Best option for a Vwire with tagged and untagged traffic.
Hello guys, how are you today? I hope everything is OK. Thank you very much, as always, for the collaboration.
What is the best option when it comes to setting up a Vwire environment with tagged and untagged traffic, i.e.:
VLANS=====1 Untagged, vlan + 20,30,40=============CoreTrunk=======1 Untagged, vlan tagged:20,30,40 ----Palo Alto Vwire===============Switch-01====Untagged, vlan + 20,30,40
What is the best option when using labeled and unlabeled traffic, thinking about the best visibility and detail of the traffic, that is:
Which is the best option:
1.- Set up subinterfaces with tags 20, 30 and 40, and set up some subinterfaces with tag 0 (VLAN ID "0", zero, which the documentation indicates means untagged traffic).
2.- Build subinterfaces with tags 20, 30 and 40 and then build a classic, traditional Vwire using and referencing the physical interfaces, which by default already allows untagged traffic (without specifying VLAN tags).
3.- Or simply put everything in one Vwire, allowing 0-4094 in Tag Allowed (or allowing "0" for untagged traffic) and then adding the tags 20, 30 and 40; that is, the Vwire's allowed tags would be "0", 20, 30, 40. With this scheme, visibility and control are lost.
Which would be the best Vwire option? When you have L2 and L3 interfaces with subinterfaces, you just let the untagged traffic pass through the physical interface, not the subinterfaces; this applies to L2 and L3 interfaces/subinterfaces, but for Vwire you have to use VLAN ID 0, which identifies the tagged traffic. In my opinion, the best option or options would be options 1 and 2, since 3 loses all visibility; the best option would be 1, subinterfaces even with ID 0 for untagged traffic.
What do you think? Which option is best based on your experience and your point of view?
Thank you for your comments, for your collaboration, for your time and for the good vibes.
Link/details Supporting Documentation - Virtual Wire - Palo Alto VLAN ID 0 untagged:
"Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic.
You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet."
"You can also use IP classifiers for managing untagged traffic. To do so, you must create a sub-interface with the vlan tag “0”, and define subinterface(s) with IP classifiers for managing untagged traffic using IP classifiers."
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces/virtual-wire-subinterfaces#:~:text=You%20can%20also%20use%20IP%20classifiers%20for%20managing%20untagged%20traffic.%20To%20do%20so%2C%20you%20must%20create%20a%20sub%2Dinterface%20with%20the%20vlan%20tag%20%E2%80%9C0%E2%80%9D%2C%20and%20define%20subinterface(s)%20with%20IP%20classifiers%20for%20managing%20untagged%20traffic%20using%20IP%20classifiers.
Stay tuned
Kind regards
Will not work; you can't set tag 0 for untagged. For untagged you simply use the 'base' interface.
Yes, this is a good setup, as it allows you to add unique zones to each VLAN inside and outside.
You can put everything in a single vwire and optionally apply tagging (you can set 0,10,20,30 so you only allow your untagged and the 3 tagged and block any stray tagged traffic), but as you mention this will mean 1 set of zones is applied to all 4 "connections". For vwires this is less 'bad practice' than L2 or L3, because the traffic is completely segregated from interacting, so there can't be any security policy that 'leaks' sessions from one VLAN into another, but it does interfere with visibility.
Option 2 would be the preferred one.
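As an added illustration (not from the original post or from Palo Alto documentation), this is how option 2 looks in PAN-OS set-format CLI: the base vwire on the physical ports carries the untagged traffic, and one subinterface pair per VLAN forms its own vwire with its own zones. Interface names (ethernet1/1, ethernet1/2), vwire names and zone names are hypothetical, and the tag-allowed behaviour noted in the comments is my understanding, to be verified on the platform before relying on it.

```text
# Added example, hypothetical names. Lines starting with # are annotations, not CLI input.

# Base vwire on the two physical ports: this is where untagged frames are handled.
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire vw-base interface1 ethernet1/1 interface2 ethernet1/2
# Keep the base vwire to untagged frames only (tag 0). Tags 20/30/40 are
# classified by their subinterfaces below; any other tag matches nothing
# and is dropped rather than silently forwarded (assumed behaviour, verify).
set network virtual-wire vw-base tag-allowed 0

# One subinterface on each side and one vwire per VLAN.
set network interface ethernet ethernet1/1 virtual-wire units ethernet1/1.20 tag 20
set network interface ethernet ethernet1/2 virtual-wire units ethernet1/2.20 tag 20
set network virtual-wire vw-vlan20 interface1 ethernet1/1.20 interface2 ethernet1/2.20

set network interface ethernet ethernet1/1 virtual-wire units ethernet1/1.30 tag 30
set network interface ethernet ethernet1/2 virtual-wire units ethernet1/2.30 tag 30
set network virtual-wire vw-vlan30 interface1 ethernet1/1.30 interface2 ethernet1/2.30

set network interface ethernet ethernet1/1 virtual-wire units ethernet1/1.40 tag 40
set network interface ethernet ethernet1/2 virtual-wire units ethernet1/2.40 tag 40
set network virtual-wire vw-vlan40 interface1 ethernet1/1.40 interface2 ethernet1/2.40

# Distinct zones per side and per VLAN, so rules and logs identify each
# untagged/20/30/40 "connection" separately instead of sharing one zone pair.
set zone core-untagged network virtual-wire ethernet1/1
set zone sw01-untagged network virtual-wire ethernet1/2
set zone core-vlan20 network virtual-wire ethernet1/1.20
set zone sw01-vlan20 network virtual-wire ethernet1/2.20
set zone core-vlan30 network virtual-wire ethernet1/1.30
set zone sw01-vlan30 network virtual-wire ethernet1/2.30
set zone core-vlan40 network virtual-wire ethernet1/1.40
set zone sw01-vlan40 network virtual-wire ethernet1/2.40

commit
```

Security policy then references the per-VLAN zones, which is what gives the visibility that the single-vwire variant in option 3 gives up.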