Palo Alto Networks: How to configure VLAN Trunking

1. Purpose of the article

This article shows how to configure VLAN trunking between a Palo Alto firewall and a switch in a multi-VLAN network.

2. Diagram

Details:

The diagram shows the Palo Alto PA-220 firewall connected through the ethernet1/1 interface using PPPoE, with IP 14.169.x.x.

Next, the ethernet1/6 port is connected to port Gi0/2 of the Cisco 2960 switch; this link is the trunk between the Palo Alto firewall and the switch.

On the Cisco 2960 switch, port 3 of VLAN 1 allocates IPs from network 172.16.20.0/24 and is connected to PC 1.

Port 1 of VLAN 20 allocates IPs from network 172.16.30.0/24 and is connected to PC 2.

Port 2 of VLAN 20 allocates IPs from network 172.16.40.0/24 and is connected to PC 3.

3. Configuration scenario

We will configure VLAN trunking on ethernet1/6 and on the Cisco switch so that PCs 1, 2 and 3, connected to the ports shown in the diagram, receive an IP from the corresponding network.

4. Configuration steps

  • Configure the IP for the ethernet1/6 port
  • Configure subinterfaces for the ethernet1/6 port
  • Create Virtual Routers
  • Create DHCP servers for ethernet1/6 and its subinterfaces
  • Configure VLAN on Cisco Switch
  • Assign ports to VLAN
  • Configure Trunking for Gi0/2 port
  • Check the result

5. Configuration

5.1. Configure IP for ethernet1/6

To configure the IP for the ethernet1/6 interface, go to Network > Interface and click on the interface name.

A configuration dialog will appear; fill it in with the following information.

Tab Config:

  • Interface Type: Layer3
  • Security Zone: LAN

Tab IPv4:

  • Type: Select Static
  • Click Add in the IP table and enter the IP of the interface, 172.16.20.1/24
  • Click OK to save.

Click Commit to save the configuration changes.

5.2. Configure subinterfaces for ethernet1/6 port

To configure subinterfaces, go to Network > Interfaces.

Select ethernet1/6 and click Add Subinterfaces.

A configuration dialog will appear; we will configure 2 VLANs with the following information:

VLAN 30 tab Config:

  • Interface Name: ethernet1/6.30
  • Tag: 30
  • Security Zone: LAN

VLAN 30 tab IPv4:

  • Type: Static
  • Click Add in the IP table and enter the IP of the subinterface, 172.16.30.1/24
  • Click OK to save.

VLAN 40 tab Config:

  • Interface Name: ethernet1/6.40
  • Tag: 40
  • Security Zone: LAN

VLAN 40 tab IPv4:

  • Type: Static
  • Click Add in the IP table and enter the IP of the subinterface, 172.16.40.1/24
  • Click OK to save.

So we have successfully created subinterfaces for port ethernet1/6.

5.3. Create Virtual Routers

To create Virtual Routers, go to Network > Virtual Routers.

Click Add and configure the following information.

Tab Router Setting:

  • In the General table, click Add and add 3 interfaces ethernet1/6, ethernet1/6.30, ethernet1/6.40.
  • Click OK to save.

Click Commit to save the configuration changes.

5.4. Create DHCP Servers for ethernet1/6 and its subinterfaces

To create a DHCP server, go to Network > DHCP.

Click Add and configure DHCP for the ethernet1/6 port with the following parameters.

Tab Lease:

  • Interface: select ethernet1/6
  • Mode: enabled
  • Lease: Unlimited
  • IP Pools: Click Add and enter the assigned IP range 172.16.20.2-172.16.20.100

Tab Options:

  • Gateway: 172.16.20.1
  • Subnet Mask: 255.255.255.0
  • Primary DNS: 8.8.8.8
  • Secondary DNS: 8.8.4.4
  • Click OK to save

Click Add and configure DHCP for the subinterface ethernet1/6.30 with the following parameters.

Tab Lease:

  • Interface: select ethernet1/6.30
  • Mode: enabled
  • Lease: Unlimited
  • IP Pools: Click Add and enter the assigned IP range 172.16.30.2-172.16.30.100

Tab Options:

  • Gateway: 172.16.30.1
  • Subnet Mask: 255.255.255.0
  • Primary DNS: 8.8.8.8
  • Secondary DNS: 8.8.4.4
  • Click OK to save

Click Add and configure DHCP for the subinterface ethernet1/6.40 with the following parameters.

Tab Lease:

  • Interface: select ethernet1/6.40
  • Mode: enabled
  • Lease: Unlimited
  • IP Pools: Click Add and enter the assigned IP range 172.16.40.2-172.16.40.100

Tab Options:

  • Gateway: 172.16.40.1
  • Subnet Mask: 255.255.255.0
  • Primary DNS: 8.8.8.8
  • Secondary DNS: 8.8.4.4
  • Click OK to save

We have now successfully configured DHCP for all three interfaces.

Click Commit to save configuration changes.
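Before committing, the addressing entered in sections 5.1 to 5.4 can be checked for consistency. The following is an added example, not part of the original article or of any Palo Alto tooling; the PLAN layout and the check_plan function are hypothetical names, and the values are copied from the steps above.

```python
import ipaddress

# Values copied from sections 5.1-5.4; the dictionary layout is this example's own.
PLAN = [
    {"name": "ethernet1/6", "tag": None, "ip": "172.16.20.1/24",
     "pool": ("172.16.20.2", "172.16.20.100"), "gateway": "172.16.20.1"},
    {"name": "ethernet1/6.30", "tag": 30, "ip": "172.16.30.1/24",
     "pool": ("172.16.30.2", "172.16.30.100"), "gateway": "172.16.30.1"},
    {"name": "ethernet1/6.40", "tag": 40, "ip": "172.16.40.1/24",
     "pool": ("172.16.40.2", "172.16.40.100"), "gateway": "172.16.40.1"},
]

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen = [], []
    for e in plan:
        iface = ipaddress.ip_interface(e["ip"])
        lo, hi = (ipaddress.ip_address(a) for a in e["pool"])
        # The article names each subinterface after its 802.1Q tag.
        if e["tag"] is not None and not e["name"].endswith(f".{e['tag']}"):
            problems.append(f"{e['name']}: name does not match tag {e['tag']}")
        # DHCP clients must be handed the firewall's own address as gateway.
        if ipaddress.ip_address(e["gateway"]) != iface.ip:
            problems.append(f"{e['name']}: gateway is not the interface IP")
        # The pool must sit inside the interface subnet and skip the gateway.
        if lo > hi or lo not in iface.network or hi not in iface.network:
            problems.append(f"{e['name']}: pool is outside {iface.network}")
        elif lo <= iface.ip <= hi:
            problems.append(f"{e['name']}: pool contains the interface address")
        # Two interfaces in one virtual router must not share a subnet.
        for other, net in seen:
            if iface.network.overlaps(net):
                problems.append(f"{e['name']}: subnet overlaps {other}")
        seen.append((e["name"], iface.network))
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```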

5.5. Configure VLAN on Switch Cisco

First, I will show you that all of the current ports are in VLAN 1.

To configure VLANs on the Cisco switch, connect to the switch with a console cable and use PuTTY to access it.

After connecting, enter config mode and type the following commands.

To create VLAN 30, type vlan 30 and press Enter; VLAN 30 has now been created. Type exit, then type vlan 40 to create VLAN 40.

To check that the VLANs were created, type the command show vlan.

5.6. Assign ports to VLAN

To assign ports to VLANs, do the following.

According to the diagram, port 3 is currently in VLAN 1, so we do not need to configure this port 3.

We will configure port 1 to vlan 30 and port 2 to vlan 40.

We will configure port 1 to vlan 30 using the following command:

  • Enter config mode and type the command interface FastEthernet0/1 to select this port
  • Type switchport access vlan 30 to assign this port to VLAN 30.

Similar to port 1, we will configure port 2 as follows.

  • Enter config mode and type the command interface FastEthernet0/2 to select this port
  • Type switchport access vlan 40 to assign this port to VLAN 40.

To check if the ports are assigned, enter the command show vlan.

5.7. Configure trunking

According to the diagram, port Gi0/2 will be the trunk port.

To configure trunking, go to config mode and enter the command interface GigabitEthernet 0/2 to select this port.

Next, enter the command switchport mode trunk to make this port a trunk port.

To check that the port is in trunking mode after configuration, enter the show running-config command.
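The show running-config check above can be automated. The following is an added example, not part of the original article: it parses a constructed running-config sample, compares the access ports and the trunk with the design in sections 5.6 and 5.7, and also reports when the trunk has no switchport trunk allowed vlan line, in which case it carries every VLAN on the switch rather than only 1, 30 and 40. The function names are this example's own.

```python
import re

# Constructed sample of `show running-config` output (not captured from a real switch).
SAMPLE = ("interface FastEthernet0/1\n switchport access vlan 30\n!\n"
          "interface FastEthernet0/2\n switchport access vlan 40\n!\n"
          "interface FastEthernet0/3\n!\n"
          "interface GigabitEthernet0/2\n switchport mode trunk\n!\n")
# Expected state taken from sections 5.6 and 5.7 of the article.
ACCESS = {"FastEthernet0/1": 30, "FastEthernet0/2": 40, "FastEthernet0/3": 1}
TRUNK, TRUNK_VLANS = "GigabitEthernet0/2", {1, 30, 40}

def parse_interfaces(cfg):
    """Map each interface name to the list of its indented sub-commands."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # "!" or any other top-level line ends the stanza
    return ifaces

def expand(vlans):
    """Turn '1,30-32' into {1, 30, 31, 32}."""
    spans = [p.partition("-") for p in vlans.split(",")]
    return {v for lo, _, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

def audit(cfg):
    """Return findings; an empty list means the config matches the design."""
    ifaces, findings = parse_interfaces(cfg), []
    for name, want in ACCESS.items():
        got = 1  # a port with no access-vlan line stays in default VLAN 1
        for cmd in ifaces.get(name, []):
            m = re.fullmatch(r"switchport access vlan (\d+)", cmd)
            got = int(m.group(1)) if m else got
        if got != want:
            findings.append(f"{name}: in VLAN {got}, expected {want}")
    trunk = ifaces.get(TRUNK, [])
    if "switchport mode trunk" not in trunk:
        findings.append(f"{TRUNK}: not in trunk mode")
    allowed = [c.rsplit(" ", 1)[1] for c in trunk
               if c.startswith("switchport trunk allowed vlan ")]
    if not allowed:
        findings.append(f"{TRUNK}: no allowed-VLAN list, trunk carries every VLAN")
    elif expand(allowed[0]) != TRUNK_VLANS:
        findings.append(f"{TRUNK}: allowed VLANs {allowed[0]}, expected 1,30,40")
    return findings
```

Run against the configuration exactly as built in this article, audit(SAMPLE) returns the single allowed-VLAN finding; adding switchport trunk allowed vlan 1,30,40 under GigabitEthernet0/2 clears it.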

5.8. Check the result

Finally, we will connect the 3 PCs 1, 2 and 3 to ports 1, 2 and 3 respectively.

PC 1, connected to port 1 in VLAN 30, received an IP in network 172.16.30.0/24 from the Palo Alto device, exactly matching the VLAN configuration we did earlier.

PC 2, connected to port 2 in VLAN 40, received an IP in network 172.16.40.0/24 from the Palo Alto device.

Finally, PC 3, connected to port 3 in VLAN 1, received an IP in network 172.16.20.0/24 from the Palo Alto device.
