topic Re: Layer 3 switch behind Layer 3 PA-3020 interface in General Topics

Layer 3 switch behind Layer 3 PA-3020 interface

GCA — Wed, 03 Jun 2015 16:58:15 GMT

So I'm new to my PA-3020 and trying to get beyond my basic config has introduced a new problem for me.

I have a Layer 3 Cisco connected to my PA eth 1/2 via a routed interface on the switch. My traffic is all working fine now, but I want to make some changes.

All my vlans have IP addresses on my switch, and they route via the switch routing table to the LAN or on the PA. I want to have some of those vlans isolated from the LAN, so they can't route via the switch. I think I need to set up subinterfaces on my PA, but it has not been working.

I created a test vlan on my switch (100). No ip address, so it does not have a route in the switch. I set the vlan ip helper-address as the IP of the PA subinterface, so it should forward DHCP requests on that vlan to the subinterface IP on the PA. I created eth1/2.100 on my PA, gave it a dhcp relay for my dhcp servers on the LAN, made sure there is a route from the PA to the servers vlan on the LAN, created a Test Zone and Security Policy to allow DHCP between Test and Trust zones. I can ping through these zones and networks, but my DHCP requests are not making it out of my switch to the PA.

How should I accomplish what I want to do?

Thank you!

Steve

Re: Layer 3 switch behind Layer 3 PA-3020 interface

Raido_Rattameister — Thu, 04 Jun 2015 09:22:05 GMT

I would start with Monitor > Packet Capture to see if PA receives those DHCP requests from switch and offers from server.

Re: Layer 3 switch behind Layer 3 PA-3020 interface

pulukas — Sat, 06 Jun 2015 13:03:37 GMT

The subinterfaces on the PA will be 802.1Q tagged vlans to your switch. So you need to create the matching vlan tag on that trunk port for your Cisco and assign this same tag to your access port vlan on the switch.

Have a look at Case 1 on page 3 and following in this document.

Securing Inter VLAN Traffic

Re: Layer 3 switch behind Layer 3 PA-3020 interface

GCA — Mon, 08 Jun 2015 14:26:49 GMT

The problem was that my Cisco port was routed, not a switch trunk port. All vlan tags were being dropped in the routing.

Re: Layer 3 switch behind Layer 3 PA-3020 interface

pulukas — Mon, 08 Jun 2015 22:39:14 GMT

In order to use the sub interfaces you will need to configure the attached Cisco port into trunk mode.