Layer 2 Networking. Overview. VLANs. Tech Note

Transcription

1 Layer 2 Networking Tech Note Overview PAN-OS is very flexible, allowing administrators to mix and match physical firewall interfaces amongst virtual wire, layer 2, layer 3, and tap mode configurations. This document explains PAN-OS layer 2 and VLAN concepts, showing examples of connecting a VLAN with Layer 2 interfaces to a Layer 3 interface for connectivity off of the VLAN network. VLANs While physical interfaces can be configured as Layer 2 interfaces, a single Layer 2 interface by itself is not very interesting. Usually, at least two Layer 2 interfaces are assigned to the same VLAN, enabling connectivity between the two ports. The diagram to the right shows a very simple VLAN, with both Ethernet interfaces assigned to the same security zone. This simple network is unable to connect to other networks through the PA-series firewall, as there is no connectivity between the VLAN (dmzvlan) and any Layer 3 interfaces. For devices on our simple VLAN to access other networks, there must exist either a router elsewhere on the VLAN, or the PA-series firewall must also be configured to allow connectivity from the VLAN to other networks on the firewall. Layer 2 Networking Tech Note rev00a 3/09 1

2 Creating VLANs At a minimum, a Layer 2 interface must be in a VLAN to pass traffic. To create a VLAN, navigate to Network Interface. The VLAN can be created either from the menu on the left under VLAN (as in the screenshot to the right) or by selecting or creating a Layer 2 interface and following the options to associate or create a VLAN from the Layer 2 interface configuration. Once New has been selected to create a new VLAN, a configuration screen like below will appear. Give the VLAN a name, select any already defined Layer 2 interface to add to the VLAN, select a VLAN interface is one has already been defined, and check the box if Layer 3 forwarding will be used. Layer 2 Networking Tech Note rev00a 3/09 2

3 VLAN Interfaces To configure connectivity on the PA-series firewall between the VLAN and other networks, a VLAN interface must be created. This is not a physical interface. It is a construct used to add a Layer 3-type interface to a Layer 2 VLAN. VLAN interfaces operate at Layer 3, not Layer 2. As such, the VLAN interface will have a different zone than the physical Layer 2 interfaces. A default VLAN interface exists, called vlan. Any new VLAN interfaces created will be named vlan.x, where X is an integer greater than zero. The default VLAN interface, as seen in the screenshot below named vlan, cannot be used until it has been assigned to a Virtual Router, assigned to a VLAN, and placed in a Security. The error message below appears when the warning sign to the left of the vlan interface is selected. Creating a VLAN Interface To create a new VLAN interface, in Network Interfaces, select New at the bottom of the window. Select VLAN Interface, as in the screenshot below. Layer 2 Networking Tech Note rev00a 3/09 3

4 As in the screenshot below, configure the VLAN interface by: completing the VLAN interface name add in an IP address to serve as a gateway address for other devices on the VLAN assign the interface to a virtual router VLAN Layer 3 zone Once created, the VLAN appears in the list of interfaces in the web management GUI under Network Interfaces. Our simple network will look like the diagram to the right once the VLAN interface has been added. Layer 2 Networking Tech Note rev00a 3/09 4

5 VLAN Routing PA-series firewalls enable connectivity between Layer 2 interfaces and Layer 3 interfaces with the use of a VLAN interface and Virtual Router. A VLAN interface must be created and assigned to the same VLAN as the Layer 2 interfaces that require connectivity. In the graphic to the right, the vlan.1 VLAN interface is assigned to the dmz-vlan VLAN. VLAN interfaces are assigned to a different zone than the Layer 2 interfaces, as a VLAN interface can only use Layer 3 security zones. In the case below, the VLAN interface has been assigned to the DMZ-L3 zone. A default route exists for the devices on the VLAN to forward network traffic to once a VLAN interface exists on the VLAN, has an IP address, and has been attached to a Virtual Router. Adding a Virtual Router and attaching the VLAN interface to it allows the VLAN to interoperate with other networks. The graphic above shows the Virtual Router VR1. Creating A Virtual Router To create a Virtual Router, navigate to Network Interface. The Virtual Router can be created either from the menu on the left under Virtual Router or by selecting or creating a Layer 3 interface and following the options to associate or create a Virtual Router from the Layer 3 interface configuration. Once New has been selected to create a new Virtual Router, a configuration screen like the one to the left will appear. Give the Virtual Router a name and select any already defined Layer 3 or VLAN interfaces to add them to the Virtual Router. Optionally, fill in any extra routing information. Layer 2 Networking Tech Note rev00a 3/09 5

6 Security s One of the unique characteristics of traffic flowing through a Layer 2 interfaces is that the traffic can have a different security zone apply - either the traffic stays on the same VLAN, where the Layer 2 zone applies, or the traffic leaves the VLAN and the Layer 3 zone applies. In fact, as the diagram below shows, Layer 2 interfaces can be setup with no Layer 2 security zones defined; a single Layer 2 security zone for an entire VLAN; or multiple Layer 2 security zones within the same VLAN. While it is possible to define a Layer 2 VLAN network without any Layer 2 s, no traffic will flow between the Layer 2 interfaces on the same VLAN. The only reachable host from the Layer 2 interface will be the VLAN interface, enabling connectivity to other networks. Single versus Multiple Layer 2 s Typically, writing policy between two hosts on the same network is the driving force behind Layer 2 interface creation. In the example used so far, a DMZ network exists with both a webserver and a mail server. They can be in the same or different Layer 2 zone - as long as the servers connect through different physical interfaces, policy can be written to control communication between the two servers. Layer 2 Networking Tech Note rev00a 3/09 6

7 Using multiple zones on the same VLAN enables clear policy rules. However, keep in mind the different implicit rules that go into effect when writing rules where the source and destination zone are the same versus when the source and destination zone are different. The table below summarizes the differences between the number of Layer 2 zones used. and Destination L2 No Layer 2 zone exists Same Different Implicit Trailing Rule Not applicable, as no traffic passes between Layer 2 interfaces on the same VLAN Deny Use Case VLAN where individual hosts have no connectivity to each other VLAN with a handful of denied traffic between hosts VLAN with a handful of allowed traffic between hosts Traffic within the same VLAN and same Layer 2 security zone is allowed by default, whereas traffic between Layer 2 zones on the same VLAN is denied. The following security rules include the implicit trailing rule in italics to show that the rule will be in effect. This action is always present in the rulebase. If no other rules are matched for traffic, the implicit rule will match. Keep in mind that this implicit rule is not visible in the management interface. If no Layer 2 security zone exists, no security rules can be written for for traffic between hosts on the VLAN. As an example, the security rules below show the two different ways to write rules with either one or two Layer 2 security zones. A webserver can send out via SMTP through the Mail Server. No other communication is allowed between the two servers. When the servers are in the same Layer 2 DMZ - in the diagram on the previous page - the rule must specify the IP addresses in question AND include a deny rule to block all other traffic. Security Rule - Policy within a single VLAN, single zone Comment Destination Addr. Destination Addr Application Action Webserver sends Deny all other intrazone DMZ traffic implicit, DMZ intrazone rule DMZ DMZ SMTP DMZ DMZ any any any Deny DMZ DMZ any any any Layer 2 Networking Tech Note rev00a 3/09 7

8 However, realizing the different security postures of the two interfaces and the required communication between the Layer 2 interfaces, the rule below can be used. It is no longer necessary to enumerate specific hosts and addresses for intra-vlan traffic, nor is a rule required to block all other traffic, as the implicit rule does this already. Security Rule - Policy within a single VLAN, multiple zones Comment Destination Addr. Destination Addr Application Action Webserver sends DMZ-Web DMZ-Mail any any SMTP implicit rule DMZ-Web DMZ-Mail any any any Deny Interface Types Policy rules always specify source and destination zones of the same type. Rules specifying Layer 2 zones only pass packets within the same VLAN. Rules specifying Layer 3 zones pass packets between networks. Neither Virtual Wire nor Layer 2 interfaces support NAT. Layer 3 interfaces - physical or virtual - must be used to facilitate NAT. When traffic originates from or terminates to a Layer 2 interface, policy rules will include the Layer 2 zone when the communication is intra-vlan traffic. If the communication is between another network, the Layer 3 zone for the Virtual VLAN interface on the same VLAN is used. Interface Type NAT Support Tap Tap No VWire VWire No Layer 2 Layer 2 No Layer 3 VLAN Layer 3 Yes In the diagram at the top of the next page, the dotted line marked with a represents a connection that originates on a Layer 2 interface, but since the destination is not in the VLAN, the source zone is the first Layer 3 zone the packet passes through. In this case, the source zone will be the DMZ-L3 zone and the destination zone is the Untrust zone. Layer 2 Networking Tech Note rev00a 3/09 8

9 Putting It All Together To enable connectivity to the Internet in the example used so far, assign the Layer 3 interface (connected to the upstream network towards the Internet) to the Virtual Router. Finally, add NAT rules to for inbound and outbound communication. NAT Rules The NAT rules below enable static NAT for inbound web and mail traffic, along with outbound static NAT for outbound mail. Notice the use of the DMZ-L3 zone instead of the DMZ-Mail Layer 2 zone. Since the mail connections will traverse layer 3 networks, Layer 3 zones are used. NAT Rules Comment Dest. Addr Dest. Addr Service Translated Translated Dest Outbound mail relaying Inbound SMTP Inbound Web DMZ-L3 Untrust Any SMTP None Untrust Untrust Any SMTP Any Untrust Untrust Any HTTP Any Layer 2 Networking Tech Note rev00a 3/09 9

10 Security Rules As with the NAT rules, the Layer 3 zone DMZ-L3 is used instead of the Layer 2 zones. Security Rule Comment Dest. Addr Dest. Addr Application Service Action outbound mail relaying inbound mail DMZ-L3 Untrust Any SMTP application -default Untrust DMZ-L3 Any SMTP application -default inbound web Untrust DMZ-L3 Any W e b - browsing application -default The diagram below represents the final version of our Layer 2 and Layer 3 network. Layer 2 Networking Tech Note rev00a 3/09 10

11 Layer 2 Networking Checklist As a reminder, the following items will need to be checked or configured to enable Layer 2 interfaces to connect to other networks in addition to any other required PAN-OS configuration. Define: at least two Layer 2 interfaces at least one Layer 2 Security (for any intra-vlan traffic) a VLAN a VLAN interface a Virtual Router at least one Layer 3 interface Attach: the Layer 2 interfaces and the VLAN interface to the VLAN the VLAN interface and the Layer 3 interface to the Virtual Router Key Points to Remember Layer 2 interfaces must be added to a VLAN to pass traffic No VLANs exist by default. At least one must be created if any Layer 2 interfaces are used A Layer 2 zone is only required for a Layer 2 interface if intra-vlan traffic is needed Layer 2 zones are only used for intra-vlan communication Layer 3 zones are used for communication between networks A default VLAN interface exists, called vlan A VLAN interface must be attached to a VLAN to allow connectivity to other networks No Virtual Routers exist by default. One must be created to connect a Layer 2 VLAN to other networks The default implicit action is when source and destination are in the same zone The default implicit action is Deny when source and destination are in different zones Layer 2 Networking Tech Note rev00a 3/09 11