How to configure the Inter-VLAN Routing model with Sophos Firewall and Cisco Switch

1.About Inter-VLAN

Inter-VLAN routing is the most common and efficient way to route between VLANs: a single trunk link between the switch and the router carries the traffic of multiple VLANs, and the router then routes that traffic between them.

With Inter-VLAN Routing, the router receives a frame from the switch with the packet coming from a tagged VLAN. It associates frames with the appropriate subinterfaces and then decodes the contents of the frame (the IP packet portion). The router then performs a Layer 3 function based on the destination network address contained in the IP packet to determine the subinterface to forward the IP packet. The IP packets are now encapsulated in dot1Q (or ISL) frames to identify the VLAN of the forwarding subinterface and travel over the trunk to the switch.

2.Diagram

Details:

We will have the following devices:

  • Palo Alto Firewall: the device that enforces the access policy, allocates DHCP addresses and terminates the VLANs.
  • Switch Core: the device that distributes the VLANs and their IP subnets down to the computers.
  • 3 devices named PC1, PC2, PC3 running Windows 7.

3.Scenario

We will configure the subinterfaces, DHCP, Virtual Router and the policy that allows communication between VLANs on the Palo Alto Firewall, and the VLANs and trunk on the switch, so that the connected computers receive the correct IP from their VLAN according to the network diagram.

4.What to do?

Palo Alto Firewall:

  • Create Address Object.
  • Create Subinterface.
  • Create DHCP for each Subinterface.
  • Create Virtual Router
  • Create Security Policy.

Switch:

  • Create VLANs and assign ports to VLANs.
  • Implement trunk port.

Result.

5.Configuration

5.1.Palo Alto Firewall

5.1.1.Create Address Objects

We will perform the definition of the subnets of each VLAN by creating an Address Object.

To create, go to Object > Addresses > click Add.

Create an Address Object for subnet 10.145.41.0/24 of VLAN 10 with the following parameters:

  • Name: VLAN10
  • Type: IP Netmask – 10.145.41.0/24
  • Click OK.

Similarly, we create Address Object for subnet 10.145.42.0/24 of VLAN 20 with the following parameters:

  • Name: VLAN20
  • Type: IP Netmask – 10.145.42.0/24
  • Click OK.

Similarly, we create Address Object for subnet 10.145.43.0/24 of VLAN 30 with the following parameters:

  • Name: VLAN30
  • Type: IP Netmask – 10.145.43.0/24
  • Click OK.

Click Commit and OK to save the configuration changes.

5.1.2.Create Subinterface.

According to the network diagram we have three VLANs (10, 20 and 30), so we need to create three subinterfaces and set their IPs according to the diagram.

On the Palo Alto firewall device, to create Subinterfaces on a physical port we need to set the IP for that physical port first.

So according to the diagram we will set IP 10.145.40.254/24 for ethernet1/2 port.

To set it up, go to Network > Interfaces > Ethernet > left-click on the name of the ethernet1/2 interface and configure it as follows.

Tab Config:

  • Interface type: Layer3
  • Security Zone: LAN

Tab IPv4:

  • Type: Static
  • Click Add and enter IP 10.145.40.254/24 according to the network diagram.
  • Click OK.

To create a Subinterface for VLAN 10 on the ethernet1/2 port, go to Network > Interfaces > Ethernet > left-click the line containing the ethernet1/2 port and click Add Subinterface:

Tab Config:

  • Interface Name: ethernet1/2.10
  • Tag: 10
  • Security Zone: LAN
  • Click OK

Tab IPv4:

  • Type: Static
  • Click Add and enter IP 10.145.41.254/24 according to the network diagram.
  • Click OK

Similarly, we also create Subinterface for VLAN 20 with the following parameters:

Tab Config:

  • Interface Name: ethernet1/2.20
  • Tag: 20
  • Security Zone: LAN
  • Click OK

Tab IPv4:

  • Type: Static
  • Click Add and enter IP 10.145.42.254/24 according to the network diagram.
  • Click OK

Similarly, we also create Subinterface for VLAN 30 with the following parameters:

Tab Config:

  • Interface Name: ethernet1/2.30
  • Tag: 30
  • Security Zone: LAN
  • Click OK

Tab IPv4:

  • Type: Static
  • Click Add and enter the IP 10.145.43.254/24 according to the network diagram.
  • Click OK

Click Commit and OK to save the configuration changes.

5.1.3.Create DHCP for each Subinterface

Next we need to create a DHCP server on each subinterface so that computers connecting to a VLAN automatically receive an IP address.

To create DHCP go to Network > DHCP > DHCP Server > Add.

Create DHCP for Subinterface ethernet1/2.10 with the following parameters:

Tab Lease:

  • Interface: ethernet1/2.10
  • Mode: enabled
  • IP POOLS: Click Add and enter the IP range that will be allocated 10.145.41.1 – 10.145.41.10

Tab Options:

  • Gateway: Enter IP of Subinterface ethernet1/2.10 port 10.145.41.254/24.
  • Subnet Mask: 255.255.255.0.
  • Click OK.

Similarly we create DHCP for Subinterface ethernet1/2.20 according to the following parameters:

Tab Lease:

  • Interface: ethernet1/2.20
  • Mode: enabled
  • IP POOLS: Click Add and enter the IP range that will be allocated 10.145.42.1 – 10.145.42.10

Tab Options:

  • Gateway: Enter the IP of Subinterface ethernet1/2.20 port 10.145.42.254/24.
  • Subnet Mask: 255.255.255.0.
  • Click OK.

Similarly we create DHCP for Subinterface ethernet1/2.30 according to the following parameters:

Tab Lease:

  • Interface: ethernet1/2.30
  • Mode: enabled
  • IP POOLS: Click Add and enter the IP range that will be allocated 10.145.43.1 – 10.145.43.10

Tab Options:

  • Gateway: Enter the IP of Subinterface ethernet1/2.30 port 10.145.43.254/24.
  • Subnet Mask: 255.255.255.0.
  • Click OK.

Click Commit and OK to save the configuration changes.
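The addressing plan above has to be internally consistent before it is committed: each gateway and each DHCP pool must fall inside its VLAN's subnet, the gateway must not sit inside the pool, and the three subnets must not overlap, or hosts will get leases they cannot route from. The following script is an added example, not part of the original walkthrough and not Palo Alto code; it transcribes the page's VLAN plan into a dictionary (the field names are my own) and checks it with Python's standard ipaddress module, offline.

```python
import ipaddress
from typing import Dict, List, Tuple

# Addressing plan transcribed from the walkthrough above (VLAN tag -> details).
# The values are the ones the page uses; nothing is read from a live firewall.
PLAN: Dict[int, dict] = {
    10: {"subnet": "10.145.41.0/24", "gateway": "10.145.41.254",
         "pool": ("10.145.41.1", "10.145.41.10"), "subinterface": "ethernet1/2.10"},
    20: {"subnet": "10.145.42.0/24", "gateway": "10.145.42.254",
         "pool": ("10.145.42.1", "10.145.42.10"), "subinterface": "ethernet1/2.20"},
    30: {"subnet": "10.145.43.0/24", "gateway": "10.145.43.254",
         "pool": ("10.145.43.1", "10.145.43.10"), "subinterface": "ethernet1/2.30"},
}


def _usable(addr: ipaddress.IPv4Address, net: ipaddress.IPv4Network) -> bool:
    """True if addr is a host address inside net (not the network or broadcast address)."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def validate_plan(plan: Dict[int, dict]) -> List[str]:
    """Return human-readable problems with the plan; an empty list means it is consistent."""
    errors: List[str] = []
    networks: List[Tuple[int, ipaddress.IPv4Network]] = []

    for tag, v in plan.items():
        if not 1 <= tag <= 4094:
            errors.append(f"VLAN {tag}: tag outside the 802.1Q range 1-4094")
        # The subinterface name must carry the same tag that is assigned to it.
        if not v["subinterface"].endswith(f".{tag}"):
            errors.append(f"VLAN {tag}: subinterface {v['subinterface']} does not end in .{tag}")

        try:
            net = ipaddress.ip_network(v["subnet"], strict=True)
        except ValueError as e:
            errors.append(f"VLAN {tag}: bad subnet {v['subnet']!r}: {e}")
            continue
        networks.append((tag, net))

        try:
            gw = ipaddress.ip_address(v["gateway"])
            start = ipaddress.ip_address(v["pool"][0])
            end = ipaddress.ip_address(v["pool"][1])
        except ValueError as e:
            errors.append(f"VLAN {tag}: unparsable address: {e}")
            continue

        if not _usable(gw, net):
            errors.append(f"VLAN {tag}: gateway {gw} is not a usable host in {net}")
        if start > end:
            errors.append(f"VLAN {tag}: pool start {start} is after pool end {end}")
        for name, addr in (("start", start), ("end", end)):
            if not _usable(addr, net):
                errors.append(f"VLAN {tag}: pool {name} {addr} is not a usable host in {net}")
        # A gateway inside the pool would eventually be leased to a client.
        if start <= gw <= end:
            errors.append(f"VLAN {tag}: gateway {gw} lies inside the DHCP pool {start}-{end}")

    # Subnets of different VLANs must not overlap, or the virtual router cannot pick a route.
    for i, (tag_a, net_a) in enumerate(networks):
        for tag_b, net_b in networks[i + 1:]:
            if net_a.overlaps(net_b):
                errors.append(f"VLAN {tag_a} and VLAN {tag_b}: subnets {net_a} and {net_b} overlap")
    return errors


if __name__ == "__main__":
    print("page plan:", validate_plan(PLAN) or "OK")
    # Constructed variant with a mistyped gateway (one digit too many), to show the check firing.
    typo = {**PLAN, 30: {**PLAN[30], "gateway": "10.145.43.3254"}}
    for problem in validate_plan(typo):
        print("typo plan:", problem)
```

Run it before clicking Commit; a one-character slip in a gateway or pool boundary is caught here, whereas on the firewall it only shows up later as clients that get a lease but cannot reach anything.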

5.1.4.Create Virtual Router

To create Virtual Router we go to Network> Virtual Routers> click Add.

Create a Virtual Router with the following parameters:

  • Name: VR1
  • At the INTERFACES panel, click Add and add the 3 Subinterfaces: ethernet1/2.10, ethernet1/2.20 and ethernet1/2.30.
  • Click OK.

5.1.5.Create Security Policy

In order for computers of different interfaces to communicate with each other, we need to create a policy that allows this to happen.

To create, go to Policies > Security > click Add and create with the following parameters.

5.2.Switch

5.2.1.Create VLANs and assign ports to VLANs

We will create VLAN 10, 20, 30 and assign the ports to the correct VLAN according to the network diagram.

Create VLAN 10 and assign port Gi0/1 with the following command.

Switch(config)#vlan 10
Switch(config-vlan)#exit
Switch(config)#interface gigabitEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#no shutdown

Similarly, create VLAN 20 and assign port Gi0/2 with the following command.

Switch(config)#vlan 20
Switch(config-vlan)#interface gigabitEthernet 0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#no shutdown

Similarly create VLAN 30 and assign port Gi0/3 with the following command.

Switch(config)#vlan 30
Switch(config-vlan)#exit
Switch(config)#interface gigabitEthernet 0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30
Switch(config-if)#no shutdown

5.2.2.Implement trunk port

We will configure the Gi0/0 port, which connects to the firewall's ethernet1/2, as an 802.1Q trunk with the following command.

Switch(config)#interface gigabitEthernet 0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#no shutdown
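Once the switch side is done, the running configuration should match the plan exactly: every access port forced to access mode and in a VLAN that is actually declared, and the uplink trunking with dot1q so that the firewall's tagged subinterfaces are understood. The following script is an added example, not from the original walkthrough and not Cisco tooling; it parses a constructed IOS-style config excerpt that mirrors the commands in section 5.2 (sample input, not output captured from a real switch) and reports deviations from the port-to-VLAN plan, which is the check you would run after `show running-config`.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed running-config excerpt mirroring section 5.2 of the walkthrough.
SAMPLE_CONFIG = """\
vlan 10
!
vlan 20
!
vlan 30
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 30
!
"""

# Port-to-VLAN plan from the network diagram (names are the IOS long forms of Gi0/x).
EXPECTED_ACCESS = {"GigabitEthernet0/1": 10, "GigabitEthernet0/2": 20, "GigabitEthernet0/3": 30}
EXPECTED_TRUNK = "GigabitEthernet0/0"


def parse_config(text: str) -> Tuple[Set[int], Dict[str, List[str]]]:
    """Split an IOS-style config into declared VLAN ids and per-interface command lists."""
    vlans: Set[int] = set()
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # '!' ends a configuration block
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m and current is None:
            vlans.add(int(m.group(1)))
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return vlans, interfaces


def audit(text: str, expected_access: Dict[str, int], expected_trunk: str) -> List[str]:
    """Compare a config against the plan; an empty list means the switch matches it."""
    findings: List[str] = []
    vlans, interfaces = parse_config(text)

    for port, vlan in expected_access.items():
        cmds = interfaces.get(port, [])
        if "switchport mode access" not in cmds:
            findings.append(f"{port}: not forced to access mode")
        assigned = [c for c in cmds if c.startswith("switchport access vlan ")]
        got = int(assigned[-1].split()[-1]) if assigned else None
        if got != vlan:
            findings.append(f"{port}: access VLAN is {got}, plan says {vlan}")
        elif vlan not in vlans:
            findings.append(f"{port}: VLAN {vlan} is not declared with 'vlan {vlan}'")

    trunk = interfaces.get(expected_trunk, [])
    if "switchport mode trunk" not in trunk:
        findings.append(f"{expected_trunk}: not configured as a trunk")
    if "switchport trunk encapsulation dot1q" not in trunk:
        findings.append(f"{expected_trunk}: trunk encapsulation is not dot1q")

    # Anything configured that the plan does not mention deserves a look too.
    for port in interfaces:
        if port not in expected_access and port != expected_trunk:
            findings.append(f"{port}: present in config but not in the plan")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, EXPECTED_ACCESS, EXPECTED_TRUNK) or "switch matches the plan")
```

Keeping the plan in one place and diffing the switch against it is what turns "PC 3 gets no lease" from a guessing game into a one-line finding such as a port left in the wrong VLAN or a VLAN that was never declared.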

5.3.Result.

PC 1 received the IP from the DHCP Pool of VLAN 10.

Similarly, PC 2 and PC 3 also receive IPs from the DHCP Pool of VLAN 20 and VLAN 30.

We will test the communication between VLANs by pinging between computers PC 1, PC 2 and PC 3.

Ping result from PC 3 to PC 2.

Ping result from PC 1 to PC 2.

Ping result from PC 1 to PC 3.

The results show that computers in different VLANs can communicate with each other.
