface and maybe a slight change at the trunk to also allow VLAN1 untagged but not sure if this last move would bring any improvements though. 

L1 Bithead

You may please check the native VLAN configuration and tweak as required. Pleaserefer below:

"To support the PVST+ BPDU rewrite feature, PAN-OS supports the concept of a PVST+ native VLAN. Frames sent to and received from a native VLAN are untagged with a PVID equal to the native VLAN. All switches and firewalls in the same Layer 2 deployment must have the same native VLAN for PVST+ to function properly. Although the Cisco native VLAN defaults to vlan1, the VLAN ID could be a number other than 1."

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/layer-2-in... 

  • 5617 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!