cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

VLAN with Palo Alto Networks PA-500

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
RCHAIBI
L2 Linker
‎10-15-2015 02:32 AM
‎10-15-2015 02:32 AM

VLAN with Palo Alto Networks PA-500

Hello,

 

We need to set up a VLANS in the office with the PA-500 but we don't like to change our address. It's possible to configure a VLANs with MAC address or protocole with PA-500?

Thanks 

0 Likes
Reply
_slv_
L4 Transporter
‎10-15-2015 02:47 AM
‎10-15-2015 02:47 AM

Hello

 

Did You read this https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-L3-Untagged-Subinterfac... ?

 

>It's possible to configure a VLANs with MAC address or protocole with PA-500?

 

Could You be more specific?

 

 

Regards

Slawek

0 Likes
Reply
reaper
L7 Applicator
‎10-15-2015 04:32 AM
‎10-15-2015 04:32 AM

Hi there

 

To enable vlan tags you should not be required to change IP addressing

 

assuming you start off with a simple L3 interface (let's say eth1/2) with ip range 192.168.0.0/24 which you want to move into vlan 10 it would suffice to take the following steps to make it work:

 

  • delete the ip configuration from eth1/2
  • create a l3 subinterface to eth1/2 and set the tag to 10,
  • assign it the appropriate zone and add it to the same virtual router
  • add the ip range to eth1/2.10
  • set the switch port from access to trunk and enable vlan10
  • commit the firewall
  • save/commit the switch

repeat the above process for all the vlans you want to split off, tagging each subinterface with the vlan you want to use

 

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Reply
RCHAIBI
L2 Linker
‎10-15-2015 06:19 AM
‎10-15-2015 06:19 AM

Hi,

Thank you very much for your response !

@_slv_ Yes, I read this document and want to use the mac address for not change the ip address range in our office.

@reaper Yes , I do this for the IT departments . I follow all this steps and I put the employees in the VLAN10. But for the HR departments I want to use other vlan 11 without change the IP address. It's possible to do the segmentation of the network with the mac address or the protocol ?? . Can you please help me for this 

 

Thank you very much for your cooperation 

0 Likes
Reply
reaper
L7 Applicator
‎10-15-2015 06:31 AM
‎10-15-2015 06:31 AM

ok, so all your users are located in the same subnet

 

on a larger platform you could enable Virtual Systems and have the 2 vlans on  a different virtual instance. on a PA-500 unfortunately that is not supported, so you will probably need to segment your subnet into smaller parts to have the least impact.

 

we can't split that up based on MAC or protocol

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
0 Likes
Reply
Raido
L7 Applicator
‎10-15-2015 06:32 AM
‎10-15-2015 06:32 AM

Can you explain more what is your goal?

You can allow or block traffic based on source ip or source user.

Palo can't throw packets into diferent vlans based on soure mac address.

 

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
0 Likes
Reply
RCHAIBI
L2 Linker
‎10-15-2015 06:43 AM
‎10-15-2015 06:43 AM

Hi, 

@reaper Thank you very much for your response !

 

@Raido : the Goal is to do the segmentation of the network without change the ip address range . I want for exemple to do the segmentation based on MAC address of protocole .

0 Likes
Reply
Gertjan-HFG
L3 Networker
‎10-15-2015 07:08 AM
‎10-15-2015 07:08 AM

Hi,

 

Its possible: put departments in different vlan's and use vwires between the vlan's to connect them.

0 Likes
Reply
Raido
L7 Applicator
‎10-15-2015 07:09 AM
‎10-15-2015 07:09 AM

If you really want then you can configure firewall on Layer 2 also with Palo. Then it works as a switch. You have Layer 2 zones and you can create rules between them. All machines can be in same ip range.

In this case no need to change ip addresses.

You never design this from scratch but if environment is place then it can be used as workaround.

 

Throwing out google search link so you can check if this is something you need.

https://www.google.ie/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=palo+alto+networks+firew...

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
0 Likes
Reply
RCHAIBI
L2 Linker
‎10-15-2015 07:25 AM
‎10-15-2015 07:25 AM

hi,

@Gertjan-HFG can you please explain more what i have doing ?

@Raido the only solution that i find it is to to the segmentation with ip address with subinterfaces and add the necessary tags for the vlan and in the switch i should configure a trunk port . I  should in this way change the ip address range :( 

I don't know what should i do to realease my goal ?. how should i use PA-500 in L3 and L2 mode to do the segmentation without changing the ip address range ?? 

 

Thank you for all your helps

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks