
1/17/2019 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRkCAK

GETTING STARTED: LAYER 3 SUBINTERFACES


Created On 09/25/18 18:55 PM - Last Updated 09/25/18 23:11 PM

Resolution
I'VE UNPACKED MY FIREWALL AND WANT TO CONFIGURE VLANS — SUBINTERFACES
Now that your new Palo Alto Networks firewall is up and running, let's look at adding VLAN tags to the mix by creating Layer 3 subinterfaces. Our initial installments in the Get Started series described the
first steps after unpacking your firewall and getting it updated and configured in VWire or Layer 3 mode. Check out I've unpacked my firewall, now what? and I've unpacked my firewall and did what you
told me, now what?

There may be several network segments in your organization to segregate user workstations from public webservers. A good way to prevent these networks from communicating with each other is by
implementing VLANs on the core switch, preventing hosts located in one VLAN from communicating with hosts in another, without some form of bridge or gateway to connect both virtual networks.

The first configuration we'll look at builds on where we left off in the previous getting started guide. The firewall has Layer 3 interfaces and we're now going to change the trust interface so it can
communicate with a trunked switch interface.

The difference between a regular, or access, switchport configuration and a trunked switchport is that the access port does not alter the Ethernet header of any packet, whereas a trunk port
attaches a VLAN tag in the form of an IEEE 802.1Q header to each packet. This ensures that packets retain their VLAN information once they leave the switch, so the next host receiving them can treat
each VLAN as a different LAN network.

! Access port: every frame belongs to VLAN 100 and leaves the switch untagged
interface GigabitEthernet1/36
 switchport
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast

...reconfigure...

! Trunk port: frames leave with an 802.1Q tag, only VLANs 100 and 200 are carried
interface GigabitEthernet1/36
 switchport
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast
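As an added illustration (not code from the article or from Palo Alto Networks), the following Python snippet builds and parses Ethernet frames with and without the 802.1Q tag a trunk port inserts, and maps the 12-bit VLAN ID to the subinterface zones this guide uses (tag 100 = trust, tag 200 = dmz). MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # ethertype value that announces an 802.1Q tag follows

# Tag-to-zone mapping used in this guide (ethernet1/2.100 = trust, ethernet1/2.200 = dmz)
ZONE_BY_VID = {100: "trust", 200: "dmz"}

def build_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Assemble an Ethernet II frame; vid=None gives an untagged (access-port style) frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)  # PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Parse dst/src MAC, an optional 802.1Q tag, and the inner ethertype."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    pcp = dei = vid = None
    offset = 14
    if ethertype == TPID_8021Q:  # a trunk port inserted a tag after the source MAC
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "pcp": pcp, "dei": dei, "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}

def zone_for_frame(frame):
    """Name the subinterface zone on the trunked ethernet1/2 whose tag matches this frame."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return "no match: untagged frame"
    return ZONE_BY_VID.get(vid, f"no match: no subinterface with tag {vid}")

# Constructed sample frames (hypothetical MACs, IPv4 ethertype, zeroed 20-byte payload)
DST, SRC = "00:1b:17:00:00:01", "00:50:56:00:00:02"
TAGGED_100 = build_frame(DST, SRC, 100, 0x0800, bytes(20))
UNTAGGED = build_frame(DST, SRC, None, 0x0800, bytes(20))

if __name__ == "__main__":
    for name, f in [("tagged 100", TAGGED_100), ("untagged", UNTAGGED)]:
        print(name, parse_frame(f)["vid"], "->", zone_for_frame(f))
```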

We'll be switching our configuration from a regular interface to tagged subinterfaces.

1. Creating subinterfaces

The first step is to remove the IP configuration from the physical interface on the firewall.

1. Navigate to the Network tab.


2. Go to Interfaces on the left pane.
3. Open the interface configuration.
4. Navigate to the IPv4 tab.
5. Select the subnet.
6. Click Delete.


We can now go ahead and add a subinterface.

In the subinterface configuration, we need to assign an interface number and a tag. The tag needs to match the VLAN exactly, but the interface number may be different. For ease of management, it's best
to set it to the same ID as the VLAN tag. Add the interface to the 'default' Virtual Router and assign it to the 'trust' Security Zone.

Next, navigate to the IPv4 tab and add the IP to the interface.

Then navigate to the Advanced tab and set the Management Profile to 'ping.'


Next, we've added a webserver to the network and placed it in VLAN 200 on the switch.

So we'll need to add a second subinterface and set it to VLAN tag 200. We'll also create a new Security Zone so we can apply different security policy to it.

We'll call the new zone 'dmz'


and assign the interface a different IP subnet

and we'll also set the Management Profile to 'ping.'

Your interface configuration should now look similar to this:

2. Reconfigure DHCP

We will now need to move the DHCP server we created last time to the new subinterface.

1. Navigate to the Network tab.

2. Open the DHCP menu from the left pane.
3. Open the DHCP configuration for interface ethernet1/2.
4. Change the Interface to ethernet1/2.100 to match the new subinterface.

3. Create a new NAT policy

The next step is to create a NAT policy to allow hosts on the internet to reach the webserver via the external IP address of the firewall.

1. Navigate to the Policies tab.


2. Open the NAT configuration from the left pane.
3. Click Add to create a new NAT policy.

In the Original Packet tab, we set the source and destination zones to untrust, and the destination address to the external IP address of the firewall. The destination zone is untrust because the firewall
determines the destination zone of a received packet by looking up its destination address in the routing table. In this case, the original destination IP address, before NAT is applied, belongs to the untrust zone.

In the Translated Packet tab, we add the physical IP address of the webserver.

4. Add security policy

The last step is to create security policies to allow the trust and untrust zones to access the webserver.

1. Navigate to Policies.
2. Open the Security policies from the left pane.
3. Click Add to create a new rule and name it access_to_webserver.

For now, we'll set the source zone to 'untrust.'

We'll set the destination zone to 'dmz' and the destination address to the external IP of the firewall.

We'll enable application web-browsing.


Enable several security profiles to make sure the webserver is protected from attacks.

Repeat this step for a security policy from the trust zone, so additional applications can be added.

In the destination, we'll set the Security Zone to 'dmz' and the destination address to the internal IP address of the webserver.

Add additional applications for management.


Your security policy should now look similar to this:

After you commit this new configuration, interface ethernet1/2 will accept 'tagged' packets for VLAN 100 and 200 and the webserver will become available to the outside world.
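As an added example (not code from the article or from Palo Alto Networks), this Python model walks a new session through the NAT and security policy built in steps 3 and 4, reproducing the zone logic the guide relies on: the NAT rule is matched on the pre-NAT destination zone found via the routing table (untrust), while the security rule is matched on the post-NAT destination zone (dmz) but still on the original, pre-NAT destination address (the firewall's external IP). All IP addresses, the rule names other than access_to_webserver, and the 'ssh' management application are constructed assumptions, since the guide's screenshots are not reproduced.

```python
import ipaddress

# Constructed sample addressing (hypothetical; the guide's screenshots are not reproduced)
EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")   # firewall's untrust-side IP
WEBSERVER_IP = ipaddress.ip_address("10.0.200.10")    # webserver behind ethernet1/2.200

# Virtual router 'default': connected routes for the subinterfaces plus a default route
ROUTES = [
    (ipaddress.ip_network("10.0.100.0/24"), "ethernet1/2.100"),
    (ipaddress.ip_network("10.0.200.0/24"), "ethernet1/2.200"),
    (ipaddress.ip_network("203.0.113.0/24"), "ethernet1/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),
]
ZONE_OF = {"ethernet1/1": "untrust", "ethernet1/2.100": "trust", "ethernet1/2.200": "dmz"}

# NAT rule from step 3: destination zone is untrust because the external IP routes there
NAT_RULES = [
    {"name": "webserver_dnat", "from": "untrust", "to": "untrust",
     "dst": EXTERNAL_IP, "translated": WEBSERVER_IP},
]
# Security rules from step 4: destination zone is the post-NAT zone (dmz); the untrust
# rule still names the pre-NAT external IP, the trust rule names the webserver directly
SECURITY_RULES = [
    {"name": "access_to_webserver", "from": "untrust", "to": "dmz",
     "dst": EXTERNAL_IP, "apps": {"web-browsing"}},
    {"name": "trust_to_webserver", "from": "trust", "to": "dmz",
     "dst": WEBSERVER_IP, "apps": {"web-browsing", "ssh"}},  # 'ssh' stands in for management apps
]

def zone_for_ip(ip):
    """Longest-prefix lookup in the virtual router, then egress interface -> zone."""
    _net, iface = max(((n, i) for n, i in ROUTES if ip in n), key=lambda r: r[0].prefixlen)
    return ZONE_OF[iface]

def evaluate(src_zone, dst_ip, app):
    """Return (action, rule name, post-NAT destination IP) for a new session."""
    pre_nat_zone = zone_for_ip(dst_ip)          # NAT lookup uses the pre-NAT destination zone
    translated = dst_ip
    for rule in NAT_RULES:
        if (rule["from"], rule["to"], rule["dst"]) == (src_zone, pre_nat_zone, dst_ip):
            translated = rule["translated"]
            break
    post_nat_zone = zone_for_ip(translated)     # security lookup uses the post-NAT zone ...
    for rule in SECURITY_RULES:                 # ... but the original destination address
        if (rule["from"] == src_zone and rule["to"] == post_nat_zone
                and rule["dst"] == dst_ip and app in rule["apps"]):
            return ("allow", rule["name"], translated)
    return ("deny", "interzone-default", translated)

if __name__ == "__main__":
    print(evaluate("untrust", EXTERNAL_IP, "web-browsing"))
```

A rule written with destination zone 'untrust' instead of 'dmz' would never match in this model, which is why the guide sets the security rule's zone to 'dmz' while keeping the external IP as its address.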

Thank you for reading—please leave any comments in the comment section below.

Regards,

Tom

If you've enjoyed this article, please also take a look at the follow-up article:

I've unpacked my firewall, but where are the logs?
