Configure Layer 3 Subinterfaces for SD-WAN
Table of Contents
Configure Layer 3 Subinterfaces for SD-WAN
Configure Layer 3 subinterfaces for SD-WAN.
Firewalls running PAN-OS 11.0 and SD-WAN Plugin
2.1.0 support SD-WAN on Layer 3 subinterfaces so that the firewall
can segment traffic using VLAN tags. The following task shows how
to create a Layer3 subinterface that uses a static IP address and
how to create one that uses DHCP to get its address. It shows how
to assign a VLAN tag to the subinterface and enable SD-WAN on the
subinterface. Create an SD-WAN interface profile to define each
ISP connection and assign the profile to the corresponding subinterface
(a virtual SD-WAN interface).
If you configure SD-WAN Layer 3 subinterfaces on VM-Series firewalls, the VMware configuration
must have respective portgroups attached to those interfaces that allow all
VLANs.
PPPoE is not supported on subinterfaces.
- Configure an SD-WAN Interface Profile for each ISP connection (subinterface) to define its link attributes.
- Create a Layer 3 subinterface that uses a static IPv4 address.
- Select and in theTemplatefield select a template.
- Select an interface.
- ForInterface Type, selectLayer3and clickOK.
- Highlight the interface and clickAdd Subinterfaceat the bottom of the screen.
- After theInterface Nameand period, enter the subinterface number.
- Enter aTagfor the subinterface (range is 1 to 4,094). For ease of use, make the tag the same number as the subinterface ID.
- On theIPv4tab,Enable SD-WAN.
- Select theTypeof address:Static.
- AddtheIPaddress and subnet mask.
- Enter the IP address of theNext Hop Gateway.
- ClickOK.
- Create a Layer 3 subinterface that uses a static IPv6 address.
- Perform the first six substeps of the step to create a Layer 3 subinterface that uses a static IPv4 address, because they are the same for an IPv6 address.
- On theIPv6tab,Enable IPv6 on the interfaceandEnable SD-WAN.
- In theEUI-64 (default 64-bit Extended Unique Identifier)field, enter the 64-bit EUI in hexadecimal format. If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable theUse interface ID as host portionoption when adding an address, the firewall uses the Interface ID as the host portion of that address.
- Select theTypeof address:Static.
- SelectAddress Assignment.
- Addan IPv6Addressfor the interface or selectNew Variableto create the variable. SD-WAN supports one IPv6 address per physical interface.
- Enable address on interface.
- Use interface ID as host portion—.See the third substep above for explanation.
- Anycast—Select to make the IPv6 address (route) an Anycast address (route), which means multiple locations can advertise the same prefix, and IPv6 sends the anycast traffic to the node it considers the nearest, based on routing protocol costs and other factors.
- Next Hop Gateway—Enter the IPv6 address of the Next Hop Gateway (the next hop from the IPv6 address you entered). The Next Hop Gateway must be on the same subnet as the IPv6 address. The Next Hop Gateway is the IP address of the ISP’s default router that the ISP gave you when you bought the service. It is the next hop IP address to which the firewall sends traffic to reach the ISP’s network, and ultimately, the internet and the hub.
- Send Router Advertisement—Select to enable the firewall to send this address in Router Advertisements (RAs), in which case you must also enable the globalEnable Router Advertisementoption for the interface (on theRouter Advertisementtab).
- Valid Lifetime (sec)—Enter the valid lifetime (in seconds) that the firewall considers the address valid. The valid lifetime must equal or exceed thePreferred Lifetime (sec)(default is 2,592,000).
- Preferred Lifetime (sec)—Enter the preferred lifetime (in seconds) that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall can't use the address to establish new connections, but any existing connections are valid until the valid lifetime expires (default is 604,800).
- On-link—Select if systems that have addresses within the prefix are reachable without a router.
- Autonomous—Select if systems can independently create an IP address by combining the advertised prefix with an Interface ID.
- ClickOK.
- As an alternative to a static address, create a Layer 3 subinterface that uses DHCP to get its IPv4 address.
- Select and in theTemplatefield, select a template stack (not a template).
- Select an interface.
- ForInterface Type, selectLayer3and clickOK.
- Highlight the interface and clickAdd Subinterfacesat the bottom of the screen.
- Highlight the subinterface and clickOverride.
- Highlight the subinterface and after theInterface Nameand period, enter the subinterface number.
- Enter aTagfor the subinterface (range is 1 to 4,094). For ease of use, make the tag the same number as the subinterface ID.
- On theIPv4tab,Enable SD-WAN.
- SelectTypeof address:DHCP ClientandEnable.
- Uncheck (do not select)Automatically create default route pointing to default gateway provided by server.
- Select theAdvancedtab and then theDDNStab.
- SelectSettingsandEnable. TheHostnameis automatically generated by the Panorama SD-WAN plugin.
- Select theVendorasPalo Alto Networks DDNS.
- ClickOK.
- Apply an SD-WAN Interface Profile to the subinterface.
- Highlight the subinterface you created and select theSD-WANtab.
- Select theSD-WAN Interface Profileyou created for this link or create a new profile.
- ClickOK.
- Repeat the prior steps to add more subinterfaces to the interface.
- Commit.