https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119482#M45799 <P>You said: "<SPAN>The inside interface on PA is connected to a trunk on a switch and all the traffic to PA is untagged</SPAN>"</P><P>But trunk always has tagged traffic. Otherwise trunk can't work.</P><P>&nbsp;</P><P>So DHCP requests should arrive with correct VLAN tag and you can use subinterfaces. Actually you must use subinterfaces in this scenario otherwise only untagged (or vlan 1) traffic will be receieved by PA.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 17 Oct 2016 07:12:07 GMT santonic 2016-10-17T07:12:07Z https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119081#M45739 <P>Hello everyone,</P><P>&nbsp;</P><P>one of my customer has the following specific requirement.</P><P>&nbsp;</P><P>PA500 version 7.1.0</P><P>Inside Interface IP: 10.0.1.1/24</P><P>&nbsp;</P><P>Firewall should act as DHCP Server and assign IP Addresses in the following Scopes only via inside interface.</P><P>&nbsp;</P><P>Scope: LAN Devices</P><P>Range: 10.0.1.50-10.0.1.100 /24</P><P>Gateway: 10.0.1.254</P><P>&nbsp;</P><P>Scope: WAN Devices</P><P>Range: 10.0.25.50-10.0.25.100/24</P><P>Gateway: 10.0.25.254</P><P>&nbsp;</P><P>Scope: Voice&nbsp;Devices</P><P>Range: 10.0.30.50-10.0.30.100/24</P><P>Gateway: 10.0.30.254</P><P>&nbsp;</P><P>So the questions are following:</P><P>&nbsp;</P><P>1. &nbsp;Is such a configuration at all possible? The inside interface IP Subnet is different from WAN and Voice Scope.</P><P>&nbsp;</P><P>2. The inside interface on PA is connected to a trunk on a switch and all the traffic to PA is untagged. How can PA differentiate whether the incoming DHCP request is from LAN device, WLAN device or a Voice device?</P><P>&nbsp;</P><P>Thanks and Regards,</P><P>R</P> Thu, 13 Oct 2016 13:42:16 GMT https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119081#M45739 rjdahav163 2016-10-13T13:42:16Z https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119083#M45741 <P>I believe that the only way to do this properly would be to setup LAN,WAN, and VOICE interfaces on your PA500 and then setup the DHCP for the interface, I believe that you can only have one DHCP scope on any particular interface.&nbsp;</P><P>&nbsp;</P><P>PS. If they are running on 7.1.0 I would upgrade them to 7.1.5 and get the latest code; they have made a lot of bug fixes since 7.1.0.&nbsp;</P> Thu, 13 Oct 2016 14:20:14 GMT https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119083#M45741 BPry 2016-10-13T14:20:14Z https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119084#M45742 <P>Or you could&nbsp;create a subinterfaces and have a DHCP server configured there for each&nbsp;network</P> Thu, 13 Oct 2016 14:23:20 GMT https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119084#M45742 TranceforLife 2016-10-13T14:23:20Z https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119102#M45753 <P>Yeah subinterfaces was my initial thought, but they want that the inside interface has only one IP. For each subinterface I would need one IP from respective subnet each which is not possible <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P>&nbsp;</P> Thu, 13 Oct 2016 18:13:49 GMT https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119102#M45753 rjdahav163 2016-10-13T18:13:49Z https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119160#M45785 <P>How would the DHCP server possibly know which type of device was making the request in order to hand out the correct IP address?</P><P>&nbsp;</P><P>Some DHCP servers have filters where you can use MAC address prefixes to do such things, but as far as I know, the Palo Alto DHCP server doesn't offer this.</P> Fri, 14 Oct 2016 19:19:37 GMT https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119160#M45785 Ken_Cornetet 2016-10-14T19:19:37Z https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119482#M45799 <P>You said: "<SPAN>The inside interface on PA is connected to a trunk on a switch and all the traffic to PA is untagged</SPAN>"</P><P>But trunk always has tagged traffic. Otherwise trunk can't work.</P><P>&nbsp;</P><P>So DHCP requests should arrive with correct VLAN tag and you can use subinterfaces. Actually you must use subinterfaces in this scenario otherwise only untagged (or vlan 1) traffic will be receieved by PA.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 17 Oct 2016 07:12:07 GMT https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/119482#M45799 santonic 2016-10-17T07:12:07Z https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/120387#M45905 <P>This was exactly my argument with the customer. However his typical response is - "Other Firewall manufacturers are able to do that easily why not Palo Alto". <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Fri, 21 Oct 2016 07:40:47 GMT https://live.paloaltonetworks.com/t5/general-topics/different-dhcp-subnets-on-same-interface/m-p/120387#M45905 rjdahav163 2016-10-21T07:40:47Z