This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

What's The Difference Between Interface VLANs Tab and VLANS Section In Sidebar? (PA-220)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What's The Difference Between Interface VLANs Tab and VLANS Section In Sidebar? (PA-220)

Go to solution
DSzymanski
L0 Member

‎06-14-2018 06:16 AM

Hi all,

 

I'm confused as to what the difference is between the "VLAN" tab under "Interfaces" in "Network and the "VLANs" section in the sidebar in "Network"? My goal is to create a couple of different VLANs for a network where certain traffic has to be segmented from other traffic. All of my ports are operating on L3.

 

Thanks!

0 Likes Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
BPry
Cyber Elite
Cyber Elite

‎06-14-2018 08:40 AM

@DSzymanski,

So if we look at your stated goal you don't actually need to be configuring VLAN objects or VLAN interfaces at all, because you already have all the ports operation on Layer3. In this situation what you would do is the following. 

1) Configure a 'Trunk' port on the switch that connects to the firewall via one of those Layer3 interfaces that you have configured. Allow whatever VLANs you want on that Trunk port. 

2) Create subinterfaces on the Layer3 interface that is connected to the Trunk port and properly setup the 'Tag' value to match the VLAN that has been configured on the switch. 

3) Assign the Default-Gateway IP of the VLAN to the subinterface associated with that VLAN. 

4) Assign the subinterface whatever Security Zone you want on the firewall. If you are looking to segment traffic you may have a 'Server' 'Client' 'Internal' or whatever zone that you configure depending on what you are segmenting in the VLANs. 

5) Update the security policy so that this new configuration is taken into account. 

6) Update any routing statements that need to be made. 

View solution in original post

7 REPLIES 7

Go to solution
BPry
Cyber Elite
Cyber Elite

‎06-14-2018 06:48 AM

@DSzymanski,

The VLAN listing directly under the Network tab is where you essentially configure the common name of the VLAN that you want to setup along with any static MAC config that you need. The VLAN interface configureation is where you are actually going to setup the interface tag, assign the VLAN you configured earlier to the VLAN interface, assign the interface to the virtual router and security zone and give the VLAN interface it's IP address. 

Go to solution
DSzymanski
L0 Member
In response to BPry

‎06-14-2018 07:00 AM

Hey BPry,

 

Thanks so much for getting back to me. Just one more question for you if you don't mind. What is the purpose of assigning an IP address to the VLAN interface? Shouldn't it just use the IP address I have specified for the subinterface by default?

 

Thanks again for taking the time. I greatly appreciate it!

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to DSzymanski

‎06-14-2018 07:32 AM

@DSzymanski,

 

Depending on your LAN routing you could assign the default gateway of the VLAN as the VLAN interface IP and no matter what path is up the gateway would be assessible. So the interface on the firewall may be assigned 10.191.132.2 and another interface might be 10.191.132.3, since the VLAN interface is acting as the gateway it doesn't matter if one of the interfaces go down. 

 

Now if you only have 1 interface acting as a 'Trunk' so to speak it doesn't matter what you do here because you won't see a benefit of assigning the VLAN interface as the gateway as if that 'Trunk' interface ever loses connection you still won't have a path to the gateway. In this scenario you mise as well assign the gateway ip to the interface in question instead of the VLAN interface. 

Go to solution
DSzymanski
L0 Member
In response to BPry

‎06-14-2018 07:43 AM

So are you saying then that it is possible to create the VLANs without assigning them an IP? Or is it required that they have an IP? What I'm getting from your previous response is that the VLAN relies on the interface IP address anyway and therefore it is optional whether or not I want to assign an IP address to the VLAN. Is this correct?

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks