Plan for Scaling when Your Firewall Serves DHCP
When your firewall serves DHCP, use these VLAN, addressing, and routing strategies so you can scale the solution. This section discusses scaling the solution for when the firewall provides DHCP services as described in Configure a Pre-PAN-OS 10.0 Firewall with a DHCP Server.
Align Numbers of VLAN Subinterfaces with Physical Interfaces
For consistency, align the VLAN subinterface numbers with the physical interface numbers they serve. For example, interface vlan.1 serves DHCP for the network attached to ethernet1/1. This allows you to associate them with each other faster and troubleshoot issues more easily later.
Conserve IP Addresses for VLAN Subinterfaces
When production IP address space is used for the VLAN interfaces, giving them IP addresses with 32-bit netmasks will conserve address space. You can use addresses from a single network (for example, 1.1.1.0/24) for all the VLAN interfaces. Because these interfaces exist solely to serve DHCP to a local network, the addresses assigned to the VLAN interfaces don’t need to be routable in the rest of the enterprise. Operationally, this means that the same network space and addresses can be used for VLAN interfaces on all firewalls in the enterprise.
Configure a Network Route to all VLAN Interfaces
When configuring this solution for multiple interfaces, the routing configuration changes slightly. On the default (production) virtual router, you can configure a network route to the VLAN interfaces instead of a collection of host routes. In the figure below, all of the VLAN interfaces have addresses that can be summarized using a 1.1.1.0/24 route.

On the DHCP virtual router, add network routes for each network for which a VLAN interface serves DHCP and set the default (production) virtual router as the next hop. Adding network rather than host routes for the DHCP relay agents allows the probe feature on the DHCP servers to function.
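The following Python planning script is an added example, not Palo Alto Networks code or configuration: it applies the three strategies above (vlan.N aligned with ethernetX/N, a /32 per VLAN interface taken from 1.1.1.0/24, a single summary route on the production virtual router and one network route per served network on the DHCP virtual router) and flags the mistakes that break them. The interface names and client networks are constructed sample values, the virtual-router names "default" and "DHCP" are assumptions, and the PAN-OS set-command syntax in render() is assumed and should be checked against your PAN-OS version.

```python
"""Plan VLAN-interface addressing and inter-VR routes for a firewall that serves DHCP.

Added example, not Palo Alto Networks code. Assumes VLAN interfaces draw /32s from
1.1.1.0/24 (as on the page), virtual routers named "default" and "DHCP", and an
assumed PAN-OS static-route set-command syntax in render()."""
import ipaddress
import re

VLAN_BLOCK = ipaddress.ip_network("1.1.1.0/24")  # reusable on every firewall; never routed upstream


def plan(served, production_vr="default", dhcp_vr="DHCP"):
    """served: {physical interface: client network it carries}, e.g. {"ethernet1/1": "10.10.1.0/24"}.
    Returns the VLAN-interface assignments and the static routes each virtual router needs."""
    vlan_ifaces, dhcp_routes = {}, []
    for phys, cidr in sorted(served.items()):
        net = ipaddress.ip_network(cidr)
        if net.overlaps(VLAN_BLOCK):
            raise ValueError(f"{cidr} overlaps the VLAN-interface block {VLAN_BLOCK}")
        m = re.fullmatch(r"ethernet\d+/(\d+)", phys)
        if not m:
            raise ValueError(f"unexpected interface name {phys}")
        n = int(m.group(1))
        # Align vlan.N with ethernetX/N and give it 1.1.1.N/32; a 32-bit netmask
        # means the whole block is consumed one address at a time.
        addr = VLAN_BLOCK.network_address + n
        if not VLAN_BLOCK.network_address < addr < VLAN_BLOCK.broadcast_address:
            raise ValueError(f"{phys}: 1.1.1.{n} is not a usable host address in {VLAN_BLOCK}")
        vlan_ifaces[f"vlan.{n}"] = {"serves": phys, "ip": f"{addr}/32", "network": cidr}
        # DHCP VR: a *network* route per served network (not a host route to the relay
        # agent), so the DHCP server can probe pool addresses before leasing them.
        dhcp_routes.append({"vr": dhcp_vr, "dest": str(net), "next_vr": production_vr})
    # Production VR: one summary route reaches every VLAN interface.
    prod_routes = [{"vr": production_vr, "dest": str(VLAN_BLOCK), "next_vr": dhcp_vr}]
    return {"vlan_interfaces": vlan_ifaces, "routes": prod_routes + dhcp_routes}


def render(route):
    """Assumed PAN-OS syntax for a static route whose next hop is another virtual router."""
    name = "to-" + route["dest"].replace("/", "_")
    return (f"set network virtual-router {route['vr']} routing-table ip static-route {name} "
            f"destination {route['dest']} nexthop next-vr {route['next_vr']}")


if __name__ == "__main__":
    # Constructed sample: two access networks, each behind its own physical interface.
    for r in plan({"ethernet1/1": "10.10.1.0/24", "ethernet1/2": "10.10.2.0/24"})["routes"]:
        print(render(r))
```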