Palo Alto Networks Knowledgebase: Getting Started: Layer 3 Subinterfaces

Getting Started: Layer 3 Subinterfaces

51261
Created On 07/18/19 19:25 PM - Last Updated 07/18/19 20:11 PM
Interfaces Layer 3 VLAN PAN-OS
Symptom
Now that your new Palo Alto Networks firewall is up and running, let's look at adding VLAN tags to the mix by creating Layer 3 subinterfaces. Our initial installments in the Get Started series described the first steps after unpacking your firewall and getting it updated and configured in VWire or Layer 3 mode. Check out I've unpacked my firewall, now what? and I've unpacked my firewall and did what you told me, now what? 

There may be several network segments in your organization to segregate user workstations from public web servers. A good way to prevent these networks from communicating with each other is by implementing VLANs on the core switch, preventing hosts located in one VLAN from communicating with hosts in another, without some form of bridge or gateway to connect both virtual networks.



Resolution

 

The first configuration we'll look at builds on where we left off in the previous getting started guide. The firewall has Layer 3 interfaces and we're now going to change the trust interface so it can communicate with a trunked switch interface.

The difference between a regular, or access, switchport configuration and a trunked switchport, is that the access port will not tamper with the Ethernet header with any packets, whereas a trunk port will attach a VLAN tag in the form of a IEEE 802.1Q header to packets. This ensures that packets retain VLAN information outside the switch and should be treated as different LAN networks by the next host receiving these packets.

 

interface GigabitEthernet1/36
 switchport
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast

...reconfigure...

interface GigabitEthernet1/36
 switchport
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast

We'll be switching our configuration from a regular interface to tagged subinterfaces.

 

1. Creating subinterfaces

 

The first step is to remove the IP configuration from the physical firewall.

  1. Navigate to the Network tab.
  2. Go to Interfaces on the left pane.
  3. Open the interface configuration.
  4. Navigate to the IPv4 tab.
  5. Select the subnet.
  6. Click Delete.

delete ip

 

We can now go ahead and add a subinterface.

add subinterface

 

In the subinterface configuration, we need to assign an interface number and a tag. The tag needs to match the VLAN exactly, but the interface number may be different. For ease of management, it's best to set it the same id as the VLAN tag. Add the interface to the 'default' Virtual Router and assign it to the 'trust' Security Zone.

 

subinterface

 

Next, navigate to the IPv4 tab and add the IP to the interface.

subinterface IP address

 

Then navigate to the Advanced tab and set the Management Profile to 'ping.'

set subinterface management profile

 

Next, we've added a web server to the network and placed it in VLAN 200 on the switch.

 

2015-10-28_09-43-07.png

So we'll need to add a second subinterface and set it to VLAN tag 200. We'll also create a new Security Zone so we can apply different security policy to it.

subinterface make new zone

 

We'll call the new zone 'dmz'

new zone dmz

 

and assign the interface a different IP subnet

assign subnet to interface

 

and we'll also set the Management Profile to 'ping.'

subinterface management profile

 

Your interface configuration should now look similar to this:

interfaces

 

2. Reconfigure DHCP

 

We will now need to move the DHCP server we created last time to the new subinterface.

  1. Navigate to the Network tab.
  2. Open DHCP menu from the left pane.
  3. Open the DHCP configuration for interface ethernet1/2.
  4. Change the Interface to ethernet1/2.100 to match the new subinterface.

update dhcp settings

 

3. Create a new NAT policy

 

The next step is to create a NAT policy to allow hosts on the internet to reach the webserver via the external IP address of the firewall.

  1. Navigate to the Policies tab.
  2. Open NAT configuration from the left pane.
  3. Click Add to create a new NAT policy.

 

add NAT policy

 

In the Original Packet tab, we set the source and destination zones to untrust, the destination interface to the external interface and the destination address to the external IP address of the firewall. The destination zone is untrust because the firewall will try to determine the destination zone of a received packet based on its routing table. In this case, the original destination IP address, before NAT is applied, belongs to the untrust zone.

original packet

 

In the Translated Packet tab, we add the physical IP address of the webserver.

destination nat

 

4. Add security policy

 

The last step is to create security policies to allow the trust and untrust zone to access the web server.

  1. Navigate to Policies.
  2. Open the Security policies from the left pane.
  3. Click Add to create a new rule and name it access_to_webserver.

add security policy

For now, we'll set the source zone to 'untrust.'

source

 

We'll set the destination to 'dmz' and the destination address to the external IP of the firewall.

destination

 

We'll enable application web-browsing.

web-browsing

 

Enable several security profiles to make sure the webserver is protected from attacks.

action and security profiles

 

Repeat this step for a security policy from the trust zone, so additional applications can be added.

2015-10-28_10-31-46.png

 

In the destination, we'll set Security Zone 'dmz' and the internal IP address of the webserver.

2015-10-28_11-00-29.png

 

Add additional applications for management.

2015-10-28_10-32-55.png

 

Your security policy should now look similar to this:

2015-10-28_11-12-49.png

 

After you commit this new configuration, interface ethernet1/2 will accept 'tagged' packets for VLAN 100 and 200 and the webserver will become available to the outside world.

 

Thank you for readingplease leave any comments in the comment section below.

 

Regards,

Tom

 

If you've enjoyed this article, please also take a look at the follow-up article:

I’ve unpacked my firewall, but where are the logs?



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRkCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language