Layer 2 Networking
Tech Note

Overview
PAN-OS is very flexible, allowing administrators to mix and match physical firewall interfaces amongst virtual wire, Layer 2, Layer 3, and tap mode configurations. This document explains PAN-OS Layer 2 and VLAN concepts and shows, by example, how to connect a VLAN made of Layer 2 interfaces to a Layer 3 interface so that hosts on the VLAN can reach other networks.

VLANs
While physical interfaces can be configured as Layer 2 interfaces, a single Layer 2 interface by itself is not very useful. Usually at least two Layer 2 interfaces are assigned to the same VLAN, which enables connectivity between the two ports. The diagram to the right shows a very simple VLAN, with both Ethernet interfaces assigned to the same security zone. This simple network is unable to connect to other networks through the PA-series firewall, as there is no connectivity between the VLAN (dmz-vlan) and any Layer 3 interface. For devices on this VLAN to reach other networks, either a router must exist elsewhere on the VLAN, or the PA-series firewall must be configured to forward between the VLAN and the other networks attached to the firewall.

Layer 2 Networking Tech Note rev00A

3/09

Creating VLANs
At a minimum, a Layer 2 interface must be in a VLAN to pass traffic. To create a VLAN, navigate to Network > Interfaces. The VLAN can be created either from the menu on the left under VLAN (as in the screenshot to the right) or by selecting or creating a Layer 2 interface and following the options to associate or create a VLAN from the Layer 2 interface configuration. Once New has been selected to create a new VLAN, a configuration screen like the one below appears. Give the VLAN a name, select any already defined Layer 2 interfaces to add to the VLAN, select a VLAN interface if one has already been defined, and check the box if Layer 3 forwarding will be used.


VLAN Interfaces
To configure connectivity on the PA-series firewall between the VLAN and other networks, a VLAN interface must be created. This is not a physical interface; it is a construct that adds a Layer 3 interface to a Layer 2 VLAN. VLAN interfaces operate at Layer 3, not Layer 2, so a VLAN interface is placed in a different (Layer 3) zone than the physical Layer 2 interfaces. A default VLAN interface exists, called vlan. Any new VLAN interfaces created are named vlan.X, where X is an integer greater than zero. The default VLAN interface, shown as vlan in the screenshot below, cannot be used until it has been assigned to a Virtual Router, assigned to a VLAN, and placed in a Security Zone. The error message below appears when the warning sign to the left of the vlan interface is selected.

Creating a VLAN Interface


To create a new VLAN interface, in Network > Interfaces select New at the bottom of the window, then select VLAN Interface, as in the screenshot below.


As in the screenshot below, configure the VLAN interface by:
- completing the VLAN interface name
- adding an IP address to serve as the gateway address for the other devices on the VLAN
- assigning the interface to a virtual router
- assigning the interface to the VLAN
- assigning the interface to a Layer 3 zone

Once created, the VLAN interface appears in the list of interfaces in the web management GUI under Network > Interfaces. Our simple network will look like the diagram to the right once the VLAN interface has been added.


VLAN Routing
PA-series firewalls enable connectivity between Layer 2 interfaces and Layer 3 interfaces with the use of a VLAN interface and a Virtual Router. A VLAN interface must be created and assigned to the same VLAN as the Layer 2 interfaces that require connectivity. In the graphic to the right, the vlan.1 VLAN interface is assigned to the dmz-vlan VLAN. VLAN interfaces are assigned to a different zone than the Layer 2 interfaces, as a VLAN interface can only use Layer 3 security zones; in the case below, the VLAN interface has been assigned to the DMZ-L3 zone. Once a VLAN interface exists on the VLAN, has an IP address, and has been attached to a Virtual Router, the devices on the VLAN have a gateway to which they can forward traffic for other networks. Adding a Virtual Router and attaching the VLAN interface to it allows the VLAN to interoperate with other networks; the graphic above shows the Virtual Router VR1.

Creating A Virtual Router


To create a Virtual Router, navigate to Network > Interfaces. The Virtual Router can be created either from the menu on the left under Virtual Router or by selecting or creating a Layer 3 interface and following the options to associate or create a Virtual Router from the Layer 3 interface configuration. Once New has been selected to create a new Virtual Router, a configuration screen like the one to the left appears. Give the Virtual Router a name and select any already defined Layer 3 or VLAN interfaces to add them to the Virtual Router. Optionally, fill in any extra routing information.


Security Zones
One of the unique characteristics of traffic flowing through a Layer 2 interface is that different security zones can apply depending on where the traffic goes: if the traffic stays on the same VLAN, the Layer 2 zone applies; if the traffic leaves the VLAN, the Layer 3 zone applies. In fact, as the diagram below shows, Layer 2 interfaces can be set up with no Layer 2 security zone defined, with a single Layer 2 security zone for an entire VLAN, or with multiple Layer 2 security zones within the same VLAN.

While it is possible to define a Layer 2 VLAN network without any Layer 2 zones, no traffic will then flow between the Layer 2 interfaces on the same VLAN. The only host reachable from such a Layer 2 interface is the VLAN interface, which provides connectivity to other networks.

Single versus Multiple Layer 2 Zones


Typically, the need to write policy between two hosts on the same network is the driving force behind Layer 2 interface creation. In the example used so far, a DMZ network contains both a webserver and a mail server. They can be in the same or in different Layer 2 zones; as long as the servers connect through different physical interfaces, policy can be written to control communication between them. (Hosts that share one physical interface, for example behind the same switch, exchange traffic without traversing the firewall, so no policy can be applied between them.)


Using multiple zones on the same VLAN makes for clear policy rules. However, keep in mind the different implicit rules that take effect when the source and destination zones of the traffic are the same versus when they are different. The table below summarizes the differences by the number of Layer 2 zones used.

Source and Destination L2 Zone | Implicit Trailing Rule                                                       | Use Case
No Layer 2 zone exists         | Not applicable, as no traffic passes between Layer 2 interfaces on the same VLAN | VLAN where individual hosts have no connectivity to each other
Same                           | Allow                                                                        | VLAN with a handful of denied flows between hosts
Different                      | Deny                                                                         | VLAN with a handful of allowed flows between hosts

Traffic within the same VLAN and the same Layer 2 security zone is allowed by default, whereas traffic between Layer 2 zones on the same VLAN is denied. The security rules that follow list the implicit trailing rule (marked implicit) to show that it is in effect. This rule is always present in the rulebase: if traffic matches no other rule, the implicit rule matches. Keep in mind that the implicit rule is not visible in the management interface. If no Layer 2 security zone exists, no security rules can be written for traffic between hosts on the VLAN. As an example, the security rules below show the two different ways to write rules with either one or two Layer 2 security zones: the webserver may send email out via SMTP through the mail server, and no other communication is allowed between the two servers. When the servers are in the same Layer 2 DMZ zone (the diagram on the previous page), the rule must specify the IP addresses in question AND be followed by a deny rule to block all other traffic, because the implicit intrazone rule would otherwise allow it.
Security Rule - Policy within a single VLAN, single zone

Comment                               | Source Zone | Dest. Zone | Source Addr. | Dest. Addr. | Application | Action
Webserver sends email                 | DMZ         | DMZ        | 192.168.1.2  | 192.168.1.3 | SMTP        | Allow
Deny all other intra-zone DMZ traffic | DMZ         | DMZ        | any          | any         | any         | Deny
DMZ intrazone rule (implicit)         | DMZ         | DMZ        | any          | any         | any         | Allow


However, once the different security postures of the two interfaces and the required communication between them are recognised, the rules below can be used instead. It is no longer necessary to enumerate specific hosts and addresses for intra-VLAN traffic, nor is a rule required to block all other traffic, as the implicit interzone rule already does this.
Security Rule - Policy within a single VLAN, multiple zones

Comment                   | Source Zone | Dest. Zone | Source Addr. | Dest. Addr. | Application | Action
Webserver sends email     | DMZ-Web     | DMZ-Mail   | any          | any         | SMTP        | Allow
interzone rule (implicit) | DMZ-Web     | DMZ-Mail   | any          | any         | any         | Deny
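The zone selection and implicit-rule behaviour described in this section, as an added example in Python (not code from the tech note and not PAN-OS code): a small model that picks the zones for a flow entering on a Layer 2 port, then runs the single-zone and multiple-zone rulebases above over the same flows. Interface names ethernet1/1, ethernet1/3 and ethernet1/4, and which port each server is plugged into, are assumptions made here; the addresses, zones and rule names are the tech note's.

```python
# Added example, not code from the Palo Alto Networks tech note: a simplified
# model of how a PAN-OS firewall picks the source and destination zones for a
# flow that enters on a Layer 2 interface, and how the implicit trailing rule
# (allow within a zone, deny between zones) decides what the explicit rulebase
# does not match. Port names and the server-to-port mapping are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Topology constructed from the tech note's diagrams.
L2_IFACE_VLAN = {"ethernet1/3": "dmz-vlan", "ethernet1/4": "dmz-vlan"}
VLAN_SUBNET = {"dmz-vlan": ip_network("192.168.1.0/24")}
VLAN_L3_ZONE = {"dmz-vlan": "DMZ-L3"}            # zone of vlan.1
L3_IFACE_ZONE = {"ethernet1/1": "Untrust"}        # upstream Layer 3 port
HOST_IFACE = {"192.168.1.2": "ethernet1/3",       # webserver  (assumed port)
              "192.168.1.3": "ethernet1/4"}       # mail server (assumed port)
# Egress zone after the virtual router's route lookup (longest prefix wins).
ROUTES = [(ip_network("192.168.1.0/24"), "DMZ-L3"),
          (ip_network("0.0.0.0/0"), "Untrust")]


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str = "any"
    dst: str = "any"
    app: str = "any"
    action: str = "allow"

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, app):
        return ((self.src_zone, self.dst_zone) == (src_zone, dst_zone)
                and self.src in ("any", src_ip)
                and self.dst in ("any", dst_ip)
                and self.app in ("any", app))


def route_zone(dst_ip):
    addr = ip_address(dst_ip)
    for net, zone in sorted(ROUTES, key=lambda r: r[0].prefixlen, reverse=True):
        if addr in net:
            return zone
    raise LookupError(f"no route to {dst_ip}")


def resolve_zones(ingress, dst_ip, l2_zone_of):
    """(source_zone, destination_zone) for a flow entering on `ingress`.

    Intra-VLAN (destination inside the VLAN's subnet): the Layer 2 zones of the
    ingress port and of the port behind which the destination host lives; None
    if a port has no Layer 2 zone.
    Leaving the VLAN: the VLAN interface forwards the flow, so the source zone
    is its Layer 3 zone and the destination zone comes from the route lookup.
    """
    vlan = L2_IFACE_VLAN.get(ingress)
    if vlan is not None and ip_address(dst_ip) in VLAN_SUBNET[vlan]:
        return l2_zone_of.get(ingress), l2_zone_of.get(HOST_IFACE[dst_ip])
    src_zone = VLAN_L3_ZONE[vlan] if vlan is not None else L3_IFACE_ZONE[ingress]
    return src_zone, route_zone(dst_ip)


def decide(rules, l2_zone_of, ingress, src_ip, dst_ip, app):
    """First matching explicit rule wins; otherwise the implicit trailing rule."""
    src_zone, dst_zone = resolve_zones(ingress, dst_ip, l2_zone_of)
    if src_zone is None or dst_zone is None:
        # No Layer 2 zone: frames do not pass between Layer 2 ports on the VLAN.
        return "drop", "no Layer 2 zone (not reachable through the firewall)"
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip, dst_ip, app):
            return rule.action, rule.name
    if src_zone == dst_zone:
        return "allow", "implicit intrazone rule"
    return "deny", "implicit interzone rule"


# The two rulebases from the tech note, plus the no-zone case.
SINGLE_ZONE = {"ethernet1/3": "DMZ", "ethernet1/4": "DMZ"}
SINGLE_ZONE_RULES = [
    Rule("Webserver sends email", "DMZ", "DMZ", "192.168.1.2", "192.168.1.3", "smtp"),
    Rule("Deny all other intra-DMZ traffic", "DMZ", "DMZ", action="deny"),
]
MULTI_ZONE = {"ethernet1/3": "DMZ-Web", "ethernet1/4": "DMZ-Mail"}
MULTI_ZONE_RULES = [Rule("Webserver sends email", "DMZ-Web", "DMZ-Mail", app="smtp")]
NO_L2_ZONE = {}

if __name__ == "__main__":
    for label, zones, rules in (("single zone", SINGLE_ZONE, SINGLE_ZONE_RULES),
                                ("multiple zones", MULTI_ZONE, MULTI_ZONE_RULES),
                                ("no L2 zone", NO_L2_ZONE, [])):
        for app in ("smtp", "ssh"):
            print(label, "web->mail", app,
                  decide(rules, zones, "ethernet1/3", "192.168.1.2", "192.168.1.3", app))
        print(label, "web->Internet",
              decide(rules, zones, "ethernet1/3", "192.168.1.2", "198.51.100.1", "web-browsing"))
```

Running `decide` with only the first single-zone rule (no explicit deny) shows why that deny is needed: SSH from the webserver to the mail server falls through to the implicit intrazone allow. With the two-zone layout the same flow hits the implicit interzone deny without any extra rule, and the mail server cannot open SMTP back to the webserver either. Traffic from a Layer 2 port to a destination outside the VLAN resolves to the DMZ-L3 and Untrust zones regardless of whether a Layer 2 zone exists.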

Interface Types
Policy rules always specify source and destination zones of the same type. Rules specifying Layer 2 zones only pass packets within the same VLAN. Rules specifying Layer 3 zones pass packets between networks. Neither Virtual Wire nor Layer 2 interfaces support NAT; Layer 3 interfaces, physical or virtual, must be used for NAT. When traffic originates from or terminates at a Layer 2 interface, policy rules include the Layer 2 zone only when the communication is intra-VLAN. If the communication is with another network, the Layer 3 zone of the VLAN interface on the same VLAN is used instead. In the diagram at the top of the next page, the marked dotted line represents a connection that originates on a Layer 2 interface; since the destination is not in the VLAN, the source zone is the first Layer 3 zone the packet passes through. In this case, the source zone is the DMZ-L3 zone and the destination zone is the Untrust zone.

Interface | Zone Type | NAT Support
Tap       | Tap       | No
VWire     | VWire     | No
Layer 2   | Layer 2   | No
Layer 3   | Layer 3   | Yes
VLAN      | Layer 3   | Yes


Putting It All Together


To enable connectivity to the Internet in the example used so far, assign the Layer 3 interface (connected to the upstream network towards the Internet) to the Virtual Router. Finally, add NAT rules for inbound and outbound communication, and security rules that permit the translated flows.

NAT Rules
The NAT rules below provide static destination NAT for inbound web and mail traffic and static source NAT for outbound mail. Notice the use of the DMZ-L3 zone instead of the DMZ-Mail Layer 2 zone: since the mail connections traverse Layer 3 networks, Layer 3 zones are used. The inbound rules use Untrust as both source and destination zone because NAT rules are matched on the pre-NAT destination zone, which is where a route lookup of the public address lands.

NAT Rules

Comment                | Source Zone | Dest. Zone | Source Addr | Dest. Addr   | Service | Translated Source | Translated Dest.
Outbound mail relaying | DMZ-L3      | Untrust    | 192.168.1.3 | Any          | SMTP    | 128.62.255.3      | None
Inbound SMTP           | Untrust     | Untrust    | Any         | 128.62.255.3 | SMTP    | None              | 192.168.1.3
Inbound Web            | Untrust     | Untrust    | Any         | 128.62.255.2 | HTTP    | None              | 192.168.1.2


Security Rules
As with the NAT rules, the Layer 3 zone DMZ-L3 is used instead of the Layer 2 zones. Note that the inbound rules match on the public (pre-NAT) destination addresses 128.62.255.3 and 128.62.255.2 but on the post-NAT destination zone DMZ-L3: PAN-OS evaluates security policy after the NAT lookup has determined the destination zone, while the addresses in the rule remain the original ones.

Security Rules

Comment                      | Source Zone | Dest. Zone | Source Addr | Dest. Addr   | Application  | Service             | Action
Allow outbound mail relaying | DMZ-L3      | Untrust    | 192.168.1.3 | Any          | SMTP         | application-default | Allow
Allow inbound mail           | Untrust     | DMZ-L3     | Any         | 128.62.255.3 | SMTP         | application-default | Allow
Allow inbound web            | Untrust     | DMZ-L3     | Any         | 128.62.255.2 | Web-browsing | application-default | Allow

The diagram below represents the final version of our Layer 2 and Layer 3 network.
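The NAT and security rulebases above, as an added example in Python (not code from the tech note and not PAN-OS code) of the order in which a new session is matched: NAT rules on pre-NAT zones and addresses, then a second route lookup of the translated destination, then security rules on the post-NAT zone but pre-NAT addresses. Zones, addresses and rule names are the tech note's; the outbound translated source address is taken as 128.62.255.3, the mail server's public address used by the inbound rules; the remote client and relay addresses are constructed for the example.

```python
# Added example, not code from the tech note or PAN-OS: a model of the
# NAT-then-security evaluation for a new session. Remote addresses
# (203.0.113.10, 198.51.100.25) are made up for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Egress zone after the virtual router's route lookup (longest prefix wins).
ROUTES = [(ip_network("192.168.1.0/24"), "DMZ-L3"),
          (ip_network("0.0.0.0/0"), "Untrust")]


def route_zone(dst_ip: str) -> str:
    addr = ip_address(dst_ip)
    for net, zone in sorted(ROUTES, key=lambda r: r[0].prefixlen, reverse=True):
        if addr in net:
            return zone
    raise LookupError(f"no route to {dst_ip}")


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    translated_src: Optional[str] = None
    translated_dst: Optional[str] = None


@dataclass(frozen=True)
class SecRule:
    name: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    app: str
    action: str = "allow"


NAT_RULES = [
    NatRule("Outbound mail relaying", "DMZ-L3", "Untrust", "192.168.1.3", "any", "smtp",
            translated_src="128.62.255.3"),
    NatRule("Inbound SMTP", "Untrust", "Untrust", "any", "128.62.255.3", "smtp",
            translated_dst="192.168.1.3"),
    NatRule("Inbound Web", "Untrust", "Untrust", "any", "128.62.255.2", "http",
            translated_dst="192.168.1.2"),
]
SECURITY_RULES = [
    SecRule("Allow outbound mail relaying", "DMZ-L3", "Untrust", "192.168.1.3", "any", "smtp"),
    SecRule("Allow inbound mail", "Untrust", "DMZ-L3", "any", "128.62.255.3", "smtp"),
    SecRule("Allow inbound web", "Untrust", "DMZ-L3", "any", "128.62.255.2", "web-browsing"),
]


def _match(field, value):
    return field in ("any", value)


def new_session(src_zone, src_ip, dst_ip, service, app,
                nat_rules=NAT_RULES, sec_rules=SECURITY_RULES):
    """Simulate the lookups for a new session; returns a dict with the NAT rule
    hit, translated addresses, post-NAT destination zone, security rule hit and
    final action."""
    # 1. Route lookup on the original destination gives the pre-NAT zone.
    pre_nat_dst_zone = route_zone(dst_ip)
    # 2. NAT policy matches on pre-NAT zones and addresses.
    nat = next((r for r in nat_rules
                if (r.src_zone, r.dst_zone) == (src_zone, pre_nat_dst_zone)
                and _match(r.src, src_ip) and _match(r.dst, dst_ip)
                and r.service == service), None)
    post_src = nat.translated_src if nat and nat.translated_src else src_ip
    post_dst = nat.translated_dst if nat and nat.translated_dst else dst_ip
    # 3. A second route lookup on the translated destination gives the post-NAT zone.
    post_nat_dst_zone = route_zone(post_dst)
    # 4. Security policy: post-NAT zones, but the original (pre-NAT) addresses.
    sec = next((r for r in sec_rules
                if (r.src_zone, r.dst_zone) == (src_zone, post_nat_dst_zone)
                and _match(r.src, src_ip) and _match(r.dst, dst_ip)
                and _match(r.app, app)), None)
    if sec:
        action, reason = sec.action, sec.name
    elif src_zone == post_nat_dst_zone:
        action, reason = "allow", "implicit intrazone rule"
    else:
        action, reason = "deny", "implicit interzone rule"
    return {"nat_rule": nat.name if nat else None, "translated_src": post_src,
            "translated_dst": post_dst, "dst_zone": post_nat_dst_zone,
            "security_rule": reason, "action": action}


if __name__ == "__main__":
    print(new_session("Untrust", "203.0.113.10", "128.62.255.2", "http", "web-browsing"))
    print(new_session("Untrust", "203.0.113.10", "128.62.255.3", "smtp", "smtp"))
    print(new_session("DMZ-L3", "192.168.1.3", "198.51.100.25", "smtp", "smtp"))
    print(new_session("DMZ-L3", "192.168.1.2", "198.51.100.25", "http", "web-browsing"))
```

Two things worth checking with this model: a security rule written against the translated address 192.168.1.2, or against the pre-NAT zone pair Untrust to Untrust, never matches the inbound web session and the implicit interzone deny applies; and the webserver has no outbound access at all with the rulebase above, since neither a NAT nor a security rule covers it.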


Layer 2 Networking Checklist


As a reminder, the following items need to be checked or configured to enable Layer 2 interfaces to connect to other networks, in addition to any other required PAN-OS configuration.

Define:
- at least two Layer 2 interfaces
- at least one Layer 2 Security Zone (for any intra-VLAN traffic)
- a VLAN
- a VLAN interface
- a Virtual Router
- at least one Layer 3 interface

Attach:
- the Layer 2 interfaces and the VLAN interface to the VLAN
- the VLAN interface and the Layer 3 interface to the Virtual Router
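The checklist above, together with the requirements from the Creating VLANs, VLAN Interfaces and Creating A Virtual Router sections, as an added example in Python (not code from the tech note and not PAN-OS code): a checker that runs those conditions over a declarative description of the configuration and reports what is still missing, the way the warning on the unattached default vlan interface does. The data model and the finding texts are this example's own; port names ethernet1/1, ethernet1/3 and ethernet1/4 and the gateway address 192.168.1.1/24 are assumptions.

```python
# Added example, not part of the tech note or PAN-OS: applies the Layer 2
# networking checklist to a declarative configuration. Port names and the
# vlan.1 address are assumptions; zones, VLAN and VR names are the tech note's.


def check_layer2_config(cfg):
    """Return "ERROR: ..." / "WARN: ..." strings; an empty list means the
    Layer 2 interfaces can reach other networks through the firewall."""
    findings = []
    zones = cfg.get("zones", {})              # zone name -> "layer2" | "layer3"
    ifaces = cfg.get("interfaces", {})
    vlans = cfg.get("vlans", {})
    vifs = cfg.get("vlan_interfaces", {})
    vrs = cfg.get("virtual_routers", {})
    l2 = [n for n, i in ifaces.items() if i["mode"] == "layer2"]
    l3 = [n for n, i in ifaces.items() if i["mode"] == "layer3"]

    # Layer 2 interfaces: at least two, each in a VLAN. A Layer 2 zone is only
    # needed for intra-VLAN traffic, so its absence is a warning, not an error.
    if len(l2) < 2:
        findings.append("WARN: fewer than two Layer 2 interfaces")
    for name in l2:
        i = ifaces[name]
        if name not in vlans.get(i.get("vlan"), {}).get("interfaces", []):
            findings.append(f"ERROR: {name} is not in a VLAN and cannot pass traffic")
        if "zone" not in i:
            findings.append(f"WARN: {name} has no Layer 2 zone; intra-VLAN traffic via this port will not pass")
        elif zones.get(i["zone"]) != "layer2":
            findings.append(f"ERROR: {name}: zone {i['zone']} is not a Layer 2 zone")

    # Each VLAN needs a VLAN interface for connectivity off the VLAN.
    for vname, v in vlans.items():
        if v.get("vlan_interface") not in vifs:
            findings.append(f"ERROR: VLAN {vname} has no VLAN interface; no connectivity off the VLAN")

    # A VLAN interface is unusable until it has a VLAN, an IP address, a
    # Layer 3 zone and a virtual router; the virtual router in turn needs a
    # Layer 3 interface to reach anything.
    for vif, vi in vifs.items():
        if not any(v.get("vlan_interface") == vif for v in vlans.values()):
            findings.append(f"ERROR: {vif} is not assigned to a VLAN")
        if not vi.get("ip"):
            findings.append(f"ERROR: {vif} has no IP address to act as the VLAN's gateway")
        if zones.get(vi.get("zone")) != "layer3":
            findings.append(f"ERROR: {vif} is not in a Layer 3 security zone")
        vr = vi.get("virtual_router")
        if vif not in vrs.get(vr, {}).get("interfaces", []):
            findings.append(f"ERROR: {vif} is not attached to a virtual router")
        elif not any(p in l3 for p in vrs[vr]["interfaces"]):
            findings.append(f"ERROR: virtual router {vr} has no Layer 3 interface; {vif} cannot reach other networks")
    return findings


# The finished network from the tech note (constructed description).
COMPLETE = {
    "zones": {"DMZ-Web": "layer2", "DMZ-Mail": "layer2", "DMZ-L3": "layer3", "Untrust": "layer3"},
    "interfaces": {
        "ethernet1/1": {"mode": "layer3", "zone": "Untrust"},
        "ethernet1/3": {"mode": "layer2", "zone": "DMZ-Web", "vlan": "dmz-vlan"},
        "ethernet1/4": {"mode": "layer2", "zone": "DMZ-Mail", "vlan": "dmz-vlan"},
    },
    "vlans": {"dmz-vlan": {"interfaces": ["ethernet1/3", "ethernet1/4"], "vlan_interface": "vlan.1"}},
    "vlan_interfaces": {"vlan.1": {"ip": "192.168.1.1/24", "zone": "DMZ-L3", "virtual_router": "VR1"}},
    "virtual_routers": {"VR1": {"interfaces": ["vlan.1", "ethernet1/1"]}},
}

# The starting point: two Layer 2 ports in one zone, the default "vlan"
# interface untouched, no virtual router.
UNATTACHED = {
    "zones": {"DMZ": "layer2"},
    "interfaces": {
        "ethernet1/3": {"mode": "layer2", "zone": "DMZ", "vlan": "dmz-vlan"},
        "ethernet1/4": {"mode": "layer2", "zone": "DMZ", "vlan": "dmz-vlan"},
    },
    "vlans": {"dmz-vlan": {"interfaces": ["ethernet1/3", "ethernet1/4"]}},
    "vlan_interfaces": {"vlan": {}},
    "virtual_routers": {},
}

# Same as COMPLETE but with no Layer 2 zones: reachable off the VLAN only.
NO_L2_ZONES = {
    **COMPLETE,
    "interfaces": {
        "ethernet1/1": {"mode": "layer3", "zone": "Untrust"},
        "ethernet1/3": {"mode": "layer2", "vlan": "dmz-vlan"},
        "ethernet1/4": {"mode": "layer2", "vlan": "dmz-vlan"},
    },
}

if __name__ == "__main__":
    for label, cfg in (("complete", COMPLETE), ("unattached", UNATTACHED), ("no L2 zones", NO_L2_ZONES)):
        print(label, check_layer2_config(cfg) or ["ok"])
```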

Key Points to Remember


- Layer 2 interfaces must be added to a VLAN to pass traffic
- No VLANs exist by default. At least one must be created if any Layer 2 interfaces are used
- A Layer 2 zone is only required for a Layer 2 interface if intra-VLAN traffic is needed
- Layer 2 zones are only used for intra-VLAN communication
- Layer 3 zones are used for communication between networks
- A default VLAN interface exists, called vlan
- A VLAN interface must be attached to a VLAN to allow connectivity to other networks
- No Virtual Routers exist by default. One must be created to connect a Layer 2 VLAN to other networks
- The default implicit action is Allow when source and destination are in the same zone
- The default implicit action is Deny when source and destination are in different zones
