topic Re: Routing Issues with Layer 3 Deployment in General Topics

Routing Issues with Layer 3 Deployment

devere — Thu, 10 Mar 2011 21:36:47 GMT

Hello all,

I'm having issues with internet access on different subnets. I have attached a diagram on my network. The Server VLAN has Internet access but the rest somehow are not managing, I'm seeing the traffic in the logs but nothing seems to be working.

I have tried various settings but somehow I'm missing it. Does anyone have any thoughts?

Re: Routing Issues with Layer 3 Deployment

rapoint_person — Fri, 11 Mar 2011 10:55:17 GMT

Are you terminating each VLAN on the Palo Alto box (having the gw address on the Palo) or do you have a link-network between the Palo "internal" interface and the switch.

Re: Routing Issues with Layer 3 Deployment

devere — Fri, 11 Mar 2011 11:03:38 GMT

The Palo Alto is connection on port 36 on the Layer 3 Switch, that port is on the VLAN 100.

Basically all the users have their gateway to the Layer 3 switch. The Layer 3 switch then forward all requests to 192.168.200.254 which is the interface of the Palo Alto.

Only users on the VLAN100 are managing to access the internet which is on the same subnet of the PA

I used to manage on my old firewall through some rules (these were done by some company).

Hope I made myself clear. Cheers

Re: Routing Issues with Layer 3 Deployment

rapoint_person — Fri, 11 Mar 2011 12:03:37 GMT

OK, great. So what do you see in the log-files from the networks that doesn't work? Possible to post an output from the log?

I take it you have checked your routing and it's correct?

A Palo route Example:

Route_internal 192.168.203.0/24 gateway 192.168.200.1 (.1 beeing the Switch)

Re: Routing Issues with Layer 3 Deployment

camkim_MDEA — Fri, 11 Mar 2011 17:44:10 GMT

There could be a couple reasons for this, depending on how your PAN is setup.

(these are not necessarily in any order)

1) Do you have the appropriate user subnets listed in the correct security zones?

2) Are the correct security zones applied to the correct interfaces?

3) Do you have multiple virtual routers or just one?

4) If only one virtual router, you should have the static routes defining each of the user vlans AND have the gateway of those networks point to the L3 switch.

5) NAT rules?

The way I built our PAN config is similiar to our checkpoint configs. We start out with creating network objects of all the networks that we support. Then create logical groups with those networks. Then apply the groups to the right security zones. Use the logical groups for NAT rules as well.

Re: Routing Issues with Layer 3 Deployment

dagibbs — Tue, 15 Mar 2011 22:46:11 GMT

devere wrote:

The Palo Alto is connection on port 36 on the Layer 3 Switch, that port is on the VLAN 100.

Basically all the users have their gateway to the Layer 3 switch. The Layer 3 switch then forward all requests to 192.168.200.254 which is the interface of the Palo Alto.

Only users on the VLAN100 are managing to access the internet which is on the same subnet of the PA

I used to manage on my old firewall through some rules (these were done by some company).

Hope I made myself clear. Cheers

Do you actually have a route in the Palo Alto to get point traffic back into the network via VLAN100?

The PA won't need a route to VLAN100 - because it's a directly connected network, the PA will just "know' how to get to devices in this network. However, if you don;t have a VR setup on the PAN telling it how to get traffic back tot he other VLAN's - for example, route 192.168.201.0/24 via 192.168.200.1.

The configuration should look something like this

virtual-router {
          router-1 {
            interface [ ethernet1/1 ethernet1/2];
            routing-table {
              ip {
                static-route {
                  servers {
                    destination 192.168.200.0/24;
                    interface ethernet1/1;
                    nexthop {
                      ip-address 192.168.200.1;
                    }
                  }
                  level1 {
                    destination 192.168.201.0/24;
                    interface ethernet1/1;
                    nexthop {
                      ip-address 192.168.200.1;
                    }
                  }

From the GUI, you should have something similar to the graphic attached - a route in the PA sending everything for the other subnets tot he "router" (layer 3) IP address for VLAN 100.

Cheers.

Re: Routing Issues with Layer 3 Deployment

devere — Fri, 25 Mar 2011 08:12:39 GMT

after much aggrevation the problem was the layer 3 switch. it developed some fault where it couldn't correctly route to the PA on different VLANS.

On a side note would it be ideal/practical to use the PA as my layer 3 device also?

Re: Routing Issues with Layer 3 Deployment

dagibbs — Sun, 27 Mar 2011 22:03:30 GMT

devere wrote:

after much aggrevation the problem was the layer 3 switch. it developed some fault where it couldn't correctly route to the PA on different VLANS.

On a side note would it be ideal/practical to use the PA as my layer 3 device also?

I wouldn't call it either - the PA is already doing a lot of work - firewall, web filter, virus checking, threat detection and filtering - adding layer 3 for your entire network, while possible, would not be the greatest idea.

Having said that, you *could* do it - I just don't know if it'd be the smartest idea, not knowing which model PA you have.

Cheers.