End-of-Life (EoL)
Network > Interfaces > VLAN
A VLAN interface can provide routing into a Layer 3
network (IPv4 and IPv6). You can add one or more Layer 2 Ethernet
ports (see PA-7000
Series Layer 2 Interface) to a VLAN interface.
VLAN Interface Settings | Configure In | Description |
---|---|---|
Interface Name | VLAN Interface | The read-only Interface Name is
set to vlan . In the adjacent field, enter a numeric suffix (1-9999)
to identify the interface. |
Comment | VLAN Interface | Enter an optional description for the interface. |
Netflow Profile | VLAN Interface | If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface. |
VLAN | VLAN
Interface Config | Select a VLAN or click VLAN to
define a new one (see Network
> VLANs). Select None to remove the
current VLAN assignment from the interface. |
Virtual Router | VLAN Interface Config | Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface. |
Virtual System | VLAN Interface Config | If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys. |
Security Zone | VLAN Interface Config | Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface. |
Management Profile | VLAN Interface Advanced Other Info | Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface. Telnet and HTTP carry credentials in cleartext, so prefer SSH and HTTPS, and attach a management profile only to interfaces in zones you trust. |
MTU | VLAN Interface Advanced Other Info | Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large. |
Adjust TCP MSS | VLAN Interface Advanced Other Info | Select to have the firewall rewrite the maximum segment size (MSS) option in TCP SYN segments so that a full-size segment plus its headers fits within the interface MTU. The MTU byte size minus the MSS Adjustment Size equals the resulting MSS; the adjustment size varies by IP protocol. Use this setting when a tunnel along the path requires a smaller MSS: without it, a segment larger than the path can carry must be fragmented, or is dropped when the Don't Fragment bit is set and the ICMP fragmentation needed message never reaches the sender (a PMTUD black hole). Encapsulation adds header length, so configure the MSS adjustment size to leave room for such things as an MPLS header or tunneled traffic that carries a VLAN tag. |
IP Address / MAC Address / Interface | VLAN Interface Advanced ARP Entries | To add one or more static Address Resolution Protocol (ARP) entries, click Add and enter an IP address, its associated hardware (media access control, MAC) address, and the Layer 3 interface that can reach that hardware address. To delete an entry, select it and click Delete. Static ARP entries reduce ARP processing and, because the firewall does not overwrite them with learned ARP replies, prevent ARP-spoofing (man-in-the-middle) attacks against the firewall's own mapping for the specified addresses; they do not stop hosts on the segment from spoofing each other. |
IPv6 Address / MAC Address | VLAN Interface Advanced ND Entries | To provide static neighbor information for the Neighbor Discovery Protocol (NDP), click Add and enter the IPv6 address and MAC address of the neighbor. A static ND entry plays the same role for IPv6 that a static ARP entry plays for IPv4. |
Enable NDP Proxy | VLAN Interface Advanced NDP Proxy | Select to enable Neighbor Discovery Protocol (NDP) proxy on the interface. The firewall responds to Neighbor Solicitation messages that request the MAC address for any IPv6 address in this list, answering with its own MAC address for the interface, in effect saying "send me the packets meant for these addresses." Enabling NDP Proxy is recommended if you are using Network Prefix Translation IPv6 (NPTv6). After you Enable NDP Proxy, you can filter the Address entries: enter a filter and then apply it (green arrow). |
Address | VLAN Interface Advanced NDP Proxy | Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP proxy. Ideally, one of these addresses is the same address as the source translation in NPTv6. The order of addresses does not matter. If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the firewall's IPv6 neighbors and then click Negate to instruct the firewall not to respond for those addresses. |
Negate | VLAN Interface Advanced NDP Proxy | Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet. |
For an IPv4 address | ||
Type | VLAN Interface IPv4 | Select the method for assigning an IPv4 address to the interface: Static (you enter the addresses yourself) or DHCP Client (the interface obtains its address from a DHCP server). Firewalls that are in active/active high availability (HA) mode don't support DHCP Client. The options displayed in the tab vary with the method you select. |
IP | VLAN Interface IPv4 | Click Add and specify a static IP address and network mask for the interface. You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses. Delete an IP address when you no longer need it. |
IPv4 address Type = DHCP | ||
Enable | VLAN
Interface IPv4 | Select to activate the DHCP client on the
interface. |
Automatically create default route pointing to default gateway provided by server | VLAN Interface IPv4 | Select to automatically create a default route that points to the default gateway that the DHCP server provides. |
Default Route Metric | VLAN Interface IPv4 | Optionally enter a route metric (priority level) for the default route created from the gateway the DHCP server provides, used for path selection (range is 1-65,535; there is no default). A lower numeric value means a higher priority. |
Show DHCP Client Runtime Info | VLAN Interface IPv4 | Select to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP). |
For an IPv6 address | ||
Enable IPv6 on the interface | VLAN
Interface IPv6 | Select to enable IPv6 addressing on this
interface. |
Interface ID | VLAN Interface IPv6 | Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address. Note that a MAC-derived interface ID exposes the interface's hardware address in every IPv6 address built from it. |
Address | VLAN Interface IPv6 (cont) | Click Add and configure
the following parameters for each IPv6 address:
|
Enable Duplicate Address Detection | VLAN Interface IPv6 Address Resolution | Select to enable duplicate address detection (DAD), which allows you to specify the number of DAD Attempts. |
DAD Attempts | VLAN Interface IPv6 Address Resolution | Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1). |
Reachable Time | VLAN Interface IPv6 Address Resolution | Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30). |
NS Interval (neighbor solicitation interval) | VLAN Interface IPv6 Address Resolution | Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1). |
Enable NDP Monitoring | VLAN Interface IPv6 Address Resolution | Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select the NDP icon to view the IPv6 neighbors the firewall has discovered on the interface. |
Enable Router Advertisement | VLAN
Interface IPv6 Router Advertisement | Select to provide Neighbor Discovery on
IPv6 interfaces and configure the other fields in this section.
IPv6 DNS clients that receive the router advertisement (RA) messages
use this information. RA enables the firewall to act as a
default gateway for IPv6 hosts that are not statically configured
and to provide the host with an IPv6 prefix for address configuration.
You can use a separate DHCPv6 server in conjunction with this feature
to provide DNS and other settings to clients. This is a global
setting for the interface. If you want to set RA options for individual
IP addresses, Add an Address to
the IP address table and configure it. If you set RA options for
any IP address, you must Enable Router Advertisement for
the interface. |
Min Interval (sec) | VLAN Interface IPv6 Router Advertisement | Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure. |
Max Interval (sec) | VLAN Interface IPv6 Router Advertisement | Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure. |
Hop Limit | VLAN Interface IPv6 Router Advertisement | Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 to leave the hop limit unspecified, in which case clients keep their own default. |
Link MTU | VLAN Interface IPv6 Router Advertisement | Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified). |
Reachable Time (ms) | VLAN Interface IPv6 Router Advertisement | Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified). |
Retrans Time (ms) | VLAN Interface IPv6 Router Advertisement | Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified). |
Router Lifetime (sec) | VLAN Interface IPv6 Router Advertisement | Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway. |
Router Preference | VLAN Interface IPv6 Router Advertisement | If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment. |
Managed Configuration | VLAN Interface IPv6 Router Advertisement | Select to indicate to the client that addresses are available via DHCPv6. |
Other Configuration | VLAN Interface IPv6 Router Advertisement | Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6. |
Consistency Check | VLAN Interface IPv6 Router Advertisement (cont) | Select if you want the firewall to verify
that RAs sent from other routers are advertising consistent information
on the link. The firewall logs any inconsistencies in a system log; the
type is ipv6nd . |
Include DNS information in Router Advertisement | VLAN
Interface IPv6 DNS Support | Select for the firewall to send DNS information
in NDP router advertisements from this IPv6 VLAN interface. The
other DNS Support fields in this table are visible only after you select
this option. |
Server | VLAN Interface IPv6 DNS Support | Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 VLAN interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client. You can configure a maximum of eight RDNS servers that the firewall sends, in the order listed from top to bottom, in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers, or Delete a server from the list when you no longer need it. |
Lifetime | VLAN Interface IPv6 DNS Support | Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200). |
Suffix | VLAN Interface IPv6 DNS Support | Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes. A DNS search list is a list of domain suffixes that a DNS client appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, so that the query is for a fully qualified domain name. For example, if a DNS client tries to submit a DNS query for the name "quality" without a suffix, it appends a period and the first DNS suffix from the DNS search list to the name and then transmits the DNS query. If the first DNS suffix on the list is "company.com", the resulting DNS query is for the fully qualified domain name "quality.company.com". If the DNS query fails, the client appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The client tries DNS suffixes until a DNS lookup succeeds (ignoring the remaining suffixes) or until it has tried all of the suffixes on the list. Configure the firewall with the suffixes that you want to provide to the DNS client in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries. You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends, in the order listed from top to bottom, in an NDP router advertisement to the recipient, which uses the suffixes in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes, or Delete a suffix from the list when you no longer need it. |
Lifetime | VLAN Interface IPv6 DNS Support | Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200). |
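
The Adjust TCP MSS row above describes the firewall rewriting the MSS option so that MSS = MTU minus the adjustment size. The following is an added example, not code from the firewall or this documentation, that performs that rewrite on a TCP SYN: it locates the MSS option, clamps it, and recomputes the TCP checksum over the IPv4 pseudo-header so the segment stays valid. The SYN, the addresses 10.0.0.1/10.0.0.2 and the adjustment sizes used in the run are constructed sample values, and the rule that only an MSS larger than the limit is rewritten is an assumption.

```python
"""Added example: TCP MSS clamping as an 'Adjust TCP MSS' setting performs it.

Assumptions (not from the page): the MSS option is rewritten only when the
advertised value exceeds MTU - adjustment size; the sample SYN and addresses
are constructed, not captured traffic.
"""
import ipaddress
import struct


def _ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit words with end-around carry (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers (protocol number 6)."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, len(segment)))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum to write into bytes 16-17 of the segment (computed with that field zeroed)."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + zeroed)) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct checksum makes the sum over pseudo-header plus segment come out to 0xFFFF."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + segment) == 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample SYN that advertises the given MSS."""
    options = struct.pack("!BBH", 2, 4, mss)            # kind 2, length 4, MSS value
    header_len = 20 + len(options)
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, (header_len // 4) << 4,
                      0x02, 65535, 0, 0) + options       # flags 0x02 = SYN
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def _find_mss(segment: bytes):
    """Return (offset of the 2-byte MSS value, value), or None when the option is absent."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                                     # End of Option List
            return None
        if kind == 1:                                     # NOP is a single byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                                    # malformed option, stop parsing
            return None
        if kind == 2 and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def read_mss(segment: bytes):
    found = _find_mss(segment)
    return None if found is None else found[1]


def clamp_mss(src_ip: str, dst_ip: str, segment: bytes, mtu: int, adjust: int):
    """Rewrite the MSS option to mtu - adjust when it is larger, then fix the checksum.

    Returns (segment, changed). Segments without an MSS option pass through untouched.
    """
    limit = mtu - adjust
    found = _find_mss(segment)
    if found is None or found[1] <= limit:
        return segment, False
    off = found[0]
    seg = segment[:off] + struct.pack("!H", limit) + segment[off + 2:]
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:], True


if __name__ == "__main__":
    syn = build_syn("10.0.0.1", "10.0.0.2", 40000, 443, 1460)
    # A 1500-byte MTU path with 100 bytes of tunnel encapsulation overhead.
    clamped, changed = clamp_mss("10.0.0.1", "10.0.0.2", syn, 1500, 100)
    print(read_mss(syn), "->", read_mss(clamped), changed,
          checksum_ok("10.0.0.1", "10.0.0.2", clamped))
```

The run prints 1460 -> 1400 and confirms the rewritten segment still checksums correctly; with an adjustment of 40 on the same MTU the 1460-byte MSS already fits and the segment is returned unchanged.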
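
The NDP Proxy, Address and Negate rows above describe the firewall answering Neighbor Solicitations for every address in a proxied subnet unless that address is negated. The following is an added example, not the firewall's code, that models that decision: it parses the target out of a raw ICMPv6 Neighbor Solicitation and checks it against a proxy list of addresses, subnets and ranges. The 2001:db8:1::/64 prefix, the negated neighbors and the MAC address are constructed sample values; the 'first-last' range syntax and the rule that a negated entry always wins regardless of list position are assumptions.

```python
"""Added example: which Neighbor Solicitations an NDP proxy list would answer.

Not the firewall's code. Assumptions: ranges are written 'first-last'; a
negated entry wins over a matching proxy entry whatever its position in the
list (the page says list order does not matter).
"""
import ipaddress

NS_TYPE = 135           # ICMPv6 Neighbor Solicitation (RFC 4861 section 4.3)


def build_proxy_table(entries):
    """entries: iterable of (spec, negate). spec is an address, a CIDR subnet or 'first-last'."""
    table = []
    for spec, negate in entries:
        if "-" in spec:
            first, last = (ipaddress.IPv6Address(p.strip()) for p in spec.split("-", 1))
            if first > last:
                raise ValueError("range %s is reversed" % spec)
            table.append((("range", first, last), bool(negate)))
        else:
            table.append((("net", ipaddress.IPv6Network(spec, strict=False)), bool(negate)))
    return table


def _matches(matcher, addr: ipaddress.IPv6Address) -> bool:
    if matcher[0] == "range":
        return matcher[1] <= addr <= matcher[2]
    return addr in matcher[1]


def should_proxy(table, target) -> bool:
    """True when the firewall would answer an NS for target with its own MAC."""
    addr = ipaddress.IPv6Address(target)
    covered = False
    for matcher, negate in table:
        if _matches(matcher, addr):
            if negate:
                return False        # negated entries are excluded even inside a proxied subnet
            covered = True
    return covered


def ns_target(icmpv6: bytes):
    """Target of a raw ICMPv6 NS: type(1) code(1) checksum(2) reserved(4) target(16)."""
    if len(icmpv6) < 24 or icmpv6[0] != NS_TYPE:
        return None
    return ipaddress.IPv6Address(icmpv6[8:24])


def answer_ns(table, icmpv6: bytes, firewall_mac: str):
    """MAC the firewall would place in its Neighbor Advertisement, or None to stay silent."""
    target = ns_target(icmpv6)
    if target is None or not should_proxy(table, target):
        return None
    return firewall_mac


def sample_ns(target: str) -> bytes:
    """Constructed NS (checksum left zero) for the given target address."""
    return bytes([NS_TYPE, 0, 0, 0, 0, 0, 0, 0]) + ipaddress.IPv6Address(target).packed


if __name__ == "__main__":
    # Proxy the NPTv6 external prefix, but never answer for the upstream router
    # (2001:db8:1::1) or the block used by the neighbouring firewall cluster.
    table = build_proxy_table([
        ("2001:db8:1::/64", False),
        ("2001:db8:1::1", True),
        ("2001:db8:1::ff00-2001:db8:1::ffff", True),
    ])
    for t in ("2001:db8:1::1234", "2001:db8:1::1", "2001:db8:1::ff10", "2001:db8:2::1"):
        print(t, answer_ns(table, sample_ns(t), "00:1b:17:00:00:01"))
```

Only the first target gets an answer; the second and third are negated neighbors inside the proxied /64, and the last is outside it. Forgetting the negated entries is exactly the failure the Address row warns about: the firewall would claim its own upstream router's address.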
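
The Interface ID row above takes an EUI-64 value such as 00:26:08:FF:FE:DE:4E:29 and, when the field is blank, derives one from the interface MAC. The following is an added example, not the firewall's code, of that derivation (RFC 4291 Appendix A: split the MAC, insert FF:FE, flip the universal/local bit), of combining the identifier with a /64 prefix as the "Use interface ID as host portion" option does, and of reversing it, which is why a MAC-derived host portion identifies the hardware. The MAC addresses and the 2001:db8:1::/64 prefix are constructed sample values; the page's own example identifier happens to be what the procedure yields for the locally administered MAC 02:26:08:DE:4E:29.

```python
"""Added example: the modified EUI-64 interface ID the Interface ID field holds.

Not the firewall's code. The MAC addresses and the 2001:db8:1::/64 prefix are
constructed sample values; the procedure is RFC 4291 Appendix A.
"""
import ipaddress


def _mac_octets(mac: str) -> bytes:
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets


def eui64_from_mac(mac: str) -> bytes:
    """Insert FF:FE between the OUI and the device part, then flip the universal/local bit."""
    octets = _mac_octets(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                       # U/L bit: 1 in the IID means a globally assigned MAC
    return bytes(iid)


def format_iid(iid: bytes) -> str:
    """Colon-separated hex, the format the Interface ID field uses."""
    return ":".join("%02X" % b for b in iid)


def parse_iid(text: str) -> bytes:
    octets = bytes(int(part, 16) for part in text.split(":"))
    if len(octets) != 8:
        raise ValueError("expected a 64-bit interface ID")
    return octets


def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Use the interface ID as the host portion of a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def mac_from_iid(iid: bytes):
    """Undo the derivation. It works on any EUI-64 address seen on the wire, which is why a
    MAC-derived host portion reveals the NIC vendor and tracks the host across prefixes."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join("%02x" % b for b in octets)


if __name__ == "__main__":
    iid = eui64_from_mac("02:26:08:DE:4E:29")   # constructed, locally administered MAC
    print(format_iid(iid))                       # 00:26:08:FF:FE:DE:4E:29, the page's sample value
    print(address_from_prefix("2001:db8:1::/64", iid))
    print(mac_from_iid(parse_iid("00:26:08:FF:FE:DE:4E:29")))
```

A globally assigned MAC such as 00:26:08:DE:4E:29 yields 02:26:08:FF:FE:DE:4E:29 instead, because the U/L bit is inverted in the identifier; either way the FF:FE marker and the original OUI survive in every address built from it.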
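
The Router Advertisement, Consistency Check and DNS Support rows above list the fields the firewall places in its RAs and the check it runs against RAs from other routers. The following is an added example, not the firewall's code, that encodes and decodes an RA carrying those fields (hop limit, M/O flags, router preference, router lifetime, reachable and retransmit timers, the MTU option, and the RDNSS and DNSSL options with their lifetimes) and compares two parsed RAs the way RFC 4861 section 6.2.7 asks routers to. The addresses and suffixes are constructed sample values; the ICMPv6 checksum is left at zero because it needs the IPv6 pseudo-header, which this example does not model.

```python
"""Added example: encode and decode a Router Advertisement and run the RFC 4861
section 6.2.7 consistency comparison. Not the firewall's code; all addresses and
names are constructed. Layouts: RFC 4861 (header, MTU option type 5), RFC 4191
(router preference bits), RFC 8106 (RDNSS type 25, DNSSL type 31).
"""
import ipaddress
import struct

RA_TYPE = 134
PREF_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}
PREF_NAMES = {v: k for k, v in PREF_BITS.items()}
PREF_NAMES[0b10] = "reserved"           # receivers must treat this as medium (RFC 4191)


def encode_dnssl(names):
    """DNS wire-format labels for each suffix, each name terminated by a zero byte."""
    out = b""
    for name in names:
        for label in name.strip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return out


def decode_dnssl(data: bytes):
    names, labels, i = [], [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:                       # end of a name, or the option's zero padding
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        labels.append(data[i:i + n].decode("ascii"))
        i += n
    return names


def build_ra(hop_limit=64, managed=False, other=False, preference="medium",
             router_lifetime=1800, reachable_ms=0, retrans_ms=0, link_mtu=None,
             rdnss=(), rdnss_lifetime=1200, dnssl=(), dnssl_lifetime=1200) -> bytes:
    """Header: type, code, checksum(0), cur hop limit, flags, router lifetime, reachable, retrans."""
    flags = (int(managed) << 7) | (int(other) << 6) | (PREF_BITS[preference] << 3)
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, hop_limit, flags,
                     router_lifetime, reachable_ms, retrans_ms)
    if link_mtu is not None:
        ra += struct.pack("!BBHI", 5, 1, 0, link_mtu)
    if rdnss:
        body = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        ra += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, rdnss_lifetime) + body
    if dnssl:
        body = encode_dnssl(dnssl)
        body += b"\x00" * (-len(body) % 8)            # pad to a multiple of 8 octets
        ra += struct.pack("!BBHI", 31, 1 + len(body) // 8, 0, dnssl_lifetime) + body
    return ra


def parse_ra(pkt: bytes) -> dict:
    if len(pkt) < 16 or pkt[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop, flags, lifetime, reach, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "preference": PREF_NAMES[(flags >> 3) & 0b11], "router_lifetime": lifetime,
          "reachable_ms": reach, "retrans_ms": retrans, "link_mtu": None,
          "rdnss": [], "rdnss_lifetime": None, "dnssl": [], "dnssl_lifetime": None}
    i = 16
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated option")
        typ, ln = pkt[i], pkt[i + 1]
        if ln == 0 or i + ln * 8 > len(pkt):
            raise ValueError("malformed option")       # RFC 4861 4.6: discard the packet
        body = pkt[i + 2:i + ln * 8]                   # reserved(2) then option-specific data
        if typ == 5:
            ra["link_mtu"] = struct.unpack("!I", body[2:6])[0]
        elif typ == 25:
            ra["rdnss_lifetime"] = struct.unpack("!I", body[2:6])[0]
            ra["rdnss"] = [str(ipaddress.IPv6Address(body[j:j + 16]))
                           for j in range(6, len(body), 16)]
        elif typ == 31:
            ra["dnssl_lifetime"] = struct.unpack("!I", body[2:6])[0]
            ra["dnssl"] = decode_dnssl(body[6:])
        i += ln * 8
    return ra


# Parameters RFC 4861 section 6.2.7 expects a router to compare with other routers' RAs.
CHECKED_FIELDS = ("hop_limit", "managed", "other", "reachable_ms", "retrans_ms", "link_mtu")


def inconsistencies(ours: dict, theirs: dict):
    """(field, our value, their value) for every checked field that differs."""
    return [(f, ours[f], theirs[f]) for f in CHECKED_FIELDS if ours[f] != theirs[f]]


if __name__ == "__main__":
    ours = parse_ra(build_ra(64, True, True, "medium", 1800, 30000, 1000, link_mtu=1500,
                             rdnss=["2001:db8::53"], dnssl=["company.com", "corp.example"]))
    other = parse_ra(build_ra(64, False, False, "high", 1800, 30000, 1000, link_mtu=1280))
    print(ours["rdnss"], ours["dnssl"], other["preference"])
    print(inconsistencies(ours, other))
```

The comparison reports the M flag, O flag and MTU differences, which is what the Consistency Check row says is logged as an ipv6nd system log. Note what it does not catch: the second RA also advertises itself with high preference and a non-zero router lifetime, so hosts will prefer it as default gateway, and an attacker who copies your parameters produces no inconsistency at all. The check is a misconfiguration detector; stopping rogue RAs (and the RDNSS/DNSSL servers they can push) needs RA Guard (RFC 6105) on the access switches.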