https://live.paloaltonetworks.com/t5/general-topics/palo-alto-unable-to-route-traffic-into-lacp-trunked-subinterface/m-p/355009#M87504 <P>Hi Reaper,</P><P>since you created aggregates and are using all links for the same vlans, is there a specific reason you went for layer2 vs layer3?</P><P>BTC.pa : Yes, trying to keep the VRF-lite setup simpler and minimize hops vs. the layer 3 point to point.</P><P>&nbsp;</P><P>did you add a management profile to all the vlan interface (l3) zones with ping enabled?</P><P>BTC.pa : yes done.</P><P>&nbsp;</P><P>did you set up 'external' zones with visibility to each vsys, with routing entries to next VR and security policies from/to the 'external' zones ?</P><P>BTC.pa : Yes the external zones are able to pass traffic to one another.</P><P>&nbsp;</P><P>PS : I think I found the root cause of the problem to be route not established in the DMZ switch back.<BR />The global config has the "ip route vrf A 0.0.0.0 0.0.0.0 (AE.1x)"<BR />But this is not reflected in the "sh ip route vrf A"</P><P>Trying to resolve this. IP routing is enabled on the switch. Able to route within VRF.</P> Thu, 08 Oct 2020 03:52:42 GMT BTC.pa 2020-10-08T03:52:42Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-unable-to-route-traffic-into-lacp-trunked-subinterface/m-p/353890#M87371 <P>Hi,</P><P>I have an issue with routing traffic over to a new DMZ SW implementation. Hope someone can crack the nut.</P><P>Issue : Palo Alto unable to route traffic into LACP trunked sub-interface vlans in VRFs</P><P>1. Each switch VRF is a Zone on the PA.</P><P>2. All routes defined in respective VRs.</P><P>3. All VRFs default route is the respective vlan IP tagged at the subinterface of AE at firewall.</P><P>4. All objects created are shared between Vsys.</P><P>5. reason for vsys splitting is for easier visibility of rule-list based on zones functions.</P><P>&nbsp;</P><P>What the set up is <U><STRONG>able</STRONG> </U>to do now.</P><P>1. all vlans in AE.2 is able to ping the firewall and DMZ switch and vice versa</P><P>2. a client behind INT Firewall is able to ping/tracert all AE1.x and&nbsp; AE2.x interfaces</P><P>3. traffic is able to pass from vys1-2 and back</P><P>4. traffic withing VRFs are able to reach each other.</P><P>&nbsp;</P><P>What the set up is <EM><STRONG><U>unable</U> </STRONG></EM>to do now.</P><P>1. all vlans in AE.1 is unable to ping the firewall and DMZ switch and vice versa</P><P>2. a client behind INT Firewall is able to ping all vlan gateways on the DMZ switch</P><P>3. traffic from vlans from DMZ switch do not reach the firewall.</P><P>&nbsp;</P> Mon, 12 Oct 2020 08:25:14 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-unable-to-route-traffic-into-lacp-trunked-subinterface/m-p/353890#M87371 BTC.pa 2020-10-12T08:25:14Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-unable-to-route-traffic-into-lacp-trunked-subinterface/m-p/353920#M87376 <P>since you created aggregates and are using all links for the same vlans, is there a specific reason you wentfor layer2 vs layer3?</P><P>&nbsp;</P><P>&nbsp;</P><P>did you add a management profile to all the vlan interface (l3) zones with ping enabled?</P><P>&nbsp;</P><P>did you set up 'external' zones with visibility to each vsys, with routing entries to next VR and security policies from/to the 'external' zones ?</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 05 Oct 2020 11:23:41 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-unable-to-route-traffic-into-lacp-trunked-subinterface/m-p/353920#M87376 reaper 2020-10-05T11:23:41Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-unable-to-route-traffic-into-lacp-trunked-subinterface/m-p/355009#M87504 <P>Hi Reaper,</P><P>since you created aggregates and are using all links for the same vlans, is there a specific reason you went for layer2 vs layer3?</P><P>BTC.pa : Yes, trying to keep the VRF-lite setup simpler and minimize hops vs. the layer 3 point to point.</P><P>&nbsp;</P><P>did you add a management profile to all the vlan interface (l3) zones with ping enabled?</P><P>BTC.pa : yes done.</P><P>&nbsp;</P><P>did you set up 'external' zones with visibility to each vsys, with routing entries to next VR and security policies from/to the 'external' zones ?</P><P>BTC.pa : Yes the external zones are able to pass traffic to one another.</P><P>&nbsp;</P><P>PS : I think I found the root cause of the problem to be route not established in the DMZ switch back.<BR />The global config has the "ip route vrf A 0.0.0.0 0.0.0.0 (AE.1x)"<BR />But this is not reflected in the "sh ip route vrf A"</P><P>Trying to resolve this. IP routing is enabled on the switch. Able to route within VRF.</P> Thu, 08 Oct 2020 03:52:42 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-unable-to-route-traffic-into-lacp-trunked-subinterface/m-p/355009#M87504 BTC.pa 2020-10-08T03:52:42Z