Layer 2 Networking. Overview. VLANs. Tech Note


Layer 2 Networking Tech Note (rev00a, 3/09)

Overview

PAN-OS is very flexible, allowing administrators to mix and match physical firewall interfaces among virtual wire, Layer 2, Layer 3, and tap mode configurations. This document explains PAN-OS Layer 2 and VLAN concepts, with examples of connecting a VLAN of Layer 2 interfaces to a Layer 3 interface so that traffic can reach networks off the VLAN.

VLANs

While physical interfaces can be configured as Layer 2 interfaces, a single Layer 2 interface by itself is not very useful. Usually at least two Layer 2 interfaces are assigned to the same VLAN, enabling connectivity between the two ports. The accompanying diagram shows a very simple VLAN, with both Ethernet interfaces assigned to the same security zone. This simple network cannot connect to other networks through the PA-series firewall, because there is no connectivity between the VLAN (dmzvlan) and any Layer 3 interface. For devices on this simple VLAN to reach other networks, either a router must exist elsewhere on the VLAN, or the PA-series firewall must also be configured to allow connectivity from the VLAN to the other networks on the firewall.

Creating VLANs

At a minimum, a Layer 2 interface must be in a VLAN to pass traffic. To create a VLAN, navigate to Network > Interface. The VLAN can be created either from the menu on the left under VLAN, or by selecting or creating a Layer 2 interface and following the options to associate or create a VLAN from the Layer 2 interface configuration. Once New has been selected to create a new VLAN, a configuration screen appears. Give the VLAN a name, select any already defined Layer 2 interfaces to add to the VLAN, select a VLAN interface if one has already been defined, and check the box if Layer 3 forwarding will be used.

VLAN Interfaces

To configure connectivity on the PA-series firewall between the VLAN and other networks, a VLAN interface must be created. This is not a physical interface; it is a construct that adds a Layer 3-type interface to a Layer 2 VLAN. VLAN interfaces operate at Layer 3, not Layer 2, so a VLAN interface is placed in a different zone than the physical Layer 2 interfaces. A default VLAN interface exists, called vlan. Any new VLAN interface is named vlan.x, where x is an integer greater than zero. The default VLAN interface, vlan, cannot be used until it has been assigned to a Virtual Router, assigned to a VLAN, and placed in a Security Zone; this is the error message shown when the warning sign next to the vlan interface is selected.

Creating a VLAN Interface

To create a new VLAN interface, go to Network > Interfaces, select New at the bottom of the window, and then select VLAN Interface.

Configure the VLAN interface by:
- completing the VLAN interface name
- adding an IP address, which serves as the gateway address for the other devices on the VLAN
- assigning the interface to a Virtual Router
- assigning the interface to a VLAN
- placing the interface in a Layer 3 zone

Once created, the VLAN interface appears in the list of interfaces in the web management GUI under Network > Interfaces. With the VLAN interface added, the simple network now has a Layer 3 attachment point for traffic leaving the VLAN.

VLAN Routing

PA-series firewalls enable connectivity between Layer 2 interfaces and Layer 3 interfaces through a VLAN interface and a Virtual Router. A VLAN interface must be created and assigned to the same VLAN as the Layer 2 interfaces that require connectivity. In the example, the vlan.1 VLAN interface is assigned to the dmz-vlan VLAN. VLAN interfaces are assigned to a different zone than the Layer 2 interfaces, since a VLAN interface can only use Layer 3 security zones; here the VLAN interface is in the DMZ-L3 zone. Once a VLAN interface exists on the VLAN, has an IP address, and has been attached to a Virtual Router, the devices on the VLAN have a default route target to forward their traffic to. Adding a Virtual Router and attaching the VLAN interface to it allows the VLAN to interoperate with other networks. In the example, the Virtual Router is VR1.

Creating a Virtual Router

To create a Virtual Router, navigate to Network > Interface. The Virtual Router can be created either from the menu on the left under Virtual Router, or by selecting or creating a Layer 3 interface and following the options to associate or create a Virtual Router from the Layer 3 interface configuration. Once New has been selected to create a new Virtual Router, a configuration screen appears. Give the Virtual Router a name and select any already defined Layer 3 or VLAN interfaces to add them to the Virtual Router. Optionally, fill in any additional routing information.

Security Zones

One of the unique characteristics of traffic flowing through Layer 2 interfaces is that different security zones can apply: either the traffic stays on the same VLAN, where the Layer 2 zone applies, or the traffic leaves the VLAN and the Layer 3 zone applies. Layer 2 interfaces can be set up with no Layer 2 security zones defined, with a single Layer 2 security zone for an entire VLAN, or with multiple Layer 2 security zones within the same VLAN. While it is possible to define a Layer 2 VLAN network without any Layer 2 zones, no traffic will then flow between the Layer 2 interfaces on the same VLAN; the only host reachable from a Layer 2 interface is the VLAN interface, which provides connectivity to other networks.

Single versus Multiple Layer 2 Zones

Typically, the need to write policy between two hosts on the same network is the driving force behind Layer 2 interface creation. In the example used so far, a DMZ network contains both a web server and a mail server. They can be in the same or different Layer 2 zones; as long as the servers connect through different physical interfaces, policy can be written to control communication between the two servers.

Using multiple zones on the same VLAN makes for clear policy rules. However, keep in mind the different implicit rules that take effect when the source and destination zone are the same versus when they are different. The table below summarizes the differences by the number of Layer 2 zones used.

| Source and Destination L2 Zone | Implicit Trailing Rule | Use Case |
|---|---|---|
| No Layer 2 zone exists | Not applicable, as no traffic passes between Layer 2 interfaces on the same VLAN | VLAN where individual hosts have no connectivity to each other |
| Same | Allow | VLAN with a handful of denied traffic between hosts |
| Different | Deny | VLAN with a handful of allowed traffic between hosts |

Traffic within the same VLAN and same Layer 2 security zone is allowed by default, whereas traffic between Layer 2 zones on the same VLAN is denied. The security rules that follow list the implicit trailing rule (marked "implicit") to show that it is in effect. This rule is always present in the rulebase: if no other rule matches the traffic, the implicit rule matches. Keep in mind that the implicit rule is not visible in the management interface. If no Layer 2 security zone exists, no security rules can be written for traffic between hosts on the VLAN.

As an example, the rules below show the two ways to write policy with either one or two Layer 2 security zones. The web server may send email out via SMTP through the mail server; no other communication is allowed between the two servers. When both servers are in the same Layer 2 zone (DMZ), the rule must specify the IP addresses in question AND a deny rule must follow it to block all other traffic.

Security Rule - Policy within a single VLAN, single zone

| Comment | Source Zone | Destination Zone | Source Addr. | Destination Addr. | Application | Action |
|---|---|---|---|---|---|---|
| Webserver sends email | DMZ | DMZ | 192.168.1.2 | 192.168.1.3 | SMTP | Allow |
| Deny all other intrazone DMZ traffic | DMZ | DMZ | any | any | any | Deny |
| implicit DMZ intrazone rule | DMZ | DMZ | any | any | any | Allow |

However, recognizing the different security postures of the two servers and the required communication between the Layer 2 interfaces, the rule below can be used instead. It is no longer necessary to enumerate specific hosts and addresses for intra-VLAN traffic, nor is a rule required to block all other traffic, as the implicit rule already does this.

Security Rule - Policy within a single VLAN, multiple zones

| Comment | Source Zone | Destination Zone | Source Addr. | Destination Addr. | Application | Action |
|---|---|---|---|---|---|---|
| Webserver sends email | DMZ-Web | DMZ-Mail | any | any | SMTP | Allow |
| implicit rule | DMZ-Web | DMZ-Mail | any | any | any | Deny |

Interface Types

Policy rules always specify source and destination zones of the same type. Rules specifying Layer 2 zones only pass packets within the same VLAN; rules specifying Layer 3 zones pass packets between networks. Neither Virtual Wire nor Layer 2 interfaces support NAT; Layer 3 interfaces, physical or VLAN, must be used for NAT. When traffic originates from or terminates on a Layer 2 interface, policy rules use the Layer 2 zone when the communication is intra-VLAN. If the communication is with another network, the Layer 3 zone of the VLAN interface on the same VLAN is used.

| Interface Type | Zone Type | NAT Support |
|---|---|---|
| Tap | Tap | No |
| VWire | VWire | No |
| Layer 2 | Layer 2 | No |
| Layer 3, VLAN | Layer 3 | Yes |

In the diagram that follows, the dotted line represents a connection that originates on a Layer 2 interface; since the destination is not in the VLAN, the source zone is the first Layer 3 zone the packet passes through. In this case the source zone is DMZ-L3 and the destination zone is Untrust.

Putting It All Together

To enable connectivity to the Internet in the example used so far, assign the Layer 3 interface (connected to the upstream network towards the Internet) to the Virtual Router. Finally, add NAT rules for inbound and outbound communication.

NAT Rules

The NAT rules below enable static NAT for inbound web and mail traffic, along with outbound static NAT for outbound mail. Notice the use of the DMZ-L3 zone instead of the DMZ-Mail Layer 2 zone: since the mail connections traverse Layer 3 networks, Layer 3 zones are used.

| Comment | Source Zone | Dest. Zone | Source Addr. | Dest. Addr. | Service | Translated Source | Translated Dest. |
|---|---|---|---|---|---|---|---|
| Outbound mail relaying | DMZ-L3 | Untrust | 192.168.1.3 | Any | SMTP | 128.61.255.3 | None |
| Inbound SMTP | Untrust | Untrust | Any | 128.62.255.3 | SMTP | Any | 192.168.1.3 |
| Inbound Web | Untrust | Untrust | Any | 128.62.255.2 | HTTP | Any | 192.168.1.2 |

Security Rules

As with the NAT rules, the Layer 3 zone DMZ-L3 is used instead of the Layer 2 zones.

| Comment | Source Zone | Dest. Zone | Source Addr. | Dest. Addr. | Application | Service | Action |
|---|---|---|---|---|---|---|---|
| outbound mail relaying | DMZ-L3 | Untrust | 192.168.1.3 | Any | SMTP | application-default | Allow |
| inbound mail | Untrust | DMZ-L3 | Any | 128.62.255.3 | SMTP | application-default | Allow |
| inbound web | Untrust | DMZ-L3 | Any | 128.62.255.2 | web-browsing | application-default | Allow |

The accompanying diagram shows the final version of this Layer 2 and Layer 3 network.
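The zone selection and implicit trailing rule from the Security Zones and Interface Types sections, together with the NAT and security rules just listed, modelled as an added Python example. This is not code from the tech note or from Palo Alto Networks. It uses the zones, addresses and rules from the note's tables and assumes constructed interface names (ethernet1/3 for the web server, ethernet1/4 for the mail server), a constructed Internet host (203.0.113.10), and a simplified view of inbound NAT in which the security rule matches the original public destination address while the destination zone is taken from the translated address, as the inbound rows of the two tables show.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Topology from the tech note: the dmz-vlan VLAN (192.168.1.0/24) reached
# through vlan.1 in zone DMZ-L3. Interface names are assumptions for this example.
DMZ_VLAN = ip_network("192.168.1.0/24")
VLAN_IF_ZONE = "DMZ-L3"
HOST_IFACE = {"192.168.1.2": "ethernet1/3",   # web server  (assumed interface name)
              "192.168.1.3": "ethernet1/4"}   # mail server (assumed interface name)
# Destination NAT from the NAT rules table: public address -> DMZ host
PUBLIC_TO_DMZ = {"128.62.255.2": "192.168.1.2", "128.62.255.3": "192.168.1.3"}


@dataclass(frozen=True)
class Rule:
    comment: str
    src_zone: str
    dst_zone: str
    src_addr: str    # "any" or a single IP
    dst_addr: str
    app: str         # "any" or an application name
    action: str      # "allow" or "deny"


def l3_zone(ip):
    """Layer 3 zone of an address: DMZ-L3 behind vlan.1, Untrust everywhere else."""
    return VLAN_IF_ZONE if ip_address(ip) in DMZ_VLAN else "Untrust"


def resolve_zones(src_ip, dst_ip, l2_zones):
    """Return (source zone, destination zone, translated destination).

    l2_zones maps a Layer 2 interface to its Layer 2 zone; an interface with
    no zone yields None. Inbound destination NAT is applied first, so the
    destination zone is the zone where the translated address lives.
    """
    translated = PUBLIC_TO_DMZ.get(dst_ip, dst_ip)
    src_in = ip_address(src_ip) in DMZ_VLAN
    dst_in = ip_address(translated) in DMZ_VLAN
    if src_in and dst_in:
        # Intra-VLAN traffic: the Layer 2 zones of the two physical ports apply
        return (l2_zones.get(HOST_IFACE.get(src_ip)),
                l2_zones.get(HOST_IFACE.get(translated)), translated)
    # Traffic leaving or entering the VLAN: the Layer 3 zones apply
    return l3_zone(src_ip), l3_zone(translated), translated


def matches(rule, src_zone, dst_zone, src_ip, dst_ip, app):
    """The security rule is matched on the original (pre-NAT) destination address."""
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and rule.src_addr in ("any", src_ip)
            and rule.dst_addr in ("any", dst_ip)
            and rule.app in ("any", app))


def decide(rules, l2_zones, src_ip, dst_ip, app):
    """Walk the rulebase top-down; fall through to the implicit trailing rule."""
    src_zone, dst_zone, _ = resolve_zones(src_ip, dst_ip, l2_zones)
    if src_zone is None or dst_zone is None:
        return "deny", "no Layer 2 zone: no traffic passes between Layer 2 interfaces"
    for rule in rules:
        if matches(rule, src_zone, dst_zone, src_ip, dst_ip, app):
            return rule.action, rule.comment
    if src_zone == dst_zone:
        return "allow", "implicit intrazone rule"
    return "deny", "implicit interzone rule"


# Single Layer 2 zone: intrazone traffic is implicitly allowed, so the explicit
# deny rule after the SMTP rule is what actually blocks everything else.
SINGLE_ZONE = {"ethernet1/3": "DMZ", "ethernet1/4": "DMZ"}
SINGLE_ZONE_RULES = [
    Rule("Webserver sends email", "DMZ", "DMZ", "192.168.1.2", "192.168.1.3", "smtp", "allow"),
    Rule("Deny all other intrazone DMZ traffic", "DMZ", "DMZ", "any", "any", "any", "deny"),
]
# Two Layer 2 zones: interzone traffic is implicitly denied, so one allow rule suffices.
MULTI_ZONE = {"ethernet1/3": "DMZ-Web", "ethernet1/4": "DMZ-Mail"}
MULTI_ZONE_RULES = [
    Rule("Webserver sends email", "DMZ-Web", "DMZ-Mail", "any", "any", "smtp", "allow"),
]
# Layer 3 rules from the Security Rules table; the inbound rules name the public addresses.
L3_RULES = [
    Rule("outbound mail relaying", "DMZ-L3", "Untrust", "192.168.1.3", "any", "smtp", "allow"),
    Rule("inbound mail", "Untrust", "DMZ-L3", "any", "128.62.255.3", "smtp", "allow"),
    Rule("inbound web", "Untrust", "DMZ-L3", "any", "128.62.255.2", "web-browsing", "allow"),
]

if __name__ == "__main__":
    internet = "203.0.113.10"   # constructed Internet host
    flows = [
        ("single zone, web->mail smtp", SINGLE_ZONE_RULES, SINGLE_ZONE, ("192.168.1.2", "192.168.1.3", "smtp")),
        ("single zone, mail->web ssh", SINGLE_ZONE_RULES, SINGLE_ZONE, ("192.168.1.3", "192.168.1.2", "ssh")),
        ("single zone without deny rule", SINGLE_ZONE_RULES[:1], SINGLE_ZONE, ("192.168.1.3", "192.168.1.2", "ssh")),
        ("multi zone, mail->web smtp", MULTI_ZONE_RULES, MULTI_ZONE, ("192.168.1.3", "192.168.1.2", "smtp")),
        ("no L2 zone, web->mail smtp", MULTI_ZONE_RULES, {}, ("192.168.1.2", "192.168.1.3", "smtp")),
        ("L3, web server -> Internet smtp", L3_RULES, MULTI_ZONE, ("192.168.1.2", internet, "smtp")),
        ("L3, Internet -> public web address", L3_RULES, MULTI_ZONE, (internet, "128.62.255.2", "web-browsing")),
    ]
    for label, rules, zones, flow in flows:
        print(f"{label:38} -> {decide(rules, zones, *flow)}")
```

Running the script prints one decision per flow; the third line is the one worth studying, since it shows that dropping the explicit deny rule in the single-zone design silently turns all other intra-VLAN traffic into an implicit allow, whereas the two-zone design fails closed.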

Layer 2 Networking Checklist

As a reminder, the following items need to be checked or configured to let Layer 2 interfaces connect to other networks, in addition to any other required PAN-OS configuration.

Define:
- at least two Layer 2 interfaces
- at least one Layer 2 Security Zone (for any intra-VLAN traffic)
- a VLAN
- a VLAN interface
- a Virtual Router
- at least one Layer 3 interface

Attach:
- the Layer 2 interfaces and the VLAN interface to the VLAN
- the VLAN interface and the Layer 3 interface to the Virtual Router

Key Points to Remember
- Layer 2 interfaces must be added to a VLAN to pass traffic.
- No VLANs exist by default; at least one must be created if any Layer 2 interfaces are used.
- A Layer 2 zone is only required for a Layer 2 interface if intra-VLAN traffic is needed.
- Layer 2 zones are only used for intra-VLAN communication; Layer 3 zones are used for communication between networks.
- A default VLAN interface exists, called vlan.
- A VLAN interface must be attached to a VLAN to allow connectivity to other networks.
- No Virtual Routers exist by default; one must be created to connect a Layer 2 VLAN to other networks.
- The default implicit action is Allow when source and destination are in the same zone, and Deny when they are in different zones.
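The checklist above turned into an executable lint, added here as an example that is not code from the tech note or from Palo Alto Networks. It takes a simplified description of the firewall's network objects and reports every relationship from the checklist that is missing, including the three conditions behind the warning on the default vlan interface. The Config structure, the interface names and the vlan.1 address 192.168.1.1/24 are assumptions; the conditions checked are the ones the note states.

```python
from dataclasses import dataclass, field


@dataclass
class VlanInterface:
    vlan: str = None     # VLAN it is attached to
    ip: str = None       # gateway address for hosts on the VLAN
    vr: str = None       # Virtual Router it is attached to
    zone: str = None     # Layer 3 security zone


@dataclass
class Config:
    """Simplified view of the objects the tech note works with (assumed structure)."""
    vlans: set = field(default_factory=set)
    virtual_routers: set = field(default_factory=set)
    l2_interfaces: dict = field(default_factory=dict)    # iface -> VLAN name or None
    l2_zones: dict = field(default_factory=dict)         # iface -> Layer 2 zone
    l3_interfaces: dict = field(default_factory=dict)    # iface -> Virtual Router or None
    vlan_interfaces: dict = field(default_factory=dict)  # "vlan.1" -> VlanInterface


def lint(cfg):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    findings = []
    if not cfg.vlans:
        findings.append("no VLAN exists; Layer 2 interfaces cannot pass traffic")
    if not cfg.virtual_routers:
        findings.append("no Virtual Router exists; the VLAN cannot reach other networks")
    for iface, vlan in cfg.l2_interfaces.items():
        if vlan not in cfg.vlans:
            findings.append(f"{iface}: Layer 2 interface is not in a VLAN")
    for vlan in sorted(cfg.vlans):
        members = [i for i, v in cfg.l2_interfaces.items() if v == vlan]
        if len(members) < 2:
            findings.append(f"{vlan}: fewer than two Layer 2 interfaces")
        if not any(cfg.l2_zones.get(i) for i in members):
            findings.append(f"{vlan}: no Layer 2 zone, so no intra-VLAN traffic will flow")
        if not any(v.vlan == vlan for v in cfg.vlan_interfaces.values()):
            findings.append(f"{vlan}: no VLAN interface, so no path to other networks")
    for name, vif in cfg.vlan_interfaces.items():
        # The three conditions behind the warning on the default 'vlan' interface
        if vif.vr not in cfg.virtual_routers:
            findings.append(f"{name}: not assigned to a Virtual Router")
        if vif.vlan not in cfg.vlans:
            findings.append(f"{name}: not assigned to a VLAN")
        if not vif.zone:
            findings.append(f"{name}: not placed in a Security Zone")
        if not vif.ip:
            findings.append(f"{name}: has no IP address to act as gateway for the VLAN")
    for vr in sorted(cfg.virtual_routers):
        if vr not in cfg.l3_interfaces.values():
            findings.append(f"{vr}: no Layer 3 interface attached")
        if not any(v.vr == vr for v in cfg.vlan_interfaces.values()):
            findings.append(f"{vr}: no VLAN interface attached")
    return findings


# The completed example from the tech note (interface names and vlan.1 address assumed)
FINAL = Config(
    vlans={"dmz-vlan"},
    virtual_routers={"VR1"},
    l2_interfaces={"ethernet1/3": "dmz-vlan", "ethernet1/4": "dmz-vlan"},
    l2_zones={"ethernet1/3": "DMZ-Web", "ethernet1/4": "DMZ-Mail"},
    l3_interfaces={"ethernet1/1": "VR1"},
    vlan_interfaces={"vlan.1": VlanInterface("dmz-vlan", "192.168.1.1/24", "VR1", "DMZ-L3")},
)
# Factory state: only the unattached default 'vlan' interface exists
DEFAULTS = Config(vlan_interfaces={"vlan": VlanInterface()})

if __name__ == "__main__":
    for label, cfg in (("final", FINAL), ("defaults", DEFAULTS)):
        print(f"{label}: {lint(cfg) or 'checklist satisfied'}")
```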