Configure a Physical Ethernet Interface for SD-WAN
Configure Ethernet Layer 3 interfaces with SD-WAN functionality.
In Panorama™, configure a physical, Layer 3 Ethernet interface and enable SD-WAN functionality. To configure a physical interface, you must assign it an IPv4 address and a fully qualified IP host address as the Next Hop Gateway, and assign an SD-WAN Interface Profile to the interface. (SD-WAN supports only a Layer 3 interface type; it does not support Layer 2 networks such as VPLS.)
After you use Panorama to create a VPN cluster and export your hub and branch information in the CSV, Auto VPN configuration in the SD-WAN plugin uses this information to generate a configuration for the associated branches and hubs that includes the predefined SD-WAN zones and creates secure VPN tunnels between SD-WAN branches and hubs. Auto VPN configuration also generates the BGP configuration if you enter BGP information in the CSV or in Panorama when you add an SD-WAN branch or hub.
Select , select the appropriate template from the Template context drop-down, select a slot number, such as Slot1, and select an interface (for example, ethernet1/1).
Select the Interface Type as Layer3.
Select a Virtual Router or create a new Virtual Router.
Assign the Security Zone that is appropriate for the interface you’re configuring.
For example, if you are creating an uplink to an ISP, you must know that the Ethernet interface you chose is going to an untrusted zone.
On the IPv4 tab, Enable SD-WAN.
Static—In the IP field, Add an IPv4 address and prefix length for the interface. You can use a defined variable, such as $uplink, with a range of addresses. Enter the fully qualified IPv4 address of the Next Hop Gateway (the next hop from the IPv4 address you just entered). The Next Hop Gateway must be on the same subnet as the IPv4 address. The Next Hop Gateway is the IP address of the ISP’s default router that the ISP gave you when you bought the service. It is the next hop IP address to which the firewall sends traffic to reach the ISP’s network, and ultimately, the internet and the hub.
(PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) PPPoE—Enable PPPoE authentication for DSL links, enter the Username and Password, and Confirm Password.
DHCP Client—It is critical that DHCP assigns a default gateway, also known as the next hop gateway for the ISP connection. The ISP will provide all the necessary connectivity information, such as dynamic IP address, DNS servers, and the default gateway.
Although DHCP Client is supported for a hub or branch interface, on a hub interface it is preferable for you to assign a Static address instead of DHCP Client. Using DHCP on a hub requires the Palo Alto Networks DDNS service. Using a Static address at the hub site creates a more stable environment because DDNS is not involved to resolve the DHCP IP address changes, and because the DDNS service can take a few minutes to register the new IP address when it changes. If you have multiple branch sites connecting to a hub site, having stability is critical to keeping the network up and running.
If you select DHCP Client, be sure to disable the option Automatically create default route pointing to default gateway provided by server, which is enabled by default.
On the SD-WAN tab, select an SD-WAN Interface Profile that you already created (or create a new SD-WAN Interface Profile) to apply to this interface. The SD-WAN Interface Profile has an associated link tag, so the interfaces where this profile is applied will have the associated link tag. An interface can have only one link tag.
Click OK to save the Ethernet interface.
Commit and Commit and Push your configuration changes.
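An added example, not part of the original page and not Palo Alto Networks code: a check of planned interface values against the rules in the steps above (Layer 3 only, Next Hop Gateway on the same subnet as the Static address, automatic default route disabled for DHCP Client, Static preferred on a hub). The dictionary field names and the sample addresses are assumptions constructed for illustration; they are not Panorama's CSV columns or API.

```python
import ipaddress

# Constructed sample plan; the field names are hypothetical and are not
# Panorama's CSV columns or API schema.
PLAN = [
    {"name": "ethernet1/1", "role": "branch", "type": "layer3", "mode": "static",
     "ip": "198.51.100.10/29", "next_hop": "198.51.100.9"},
    {"name": "ethernet1/2", "role": "branch", "type": "layer3", "mode": "static",
     "ip": "203.0.113.2/30", "next_hop": "203.0.113.5"},
    {"name": "ethernet1/3", "role": "hub", "type": "layer3", "mode": "dhcp",
     "auto_default_route": True},
    {"name": "ethernet1/4", "role": "branch", "type": "layer2", "mode": "static",
     "ip": "192.0.2.1/24", "next_hop": "192.0.2.1"},
]


def check_interface(intf):
    """Return a list of findings for one planned SD-WAN interface."""
    findings = []
    if intf["type"] != "layer3":
        findings.append("error: SD-WAN supports only Layer 3 interfaces")
    if intf["mode"] == "static":
        iface = ipaddress.ip_interface(intf["ip"])
        gw = ipaddress.ip_address(intf["next_hop"])
        net = iface.network
        if gw not in net:
            findings.append(f"error: next hop {gw} is not in {net}")
        elif gw == iface.ip:
            findings.append("error: next hop equals the interface address")
        elif net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
            findings.append(f"error: next hop {gw} is the network or broadcast address")
    elif intf["mode"] == "dhcp":
        # The page states the automatic default route option is enabled by default.
        if intf.get("auto_default_route", True):
            findings.append("error: disable the automatic default route option")
        if intf["role"] == "hub":
            findings.append("warning: prefer a Static address on a hub interface")
    return findings


def check_plan(plan):
    """Map interface name to its findings, omitting interfaces that pass."""
    checked = {intf["name"]: check_interface(intf) for intf in plan}
    return {name: found for name, found in checked.items() if found}


if __name__ == "__main__":
    for name, found in check_plan(PLAN).items():
        for finding in found:
            print(f"{name}: {finding}")
```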