Configure a Physical Ethernet Interface for SD-WAN
Table of Contents
Expand all | Collapse all
-
- Create a Link Tag
- Configure an SD-WAN Interface Profile
- Configure a Physical Ethernet Interface for SD-WAN
- Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN
- Configure Layer 3 Subinterfaces for SD-WAN
- Configure a Virtual SD-WAN Interface
- Create a Default Route to the SD-WAN Interface
-
- Create a Path Quality Profile
-
- Create a SaaS Quality Profile
- Use Case: Configure SaaS Monitoring for a Branch Firewall
- Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination
- Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination
- SD-WAN Traffic Distribution Profiles
- Create a Traffic Distribution Profile
- Create an Error Correction Profile
- Configure an SD-WAN Policy Rule
- Allow Direct Internet Access Traffic Failover to MPLS Link
- Configure DIA AnyPath
- Distribute Unmatched Sessions
- Configure Multiple Virtual Routers on SD-WAN Hub
- Configure HA Devices for SD-WAN
- Create a VPN Cluster
- Create a Full Mesh VPN Cluster with DDNS Service
- Create a Static Route for SD-WAN
Configure a Physical Ethernet Interface for SD-WAN
Configure Ethernet Layer 3 interfaces with SD-WAN functionality.
In Panorama™, configure a physical, Layer
3 Ethernet interface and enable SD-WAN functionality. To configure
a physical interface, you must assign it an IPv4 address and a fully
qualified Next Hop Gateway, and assign an SD-WAN Interface Profile to
the interface. (SD-WAN supports only a Layer 3 interface type; it
does not support Layer 2 networks such as VPLS.)
After you
use Panorama to create a VPN cluster and export your hub and branch
information in the CSV, Auto VPN configuration in the SD-WAN plugin
uses this information to generate a configuration for the associated
branches and hubs that includes the predefined SD-WAN zones and
creates secure VPN tunnels between SD-WAN branches and hubs. Auto
VPN configuration also generates the BGP configuration if you enter
BGP information in the CSV or in Panorama when you add an SD-WAN
branch or hub.
- Select, select the appropriate template from theNetworkInterfacesEthernetTemplatecontext drop-down, select a slot number, such as Slot1, and select an interface (for example, ethernet1/1).
- Select theInterface TypeasLayer3.
- Select aVirtual Routeror create a new Virtual Router.
- Assign theSecurity Zonethat is appropriate for the interface you’re configuring.For example, if you are creating an uplink to an ISP, you must know that the Ethernet interface you chose is going to an untrusted zone.
- On theIPv4tab,Enable SD-WAN.
- SelectTypeof address:
- Static—In theIPfield,Addan IPv4 address and prefix length for the interface. You can use a defined variable, such as $uplink, with a range of addresses. Note that you can only add an IPv4 address or a defined variable and not an address object for the IP field. Enter the fully qualified IPv4 address of theNext Hop Gateway(the next hop from the IPv4 address you just entered). The Next Hop Gateway must be on the same subnet as the IPv4 address. The Next Hop Gateway is the IP address of the ISP’s default router that the ISP gave you when you bought the service. It is the next hop IP address to which the firewall sends traffic to reach the ISP’s network, and ultimately, the internet and the hub.
- PPPoE—EnablePPPoE authentication for DSL links, enter theUsernameandPassword, andConfirm Password.
- DHCP Client—It is critical that DHCP assigns a default gateway, also known as the next hop gateway for the ISP connection. The ISP will provide all the necessary connectivity information, such as dynamic IP address, DNS servers, and the default gateway.Although DHCP Client is supported for a hub or branch interface, on a hub interface it is preferable for you to assign aStaticaddress instead of DHCP Client. Using DHCP on a hub requires the Palo Alto Networks DDNS service. Using a Static address at the hub site creates a more stable environment because DDNS is not involved to resolve the DHCP IP address changes, and because the DDNS service can take a few minutes to register the new IP address when it changes. If you have multiple branch sites connecting to a hub site, having stability is critical to keeping the network up and running.If you select DHCP Client, be sure to disable the optionAutomatically create default route pointing to default gateway provided by server, which is enabled by default.
- On theSD-WANtab, select anSD-WAN Interface Profilethat you already created (or create a new SD-WAN Interface Profile) to apply to this interface. The SD-WAN Interface Profile has an associated link tag, so the interfaces where this profile is applied will have the associated link tag. An interface can have only one link tag.
- ClickOKto save the Ethernet interface.
- CommitandCommit and Pushyour configuration changes.
- (SD-WAN manual configuration only) Configure a Virtual SD-WAN Interface. Auto VPN configuration will perform this task if you are using Auto VPN.