
VLAN

Getting started with openconfig-vlan using the PAN-OS OpenConfig plugin.
The OpenConfig model behaves differently when managing Layer 2 and Layer 3 Ethernet interfaces and adding them to VLANs. For all VLAN settings:
  • All interfaces are considered trunk interfaces.
  • The model supports only trunk-vlans and native-vlans.
  • Untagged ethernet interfaces are supported through native-vlans.
  • Only single-tagged integer-based VLAN identifiers are supported.
  • To change the VLAN tag of a subinterface, use the interfaces/interface/subinterfaces/subinterface/vlan/match/single-tagged/config/vlan-id path.

Layer 2 VLAN Behavior

  • For each trunk VLAN that you assign to a switched VLAN, a VLAN will be created on PAN-OS and bound to that interface.
  • When you add an interface to a VLAN, the interface is created in Layer 2 mode, tagged, assigned to a VLAN, and added to a default_l2 security zone.

Layer 3 VLAN Behavior

  • To create a Layer 3 interface that supports the routed-vlan container, set the interface name to vlan.number, where the number after the period is the VLAN the interface is assigned to.
  • Interfaces of type l3ipvlan have a routed-vlan container that contains a single VLAN leaf-node used to link the logical layer 3 interface with the VLAN the interface routes to.

Adding Layer 2 Interfaces to a VLAN

The example below shows a gNMI call that adds ethernet1/6 to trunk VLANs 15 and 16 and sets VLAN 17 as the native VLAN for untagged Ethernet frames.
gnmic set -a 10.1.1.1:9339 -u username -p password --skip-verify \
  --replace-path '/interfaces/interface[name=ethernet1/6]/ethernet/switched-vlan' \
  --replace-file vlan1.json -e JSON_IETF --timeout 300s
Below are the contents of the JSON file (vlan1.json) used to add the interface to the VLANs.
{
  "trunk-vlans": [15, 16],
  "native-vlan": 17
}
The plugin returns the following response after a successful update:
{
  "timestamp": 1618446078899330350,
  "time": "2021-04-14T17:21:18.89933035-07:00",
  "results": [
    {
      "operation": "REPLACE",
      "path": "interfaces/interface[name=ethernet1/7]/ethernet/switched-vlan"
    }
  ]
}
PAN-OS automatically adds the interface to the specified VLANs, tags the interface, sets it to Layer 2 mode, and adds it to the default_l2 security zone.
The image below shows how the interfaces appear in the VLAN tab.
To add another interface to the same VLANs, send the same request for that interface. The example below adds ethernet1/7.
gnmic set -a 10.1.1.1:9339 -u username -p password --skip-verify --debug \
  --replace-path '/interfaces/interface[name=ethernet1/7]/ethernet/switched-vlan' \
  --replace-file vlan1.json -e JSON_IETF --timeout 300s
{
  "trunk-vlans": [15, 16],
  "native-vlan": 17
}
The image below shows that ethernet1/7 is added to the same native VLAN and trunk VLANs as ethernet1/6.

Adding a Routed VLAN Interface

The gNMI call below shows how you can create a routed VLAN interface and add it to VLAN 17.
gnmic set -a 10.1.1.1:9339 -u username -p password --skip-verify --debug \
  --update '/interfaces/interface[name=vlan.17]/routed-vlan/config/vlan:::int:::17' \
  -e JSON_IETF

Retrieving VLANs

Because the VLAN model augments the interface model, each of the VLANs appears when you make a get call to the /interfaces path. The snippet below shows that the only interface whose type is l3ipvlan is the routed VLAN interface.
{
  "config": {
    "description": "",
    "enabled": true,
    "loopback-mode": false,
    "name": "ethernet1/7",
    "tpid": "openconfig-vlan-types:TPID_0X8100",
    "type": "iana-if-type:ethernetCsmacd"
  },
  "openconfig-if-ethernet:ethernet": {
    "config": {
      "auto-negotiate": true,
      "port-speed": "openconfig-if-ethernet:SPEED_UNKNOWN"
    },
    "openconfig-vlan:switched-vlan": {
      "config": {
        "native-vlan": 17,
        "trunk-vlans": [ 15, 16 ]
      }
    }
  },
  "openconfig-interfaces:name": "ethernet1/7"
},
{
  "config": {
    "description": "",
    "enabled": true,
    "loopback-mode": false,
    "name": "vlan.17",
    "type": "iana-if-type:l3ipvlan"
  },
  "openconfig-interfaces:name": "vlan.17",
  "openconfig-vlan:routed-vlan": {
    "config": {
      "vlan": 17
    },
    "openconfig-if-ip:ipv4": {
      "config": {
        "dhcp-client": false,
        "mtu": 1500
      }
    },
    "openconfig-if-ip:ipv6": {
      "config": {
        "dup-addr-detect-transmits": 0,
        "enabled": false
      },
      "router-advertisement": {
        "config": {
          "interval": 600,
          "lifetime": 1800,
          "suppress": true
        }
      }
    }
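
Added example, not part of the original page or of the plugin: one way to confirm after a replace that the device holds the VLAN membership you intended is to compare the interface objects returned from /interfaces with an intended-state table. The function names, the INTENDED table and the trimmed SAMPLE data are constructed for illustration, and the input is assumed to be a list of interface objects shaped like the snippet above.

```python
import json

# Constructed sample: interface objects shaped like the snippet on this page,
# trimmed to the VLAN-relevant leaves and closed so that it parses.
SAMPLE = json.loads("""[
  {"config": {"name": "ethernet1/7", "type": "iana-if-type:ethernetCsmacd"},
   "openconfig-if-ethernet:ethernet": {"openconfig-vlan:switched-vlan":
     {"config": {"native-vlan": 17, "trunk-vlans": [15, 16]}}}},
  {"config": {"name": "vlan.17", "type": "iana-if-type:l3ipvlan"},
   "openconfig-vlan:routed-vlan": {"config": {"vlan": 17}}}
]""")

def vlan_membership(interfaces):
    """Map interface name -> trunk VLAN list, native VLAN and routed VLAN."""
    state = {}
    for intf in interfaces:
        switched = (intf.get("openconfig-if-ethernet:ethernet", {})
                        .get("openconfig-vlan:switched-vlan", {})
                        .get("config", {}))
        routed = intf.get("openconfig-vlan:routed-vlan", {}).get("config", {})
        state[intf["config"]["name"]] = {
            "trunk": sorted(switched.get("trunk-vlans", [])),
            "native": switched.get("native-vlan"),
            "routed": routed.get("vlan"),
        }
    return state

def drift(interfaces, intended):
    """List every difference between device state and the intended state."""
    actual, findings = vlan_membership(interfaces), []
    for name in sorted(set(actual) | set(intended)):
        have, want = actual.get(name), intended.get(name)
        if have is None or want is None:
            where = "on device" if have is None else "in intended state"
            findings.append(f"{name}: not present {where}")
            continue
        for key in ("trunk", "native", "routed"):
            expected = sorted(want[key]) if key == "trunk" else want[key]
            if have[key] != expected:
                findings.append(f"{name}: {key} is {have[key]}, expected {expected}")
        # Per the page, a routed VLAN interface is named vlan.<VLAN id>.
        if have["routed"] is not None and name != f"vlan.{have['routed']}":
            findings.append(f"{name}: name does not match routed VLAN {have['routed']}")
    return findings

INTENDED = {  # hypothetical intended state for the sample above
    "ethernet1/7": {"trunk": [15, 16], "native": 17, "routed": None},
    "vlan.17": {"trunk": [], "native": None, "routed": 17},
}
```

An empty list from drift(SAMPLE, INTENDED) means every interface carries exactly the trunk, native and routed VLANs you intended; any other result names the interface and the leaf that differs.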