802.1q trunking - how to troubleshoot?


L1 Bithead

Is there a PA equivalent to a Cisco command, "show interface trunk"? We have .1q trunks set up and working - I'm looking for information on troubleshooting them, when there's a problem.


L5 Sessionator

It depends on what kind of information you're trying to get. You can use the 'show interface ethernetx/y.z', which provides info on zone membership, vlan tag and counters.

If you want to see configuration of the subinterface, from the set-based CLI, you can run 'show network interface ethernet ethernetx/y layer3 units ethernetx/y.z'.

I'm looking for something like this (off a Cisco switch):

show interface trunk

Port        Mode    Encapsulation  Status     Native vlan
Gi1/0/27    on      802.1q         trunking   40

Port        Vlans allowed on trunk
Gi1/0/27    5,15,40,176

Port        Vlans allowed and active in management domain
Gi1/0/27    5,15,40,176

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/27    5,15,40,176

 

The commands you suggested seem to provide layer 1 & 2 interface information - counters, errors, etc.

Hi @brannentaylor

 

What information are you actually wanting to obtain? The only real useful information on your snippet is what VLANs are tagged on each port. Since the PA is not a switch, we do not do this; we only specify one 802.1Q tag value per subinterface.

 

The equivalent command would be:

> show interface logical

 

Which would show you the tag. Otherwise, if you could be specific about any troubleshooting you'd like to do, we can help you there. For example, looking at the global counters for a specific traffic flow is always a good place to start.

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-check-global-counters-for-a-specific...

 

Thanks,

Luke.

We have a sort of complicated topology - our PA's are in the middle doing core routing.  On the north side, out the AE2, we have 3 vlans - one is transit/internal/trusted, one is outside untrusted to the internet edge router, and another is guest to a guest router.

 

On the inside, we have ten gig int's bringing in about 10 vlans, so that there are vlan subinterfaces on the PA - so that all vlans/subnets in our site go through the PA - north/south, and east/west.

We had a power situation (long story) - where we had multiple failures.  As we were troubleshooting multiple systems, we were troubleshooting from layers 1 up to 3 - so we're using lldp confirming links, replacing cables, moving to other interfaces, looking at mac tables, arp tables, checking vlan membership, etc.  Pretty intensive layer 1-3 troubleshooting.

 

So, my question goes to - if I want to look at the Palo's and confirm vlans are coming in/out as expected, trunks are up as expected, etc. .... like I can on Cisco ... how to do that on PA.  Everything I could find through googling was how to configure.  Not how to troubleshoot.

 

Thanks.

As Luke said, the PA isn't acting as a switch so you won't be having the same information regarding vlans allowed or pruned. You'll need to look at that from the other side, from the switches connected to the PA. 

For example, if you were to replace the PA with a Cisco router, you wouldn't have the 'sh int trunk' either. You would just have to look through each sub-interface for the info that's available. 

You can view arp information by interface with 'sh arp ethernetx/y.z'.  

If you really want to get into how traffic is ingressing and egressing, you could also run packet captures on each subinterface to determine what's happening.
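The switch-side check suggested in the replies above, as an added example that is not part of the original posts: it parses the 'show interface trunk' output quoted in the thread and compares it with the 802.1Q tags the firewall subinterfaces expect. The expected_tags set is an assumption (entered by hand from the firewall configuration), and tag 200 in the usage is constructed to show a miss.

```python
import re

# Constructed sample: the switch output quoted earlier in the thread.
SAMPLE = """\
Port        Mode    Encapsulation  Status     Native vlan
Gi1/0/27    on      802.1q         trunking   40

Port        Vlans allowed on trunk
Gi1/0/27    5,15,40,176

Port        Vlans allowed and active in management domain
Gi1/0/27    5,15,40,176

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/27    5,15,40,176
"""

def expand(vlans):
    """Expand '5,15,40-42' into {5, 15, 40, 41, 42}; 'none' gives an empty set."""
    out = set()
    for part in re.split(r"\s*,\s*", vlans.strip()):
        if part.lower() in ("", "none"):
            continue
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_trunk(text):
    """Return {port: {'native': int, 'allowed': set, 'active': set, 'forwarding': set}}."""
    ports, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):
            low = line.lower()
            section = ("native" if "native" in low else "forwarding" if "spanning" in low
                       else "active" if "active" in low else "allowed")
        elif line.strip() and section:
            fields = line.split()
            entry = ports.setdefault(fields[0], {})
            entry[section] = int(fields[-1]) if section == "native" else expand(fields[-1])
    return ports

def check(trunk, expected_tags):
    """List problems for each subinterface tag the firewall expects on this trunk."""
    problems = []
    for tag in sorted(expected_tags):
        if tag not in trunk["forwarding"]:
            problems.append(f"vlan {tag}: not forwarding on trunk")
        if tag == trunk["native"]:
            problems.append(f"vlan {tag}: native vlan, sent untagged by default")
    return problems
```

Calling check(parse_trunk(SAMPLE)["Gi1/0/27"], {5, 15, 40, 176, 200}) reports VLAN 40 (the native VLAN on this trunk, so a subinterface tagged 40 would not see tagged frames) and VLAN 200 (not carried on the trunk).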
