Saturday, April 22, 2017

Configuring 802.1Q Interface and DHCP on a Palo Alto Networks Firewall

Interface Configurations

Each interface can be assigned a profile that binds management services to it. HTTPS carries the WebUI service and should be enabled on at least one interface. The Permitted IP Addresses entries act as an access control list, restricting which source addresses can reach any interface that has this profile assigned.

Palo Alto firewalls provide a number of traffic-handling objects to move traffic between interfaces, and one is normally required before traffic will move at all. The available types are VLAN objects (VLANs) for Layer 2 traffic, virtual routers for Layer 3 traffic, and virtual wires for virtual wire interfaces.

Several handler types, and several objects of each type, can be in use at the same time. Each object carries the configuration appropriate to its protocol-handling role; virtual routers, for example, implement the various dynamic routing protocols if desired.

Each Layer 3 dynamic routing protocol includes appropriate specific configuration options. An example of OSPF v2 follows.

IPSec tunnels are considered Layer 3 traffic segments for implementation purposes and are handled by virtual routers like any other network segment. Forwarding decisions are made by destination address, not by VPN policy.


SW1#configure terminal
SW1(config)#interface fastethernet0/10
SW1(config-if)#description ### TRUNK TO PA-200 Eth1/3 ###
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport trunk allowed vlan 11      // ALLOW ONLY VLAN 11
SW1(config-if)#switchport mode trunk
SW1(config-if)#
*Mar  1 01:03:02.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down
*Mar  1 01:03:02.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  1 01:03:05.124: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up
*Mar  1 01:03:35.138: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 01:03:35.138: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan201, changed state to up
SW1(config)#exit
SW1(config)#vlan 11      // LAYER 2 VLAN
SW1(config-vlan)#name GUEST
SW1(config-vlan)#exit
SW1(config)#interface fastethernet0/13
SW1(config-if)#switchport host       // MACRO COMMAND THAT ENABLES ACCESS MODE AND PORTFAST ON A SWITCH PORT
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

SW1(config-if)#switchport access vlan 11
SW1(config-if)#description ### GUEST PC ###
SW1(config-if)#end
SW1#
*Mar  1 01:01:08.422: %SYS-5-CONFIG_I: Configured from console by console

SW1#show run interface fastethernet0/10
Building configuration...

Current configuration : 139 bytes
!
interface FastEthernet0/10
 description ### TRUNK TO PA-200 Eth1/3 ###
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11
 switchport mode trunk
end

SW1#show run interface fastethernet0/13
Building configuration...

Current configuration : 139 bytes
!
interface FastEthernet0/13
 description ### GUEST PC ###
 switchport access vlan 11
 switchport mode access
 spanning-tree portfast
end
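As an added example (not part of the original post), a small Python audit that parses the `show run interface` output above and flags ports missing the settings this post relies on: a trunk with no pruned allowed-VLAN list, an access port left in VLAN 1 or without portfast, and a port with no static switchport mode. The FastEthernet0/14 entry in the sample is constructed for illustration and is not from the post.

```python
import re
# Constructed sample: this post's two ports plus an unpruned trunk (Fa0/14) to flag.
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 description ### TRUNK TO PA-200 Eth1/3 ###
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11
 switchport mode trunk
!
interface FastEthernet0/13
 description ### GUEST PC ###
 switchport access vlan 11
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Split IOS running-config text into {interface name: [its config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces

def audit_port(name, lines):
    """Findings for one port: trunks must prune VLANs, access ports must be pinned."""
    findings, cfg = [], set(lines)
    if "switchport mode trunk" in cfg:
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append(f"{name}: trunk carries every VLAN; prune with 'switchport trunk allowed vlan'")
    elif "switchport mode access" in cfg:
        if not any(l.startswith("switchport access vlan ") for l in lines):
            findings.append(f"{name}: access port left in default VLAN 1")
        if "spanning-tree portfast" not in cfg:
            findings.append(f"{name}: edge port without portfast")
    else:
        findings.append(f"{name}: no static switchport mode (DTP may negotiate a trunk)")
    return findings

def audit_config(config):
    # An empty list means every interface passed the checks above.
    return [f for n, ls in parse_interfaces(config).items() for f in audit_port(n, ls)]
```

Run `audit_config(SAMPLE_CONFIG)` to see only Fa0/14 reported; the two ports from the post pass cleanly.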

C:\Users\John Lloyd>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : JohnLloyd-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lagura.com

Ethernet adapter Local Area Connection* 27:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Check Point Virtual Network Adapter For SSL Network Extender
   Physical Address. . . . . . . . . : 54-60-B4-08-E2-25
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 78-2B-CB-D4-A0-85
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.17.11.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, March 18, 2017 12:22:45 PM
   Lease Expires . . . . . . . . . . : Saturday, March 18, 2017 8:22:45 PM
   Default Gateway . . . . . . . . . : 172.17.11.1
   DHCP Server . . . . . . . . . . . : 172.17.11.1
   DHCPv6 IAID . . . . . . . . . . . : 242756555
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-FF-27-59-78-2B-CB-D4-A0-85

   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled


C:\Users\John Lloyd>ping 172.17.11.1

Pinging 172.17.11.1 with 32 bytes of data:
Reply from 172.17.11.1: bytes=32 time=9ms TTL=64
Reply from 172.17.11.1: bytes=32 time=1ms TTL=64
Reply from 172.17.11.1: bytes=32 time=1ms TTL=64
Reply from 172.17.11.1: bytes=32 time<1ms TTL=64

Ping statistics for 172.17.11.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 9ms, Average = 2ms


C:\Users\John Lloyd>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1     1 ms     1 ms    <1 ms  172.17.11.1
  2     8 ms     9 ms     6 ms  10.47.0.1
  3     8 ms     7 ms     7 ms  172.20.43.65
  4     9 ms    11 ms    10 ms  172.20.9.226
  5    11 ms    18 ms     9 ms  203.116.188.85
  6     6 ms     7 ms     7 ms  203.117.36.21
  7     7 ms     7 ms     7 ms  203.117.35.77
  8    25 ms    11 ms     9 ms  203.117.34.34
  9     7 ms     6 ms     8 ms  72.14.196.189
 10     8 ms     6 ms     7 ms  108.170.242.65
 11     8 ms     6 ms     7 ms  108.170.237.229
 12     9 ms     6 ms     7 ms  google-public-dns-a.google.com [8.8.8.8]

Trace complete.
