Palo Alto Firewall: How to configure VLAN Interface

1. The purpose of the article

In this article, techbast will guide you through configuring a VLAN Interface on a Palo Alto firewall device.

To better understand what the vlan interface is and how it is used, we will go through section 2.

2. What is VLAN interface and what is it for?

A Palo Alto VLAN interface is a concept similar to a Bridge Port or Group Port: it is a virtual port that groups 2 or more interfaces into a single port with the same number of connections as the number of ports added.

This is different from Port-Channel or Link Aggregation, which group many ports together and provide a single connection.

We often use VLAN Interfaces to expand the connectivity of devices while ensuring those devices remain in the same DHCP range.

For example, you have a Palo Alto firewall device on which port 1 is configured with a DHCP allocation range of 192.168.1.2-100/24. When devices are plugged into this port, they receive an IP from the assigned DHCP range.

But suddenly one day you want to add a device to port 2 and still want that device to receive an IP from the same range as port 1. The VLAN Interface will help you do that.

Techbast has prepared a diagram, a scenario, the steps to take and how to configure them; we will go through these in the next sections.

3. Diagram

Details:

  • First, we have an internet connection through the ISP’s modem, which is configured in bridge mode, with PPPoE configured on the MGMT port of the Palo Alto firewall with IP 113.161.x.x.
  • Next, in the LAN area, a VLAN interface with IP 10.0.0.1/24 has been created and 2 ports, port 1 and port 2, have been added to it.
  • A DHCP Server was created on this VLAN Interface with an IP range from 10.0.0.2/24 to 10.0.0.100/24.
  • Finally, there are two computers: PC 1 is connected to port 1 of the Palo Alto device and PC 2 is connected to port 2 of the Palo Alto device.

4. Scenario

As you can see on the diagram, we will configure a VLAN Interface so that the 2 computers, PC 1 and PC 2, get IP addresses in the same 10.0.0.0/24 network even though they are connected to 2 different ports.

5. What to do

  • Create Zone
  • Configure interface ethernet1/1 and ethernet1/2
  • Create VLAN Interface
  • Add ethernet1/1 and ethernet1/2 to VLAN Interface
  • Create Virtual Router
  • Create DHCP Server for VLAN Interface
  • Result

6. Configuration

6.1. Create Zone

First we need to create zones for the interfaces; here we create 2 zones, Trust-Player2 and Trust-Player3.

To create zone go to Network > Zones > Click Add.

Create zone Trust-Player2 with the following information:

  • Name: Trust-Player2
  • Type: Layer2
  • Click OK to save.

Create zone Trust-Player3 with the following information:

  • Name: Trust-Player3
  • Type: Layer3
  • Click OK to save

Click Commit and click OK to save the changed configurations.

6.2. Configure interface ethernet1/1 and ethernet1/2

To configure interfaces go to Network > Interfaces > Ethernet.

Click on the name of interface ethernet1/1 and configure with the following information:

  • Interface Type: Layer2
  • Click OK to save

Similarly click on the name of interface ethernet1/2 and configure the following information:

  • Interface Type: Layer2
  • Click OK to save

Click Commit and click OK to save the changed configurations.

6.3. Create VLAN Interfaces

To create VLAN Interface go to Network > Interfaces > VLAN.

Click on the name of the available vlan interface and configure the following parameters:

Tab Config:

  • Security Zone: Trust-Player3

Tab IPv4:

  • Type: select Static
  • Click Add and enter IP address 10.0.0.1/24.

Click OK to save

Click Commit and click OK to save the configuration changes.

6.4. Add ethernet1/1 and ethernet1/2 to VLAN Interface

To add go to Network > VLANs.

Click Add and configure the following information:

  • Name: VLAN_Interface
  • VLAN Interface: Select the VLAN port you configured in step 6.3.
  • In the Interfaces panel: click Add and select the 2 ports ethernet1/1 and ethernet1/2
  • Click OK to save

Click Commit and click OK to save the configuration changes.

6.5. Create Virtual Router

We need to create a Virtual Router and add the vlan interface to it so that we can create a DHCP Server for the VLAN interface.

To create a Virtual Router go to Network > Virtual Routers.

Click Add and enter the following information.

Tab Router Settings:

  • Name: VR1
  • Interface panel: Click Add and select the vlan interface.
  • Click OK to save.

Click Commit and click OK to save the configuration changes.

6.6. Create DHCP Server for VLAN Interface

The last step is to create a DHCP Server for the VLAN Interface so that when a device is plugged into this port, it receives an assigned IP.

To create it go to Network > DHCP.

Click Add and configure the following parameters.

Tab Lease:

  • Interface: select vlan
  • IP Pools panel: Click Add and enter the range of IP to allocate.

Tab Options:

  • Gateway: Enter the IP of the vlan interface, 10.0.0.1.
  • Subnet mask: 255.255.255.0
  • Primary DNS: You can enter internal DNS if any, here I enter Google DNS.
  • Secondary DNS: Similar to Primary DNS.
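
Before committing, the addressing entered in steps 6.3 and 6.6 can be checked for consistency. The script below is an added example, not part of the original article or of any Palo Alto tooling; the function names are hypothetical, and the pool is assumed to be written as "start-end" using the range from section 3.

```python
import ipaddress

def _pool_bounds(pool):
    # Split "start-end" into two address objects.
    start_s, end_s = (part.strip() for part in pool.split("-", 1))
    return ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)

def check_dhcp_plan(interface_cidr, pool, gateway, subnet_mask):
    """Return a list of problems in a DHCP plan for a VLAN interface."""
    problems = []
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start, end = _pool_bounds(pool)
    if start > end:
        problems.append("pool start is above pool end")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    # Handing out the firewall's own address would cause an IP conflict.
    if start <= iface.ip <= end:
        problems.append(f"pool contains the interface address {iface.ip}")
    # Clients must use the vlan interface as their default gateway.
    if ipaddress.ip_address(gateway) != iface.ip:
        problems.append(f"gateway {gateway} is not the interface address {iface.ip}")
    if ipaddress.ip_address(subnet_mask) != net.netmask:
        problems.append(f"subnet mask {subnet_mask} does not match /{net.prefixlen}")
    return problems

def pool_size(pool):
    """Number of addresses the pool can lease."""
    start, end = _pool_bounds(pool)
    return int(end) - int(start) + 1

if __name__ == "__main__":
    # Values from this article: vlan interface 10.0.0.1/24, pool 10.0.0.2-10.0.0.100.
    plan = ("10.0.0.1/24", "10.0.0.2-10.0.0.100", "10.0.0.1", "255.255.255.0")
    print("problems:", check_dhcp_plan(*plan) or "none")
    print("leasable addresses:", pool_size(plan[1]))
    # Constructed mistake: the 192.168.1.x range from section 2 left in the pool.
    for p in check_dhcp_plan("10.0.0.1/24", "192.168.1.2-192.168.1.100",
                             "10.0.0.1", "255.255.255.0"):
        print("problem:", p)
```
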

6.7. Result

We will connect the PC1 device to the ethernet1/1 port and the PC2 device to the ethernet1/2 port.

As a result, PC1 and PC2 receive the IPs 10.0.0.2 and 10.0.0.3, respectively, from the DHCP Server created for the VLAN Interface. As stated in the scenario, PC1 and PC2 both get IPs that belong to the same network.
