Layer 2 Networking
Tech Note
Overview
PAN-OS is very flexible, allowing administrators to mix and match physical firewall interfaces amongst virtual wire, layer 2, layer 3, and tap mode configurations. This document explains PAN-OS layer 2 and VLAN concepts, showing examples of connecting a VLAN with Layer 2 interfaces to a Layer 3 interface for connectivity off of the VLAN network.
VLANs
While physical interfaces can be configured as Layer 2 interfaces, a single Layer 2 interface by itself is not very interesting. Usually, at least two Layer 2 interfaces are assigned to the same VLAN, enabling connectivity between the two ports.
The diagram to the right shows a very simple VLAN, with both Ethernet interfaces assigned to the same security zone.
This simple network is unable to connect to other networks through the PA-series firewall, as there is no connectivity between the VLAN (dmz-vlan) and any Layer 3 interfaces.
For devices on our simple VLAN to access other networks, either a router must exist elsewhere on the VLAN, or the PA-series firewall itself must be configured to provide connectivity from the VLAN to other networks on the firewall.
Creating VLANs
At a minimum, a Layer 2 interface must be in a VLAN to pass traffic.
To create a VLAN, navigate to Network → Interface. The VLAN can be created either from the menu on the left under VLAN (as in the screenshot to the right) or by selecting or creating a Layer 2 interface and following the options to associate or create a VLAN from the Layer 2 interface configuration.
Once New has been selected to create a new VLAN, a configuration screen like the one below will appear. Give the VLAN a name, select any already defined Layer 2 interfaces to add to the VLAN, select a VLAN interface if one has already been defined, and check the box if Layer 3 forwarding will be used.
VLAN Interfaces
To configure connectivity on the PA-series firewall between the VLAN and other networks, a VLAN interface must be created. This is not a physical interface. It is a construct used to add a Layer 3-type interface to a Layer 2 VLAN. VLAN interfaces operate at Layer 3, not Layer 2. As such, the VLAN interface will have a different zone than the physical Layer 2 interfaces.
A default VLAN interface exists, called ‘vlan’. Any new VLAN interfaces created will be named vlan.X, where X is an integer greater than zero.
The default VLAN interface, as seen in the screenshot below named ‘vlan’, cannot be used until it has been assigned to a Virtual Router, assigned to a VLAN, and placed in a Security Zone. The error message below appears when the warning sign to the left of the ‘vlan’ interface is selected.
Creating a VLAN Interface
To create a new VLAN interface, in Network → Interfaces, select New at the bottom of the window. Select VLAN Interface, as in the screenshot below.
As in the screenshot below, configure the VLAN interface by:
• completing the VLAN interface name
• adding an IP address to serve as the gateway address for other devices on the VLAN
• assigning the interface to a
  • virtual router
  • VLAN
  • Layer 3 zone
Once created, the VLAN interface appears in the list of interfaces in the web management GUI under Network → Interfaces.
Our simple network will look like the diagram to the right once the VLAN interface has been added.
VLAN Routing
PA-series firewalls enable connectivity between Layer 2 interfaces and Layer 3 interfaces with the use of a VLAN interface and Virtual Router.
A VLAN interface must be created and assigned to the same VLAN as the Layer 2 interfaces that require connectivity. In the graphic to the right, the vlan.1 VLAN interface is assigned to the dmz-vlan VLAN. VLAN interfaces are assigned to a different zone than the Layer 2 interfaces, as a VLAN interface can only use Layer 3 security zones. In the case below, the VLAN interface has been assigned to the DMZ-L3 zone.
Once a VLAN interface exists on the VLAN, has an IP address, and has been attached to a Virtual Router, the devices on the VLAN have a default gateway to which they can forward traffic destined for other networks.
Adding a Virtual Router and attaching the VLAN interface to it allows the VLAN to interoperate with other networks. The graphic above shows the Virtual Router VR1.
Creating A Virtual Router
To create a Virtual Router, navigate to Network → Interface. The Virtual Router can be created either from the menu on the left under Virtual Router or by selecting or creating a Layer 3 interface and following the options to associate or create a Virtual Router from the Layer 3 interface configuration.
Once New has been selected to create a new Virtual Router, a configuration screen like the one to the left will appear. Give the Virtual Router a name and select any already defined Layer 3 or VLAN interfaces to add them to the Virtual Router. Optionally, fill in any extra routing information.
Security Zones
One of the unique characteristics of traffic flowing through a Layer 2 interface is that a different security zone can apply depending on where the traffic goes: either the traffic stays on the same VLAN, where the Layer 2 zone applies, or the traffic leaves the VLAN and the Layer 3 zone applies.
In fact, as the diagram below shows, Layer 2 interfaces can be set up with no Layer 2 security zones defined; a single Layer 2 security zone for an entire VLAN; or multiple Layer 2 security zones within the same VLAN.
While it is possible to define a Layer 2 VLAN network without any Layer 2 Zones, no traffic will flow between the Layer 2 interfaces on the same VLAN. The only reachable host from the Layer 2 interface will be the VLAN interface, enabling connectivity to other networks.
Single versus Multiple Layer 2 Zones
Typically, writing policy between two hosts on the same network is the driving force behind Layer 2 interface creation. In the example used so far, a DMZ network exists with both a webserver and a mail server. They can be in the same or different Layer 2 zone - as long as the servers connect through different physical interfaces, policy can be written to control communication between the two servers.
Using multiple zones on the same VLAN enables clear policy rules. However, keep in mind the different implicit rules that go into effect when writing rules where the source and destination zone are the same versus when the source and destination zone are different. The table below summarizes the differences between the number of Layer 2 zones used.
Source and Destination L2 Zone | Implicit Trailing Rule | Use Case
No Layer 2 zone exists | Not applicable, as no traffic passes between Layer 2 interfaces on the same VLAN | VLAN where individual hosts have no connectivity to each other
Same | Allow | VLAN with a handful of denied traffic between hosts
Different | Deny | VLAN with a handful of allowed traffic between hosts
Traffic within the same VLAN and same Layer 2 security zone is allowed by default, whereas traffic between Layer 2 zones on the same VLAN is denied.
The following security rules include the implicit trailing rule in italics to show that the rule will be in effect. This action is always present in the rulebase. If no other rules are matched for traffic, the implicit rule will match. Keep in mind that this implicit rule is not visible in the management interface.
If no Layer 2 security zone exists, no security rules can be written for traffic between hosts on the VLAN.
As an example, the security rules below show the two different ways to write rules with either one or two Layer 2 security zones. A webserver can send email out via SMTP through the Mail Server. No other communication is allowed between the two servers.
When the servers are in the same Layer 2 DMZ zone (Ⓑ in the diagram on the previous page), the rule must specify the IP addresses in question AND include a deny rule to block all other traffic.
Security Rule - Policy within a single VLAN, single zone
Comment | Source Zone | Destination Zone | Source Addr. | Destination Addr. | Application | Action
Webserver sends email | DMZ | DMZ | 192.168.1.2 | 192.168.1.3 | SMTP | Allow
Deny all other intra-zone DMZ traffic | DMZ | DMZ | any | any | any | Deny
implicit, DMZ intra-zone rule | DMZ | DMZ | any | any | any | Allow
However, realizing the different security postures of the two interfaces and the required communication between the Layer 2 interfaces, the rule below can be used. It is no longer necessary to enumerate specific hosts and addresses for intra-VLAN traffic, nor is a rule required to block all other traffic, as the implicit rule does this already.
Security Rule - Policy within a single VLAN, multiple zones
Comment | Source Zone | Destination Zone | Source Addr. | Destination Addr. | Application | Action
Webserver sends email | DMZ-Web | DMZ-Mail | any | any | SMTP | Allow
implicit rule | DMZ-Web | DMZ-Mail | any | any | any | Deny
Interface Types
Policy rules always specify source and destination zones of the same type. Rules specifying Layer 2 zones only pass packets within the same VLAN. Rules specifying Layer 3 zones pass packets between networks.
Neither Virtual Wire nor Layer 2 interfaces support NAT. Layer 3 interfaces - physical or virtual - must be used to facilitate NAT.
When traffic originates from or terminates at a Layer 2 interface, policy rules use the Layer 2 zone when the communication is intra-VLAN traffic. If the communication is with another network, the Layer 3 zone of the VLAN interface on the same VLAN is used.
Interface | Zone Type | NAT Support
Tap | Tap | No
VWire | VWire | No
Layer 2 | Layer 2 | No
Layer 3 | Layer 3 | Yes
VLAN | Layer 3 | Yes
In the diagram at the top of the next page, the dotted line marked with a ① represents a connection that originates on a Layer 2 interface, but since the destination is not in the VLAN, the source zone is the first Layer 3 zone the packet passes through. In this case, the source zone will be the DMZ-L3 zone and the destination zone is the Untrust zone.
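The zone selection and implicit-rule behaviour described in the Security Zones and Interface Types sections, written out as a small Python model so a rulebase can be checked before it is committed. This is an added example, not code from the tech note or from PAN-OS: the topology (dmz-vlan, vlan.1 in DMZ-L3, webserver 192.168.1.2, mail server 192.168.1.3) and the rules are the note's; the function names and the Internet host 203.0.113.10 are assumptions constructed for the example.

```python
# Added example (not from the tech note): a Python model of the zone selection and
# implicit-rule behaviour this note describes. The topology (dmz-vlan, vlan.1 in
# DMZ-L3, webserver 192.168.1.2, mail server 192.168.1.3) is the note's; the
# function names and the 203.0.113.10 Internet host are assumptions/constructed.
IMPLICIT_INTRAZONE, IMPLICIT_INTERZONE = "allow", "deny"

def flow_zones(src_ip, dst_ip, hosts, vlan_l3_zone, upstream_zone="Untrust"):
    """Return (src_zone, dst_zone) for a flow, or None when no zone pair exists.
    hosts: ip -> (vlan, layer2_zone or None); vlan_l3_zone: vlan -> zone of its
    VLAN interface. Intra-VLAN traffic uses the Layer 2 zones; traffic that
    leaves the VLAN uses the VLAN interface's Layer 3 zone on that side."""
    src, dst = hosts.get(src_ip), hosts.get(dst_ip)
    if src and dst and src[0] == dst[0]:          # both hosts on the same VLAN
        if src[1] is None or dst[1] is None:
            return None                           # no Layer 2 zone: not passed
        return src[1], dst[1]
    src_zone = vlan_l3_zone[src[0]] if src else upstream_zone
    dst_zone = vlan_l3_zone[dst[0]] if dst else upstream_zone
    return src_zone, dst_zone

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, app):
    """First matching rule wins. Rules are (from, to, src, dst, app, action) with
    "any" as wildcard. The invisible implicit trailing rule applies otherwise."""
    have = (src_zone, dst_zone, src_ip, dst_ip, app)
    for rule in rules:
        if all(w in ("any", h) for w, h in zip(rule[:5], have)):
            return rule[5]
    return IMPLICIT_INTRAZONE if src_zone == dst_zone else IMPLICIT_INTERZONE

def check(src_ip, dst_ip, app, hosts, vlan_l3_zone, rules):
    zones = flow_zones(src_ip, dst_ip, hosts, vlan_l3_zone)
    return "not forwarded" if zones is None else evaluate(rules, *zones, src_ip, dst_ip, app)

VLAN_L3 = {"dmz-vlan": "DMZ-L3"}                  # vlan.1 sits in DMZ-L3
ONE_ZONE = {"192.168.1.2": ("dmz-vlan", "DMZ"), "192.168.1.3": ("dmz-vlan", "DMZ")}
TWO_ZONES = {"192.168.1.2": ("dmz-vlan", "DMZ-Web"), "192.168.1.3": ("dmz-vlan", "DMZ-Mail")}
NO_ZONE = {"192.168.1.2": ("dmz-vlan", None), "192.168.1.3": ("dmz-vlan", None)}
# The note's rulebases (the implicit trailing rule is NOT listed; evaluate() adds it)
ONE_ZONE_RULES = [("DMZ", "DMZ", "192.168.1.2", "192.168.1.3", "smtp", "allow"),
                  ("DMZ", "DMZ", "any", "any", "any", "deny")]
TWO_ZONE_RULES = [("DMZ-Web", "DMZ-Mail", "any", "any", "smtp", "allow")]
L3_RULES = [("DMZ-L3", "Untrust", "192.168.1.3", "any", "smtp", "allow")]

if __name__ == "__main__":
    print(check("192.168.1.2", "192.168.1.3", "smtp", TWO_ZONES, VLAN_L3, TWO_ZONE_RULES))  # allow
    print(check("192.168.1.3", "192.168.1.2", "smtp", TWO_ZONES, VLAN_L3, TWO_ZONE_RULES))  # deny
    print(check("192.168.1.3", "203.0.113.10", "smtp", TWO_ZONES, VLAN_L3, L3_RULES))       # allow
```

Dropping the explicit "Deny all other intra-zone DMZ traffic" rule from ONE_ZONE_RULES shows why it is needed: the implicit intrazone rule would otherwise allow the reverse SMTP flow.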
Putting It All Together
To enable connectivity to the Internet in the example used so far, assign the Layer 3 interface (connected to the upstream network towards the Internet) to the Virtual Router. Finally, add NAT rules for inbound and outbound communication.
NAT Rules
The NAT rules below enable static NAT for inbound web and mail traffic, along with static source NAT for outbound mail. Notice the use of the DMZ-L3 zone instead of the DMZ-Mail Layer 2 zone. Since the mail connections will traverse Layer 3 networks, Layer 3 zones are used.
NAT Rules
Comment | Source Zone | Dest. Zone | Source Addr | Dest. Addr | Service | Translated Source | Translated Dest
Outbound mail relaying | DMZ-L3 | Untrust | 192.168.1.3 | Any | SMTP | 128.61.255.3 | None
Inbound SMTP | Untrust | Untrust | Any | 128.62.255.3 | SMTP | Any | 192.168.1.3
Inbound Web | | | | | | |
Security Rules
As with the NAT rules, the Layer 3 zone DMZ-L3 is used instead of the Layer 2 zones.
Security Rules
Comment | Source Zone | Dest. Zone | Source Addr | Dest. Addr | Application | Service | Action
Allow outbound mail relaying | DMZ-L3 | Untrust | 192.168.1.3 | Any | SMTP | application-default | Allow
Allow inbound mail | Untrust | DMZ-L3 | Any | 128.62.255.3 | SMTP | application-default | Allow
Allow inbound web | Untrust | DMZ-L3 | Any | 128.62.255.2 | web-browsing | application-default | Allow
Layer 2 Networking Checklist
As a reminder, the following items will need to be checked or configured to enable Layer 2 interfaces to connect to other networks in addition to any other required PAN-OS configuration. Define:
• at least two Layer 2 interfaces
• at least one Layer 2 Security Zone (for any intra-VLAN traffic)
• a VLAN
• a VLAN interface
• a Virtual Router
• at least one Layer 3 interface
Attach:
• the Layer 2 interfaces and the VLAN interface to the VLAN
• the VLAN interface and the Layer 3 interface to the Virtual Router
Key Points to Remember
• Layer 2 interfaces must be added to a VLAN to pass traffic
• No VLANs exist by default. At least one must be created if any Layer 2 interfaces are used
• A Layer 2 zone is only required for a Layer 2 interface if intra-VLAN traffic is needed
• Layer 2 zones are only used for intra-VLAN communication
• Layer 3 zones are used for communication between networks
• A default VLAN interface exists, called ‘vlan’
• A VLAN interface must be attached to a VLAN to allow connectivity to other networks
• No Virtual Routers exist by default. One must be created to connect a Layer 2 VLAN to other networks
• The default implicit action is Allow when source and destination are in the same zone
• The default implicit action is Deny when source and destination are in different zones