This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
About Walter_Lees
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Walter_Lees
01-15-2023
1Post
0Likes
0Solutions
Jan 15, 2023Last Visited
User
Activity
User
Profile
Latest posts by Walter_Lees
| Subject | Views | Posted |
|---|---|---|
| 576 | 11-29-2022 07:12 AM |
User Badges
Community Statistics
| Member Since | 07-14-2021 06:19 AM |
| Date Last Visited | 01-15-2023 02:16 PM |
| Posts | 1 |
02-04-2023
04:30 PM
Hello @ismunandi thanks a lot for your time and for your colaboration.
I confirm that the key point in layer 2 is to create the Network-Vlans and integrate both interfaces in and out ok, this in use of "Layer 2 interfaces" but then vwire with subinterfaces does not support retag or vlan translation? Only interfaces in layer 2? So it is not compatible vlan translation/retag vlan with taged vlan on Vwire with subinterfaces ?
Now a question I saw something similar with a client recently with PortChannel/subinterfaces-interfaces layer 2" It does not happen or does not happen to you that in the traffic-log-monitor, you see both the client to server and server to client flow of the session, the normal thing is only to see the c2s flow, save go to the browser session, but I have seen that the retag or address translation causes this, that you see example (and I do not mean log Star anda end policy) you see of a connection, the normal thing is to see: 10.10.10.10 to 192.168.1.100 SPORT 45650 to SPORT 443. The normal but in environments that I have seen with retag or vlan translation to see both flows in the traffic log is 10.10.10.10 to 192.168.1.100 SPORT 45650 to dport 443 and vice versa 192.168.1.100 to 10.10.10.10 SPORT 443 dport 45650, is the different behavior that I see with retag or vlans translation in production.
I have seen this behavior with Layer 2/Portchannel/Subinterface and applying a Retag/Translation ( Network-VLANs ).
Switch===IN==Subinterfaces VLAN TAG 100,200,300,400 ====PALO-ALTO-FW=====OUT==VLAN TAG 101,201,301,401.
Networks-VLANs: VLAN_100_101: AE1.100 and AE2.101 subinterfaces, VLAN_200_201: AE1.200 and AE2.201 subinterfaces, VLAN_300_301: AE1.300 and AE2.301 subinterfaces, etc.
In this environment with Translation-VLAN-Retag, it happens that in the traffic-monitor log, they look different, which does not happen with routed interface, with vwire or layer 2, without retag, but with retag/translation, as you exemplify this with an existing implementation that already has a client, you see in the traffic logs for a single connection, a single, single connection, where you typically only see 10.10.10.100 to 10.10.100.100 sport:45650 to dport:22, which It is normal to only see the flow from client to server, but in this case with retag you see a single connection, you see both flows in the traffic log (not session browser, I mean log traffic monitor), that is, you see c2s flow: 10.10.10.100 to 10.10.100.100 sport:45650 to dport:22 and also the s2c flow 10.10.100.100 sport:22 to 45650. This topic really has me very confused, because normally in the traffic log you only see how I say the flow c2s, but with ambient retag you see cs2/s2c.
Examples:
Thanks a lot
Cheers
@ismunandi
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-15-2023
02:16 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks