Traffic showing from wrong zone


Traffic showing from wrong zone

L2 Linker

Hello all, I have a (hopefully) simple problem I can't seem to figure out.

I have recently created a new DMZ zone on my PA for guest users, but when a guest tries to access the internet, the traffic is showing as sourcing from the trust zone instead of the DMZ zone. A trace from the guest user makes it to the PA, then dies. I have the policy from DMZ to untrust configured, but it never hits it, it's always using the trust to untrust policy.

 

I have a feeling I am missing something easy...

 

Any help will be much appreciated!



L5 Sessionator

Is the subnet with the guest traffic assigned to an interface on the PA? Is that interface set with the guest zone?

In the traffic log, what rule is it hitting?

Thanks for the quick reply rmfalconer!

 

Yes, the subinterface on the PA has a 172.16.0.251/21 assigned to it. The subinterface is assigned to the DMZ zone.

Not sure if this matters, but the actual interface itself that the subinterfaces belong to is assigned to the trust zone.

 

In the traffic log, it's hitting a trust zone to untrust zone policy; it shows it's sourcing from the subinterface assigned to the trust zone rather than hitting the DMZ to untrust policy.

Is the switchport connected to the PA a dot1q tagging interface?

Do you have the tag definition set correctly on the PA subinterface?

What is the IP/mask of the actual interface?

The actual interface doesn't have an IP address assigned; the subinterface for the guest users has an IP of 172.16.0.251/21.

Yep, the switchport is configured and tagged correctly, and the tagging is set on the PA as well.

 

From a guest laptop, my trace hits the gateway (172.16.0.250) IP assigned to my gateway router, then the next hop is the 10.x.x.x trust IP on the PA.

From the PA, I can ping my guest laptop sourcing from the DMZ subinterface.

Just trying to get a picture for the traffic flow. 

How is the routing set on your gateway? Is there a default that points to the trust interface of the PA?

Is 172.16.0.250 a subinterface on the gateway router or a separate physical interface? Does this interface connect to the same switch where the PA connects?

 

Would the flow look something like this:

Client--[guest vlan]-->Switch1--[dot1q]-->Gateway--[dot1q]-->Switch1--[dot1q]-->PA

 

 

You are right, I have a layer 3 Brocade switch as my gateway router; its default route is pointing to the trust subinterface on the PA.

The 172.16.0.250 is the IP of the VE on the gateway router.

 

Your flow looks correct, so the guest laptop on vlan 172 hits the ve172 on the gateway router, then takes the default route to the PA.

Once the traffic hits that L3 boundary and routes with the default, it will lose the vlan tagging info so it won't get to the correct subinterface on the PA.

I think the easiest solution to this is to move the gateway for the guest vlan off the router and onto the PA. The PA can provide DHCP so the guest network would be self-contained, with the PA controlling all access.

Another option that might work is to move the guest vlan to a separate vrf on the router and control the next hop through the separate routing table.
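To make the mechanism in the accepted answer concrete, here is an added Python model (not code from the thread or from Palo Alto Networks) of how the PA picks the ingress zone from the 802.1Q tag of the arriving frame, why routing through the Brocade gateway lands guest traffic on the trust subinterface, and a small check over constructed traffic-log lines that flags guest source addresses logged in the wrong zone. The trust VLAN tag (10), the 10.0.0.0/24 trust subnet, the interface and rule names and the log line format are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's setup: one trunk from the switch into the PA,
# two tagged subinterfaces, each bound to a zone. The trust tag and subnet are assumed.
SUBINTERFACES = {
    "ethernet1/1.10":  {"tag": 10,  "zone": "trust", "subnet": ip_network("10.0.0.0/24")},
    "ethernet1/1.172": {"tag": 172, "zone": "DMZ",   "subnet": ip_network("172.16.0.0/21")},
}
GUEST_SUBNET = SUBINTERFACES["ethernet1/1.172"]["subnet"]
# Zone-pair security policies in evaluation order (rule names are constructed).
POLICIES = [("DMZ", "untrust", "guest-out"), ("trust", "untrust", "trust-out")]

def ingress_zone(vlan_tag):
    """The zone is decided by the subinterface whose 802.1Q tag matches the frame."""
    for name, sub in SUBINTERFACES.items():
        if sub["tag"] == vlan_tag:
            return name, sub["zone"]
    raise ValueError(f"no subinterface configured for VLAN {vlan_tag}")

def match_policy(from_zone, to_zone="untrust"):
    """First-match lookup on the (from-zone, to-zone) pair, as a zone-based firewall does."""
    for fz, tz, rule in POLICIES:
        if (fz, tz) == (from_zone, to_zone):
            return rule
    return "deny-default"

def classify(vlan_tag):
    """Return (ingress interface, zone, rule) for a frame arriving with this tag."""
    iface, zone = ingress_zone(vlan_tag)
    return iface, zone, match_policy(zone)

def via_router_gateway(trust_tag=10):
    # Guest hits the router's VE; the router strips the guest tag when it routes
    # and re-sends the packet on its default-route VLAN, so the PA sees the trust tag.
    return classify(trust_tag)

def via_pa_gateway():
    # Gateway moved onto the PA: the host's frame keeps its guest tag end to end.
    return classify(SUBINTERFACES["ethernet1/1.172"]["tag"])

def audit_traffic_log(lines):
    """Flag entries whose source is a guest address but whose from-zone is not DMZ."""
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if ip_address(fields["src"]) in GUEST_SUBNET and fields["from_zone"] != "DMZ":
            findings.append((fields["src"], fields["from_zone"], fields["rule"]))
    return findings
```

Running `audit_traffic_log` over an export of the trust-to-untrust hits is a quick way to confirm the symptom before and after moving the gateway.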

 

Thanks for the info rmfalconer! I moved the gateway up to the PA and all is working well now.
