Hello to everyone,
recently I installed a new VM100 on ESXi 5.0 infrastructure, but during initial configuration I noticed that L3 subinterfaces cannot forward any traffic, even though I configured a virtual router and a policy with a permit all-any statement between the two subinterfaces (zones). On the VMware side, on the distributed switch, I created a trunk portgroup with 2 VLANs and mapped the third interface in the VM profile (ethernet 1/2 on VM100) to that port group. On VM100 I split eth1/2 as L3 into two subinterfaces and bound IP addresses, VLAN tags and the Vrouter to them. The MAC address for both subinterfaces is the same, inherited from the parent physical Eth1/2, and it is visible on both VLANs (MAC tables on external Cisco switches). An explicit policy was applied to forward any traffic between these two subinterfaces, but nothing is forwarded. From the CLI, the only thing I can see passing between the two subinterfaces is ping (#ping source (IP of one subint) host (IP of second subint)), but that is inside the routing engine.
If anyone has had a similar experience, please advise before I open a support case.
ie: you need to enable "promiscuous mode" on the portgroup/v-switch where firewall dataplane interfaces are connected. VMware has this disabled by default.
I have already done this (promiscuous mode > Accept), but even when I do that, the interfaces can't forward until I override the MAC addresses in the VM profile.
Get a list of all of the interfaces & MAC addresses from PAN-OS with the CLI command "show interfaces all". Then shut down the VM-Series firewall with "request shutdown system". Finally, edit the virtual machine guest and take the MAC addresses that were listed in PAN-OS and hard code those into the virtual machine. Instead of "Automatic", change it to "Manual" and use the PAN-OS provided MAC address.
Keep in mind that "Network adapter 1" is the management interface. So "Network adapter 2" should map to PAN-OS Ethernet1/1, and go from there.
There is something I did not understand here.
When I look from ESX, I see the Ethernet MAC is automatic; that is OK. And there are MACs inside the box.
When I turn on the VM and, from the CLI, run show interface all,
I see different MAC addresses, which start with 00:1b:17:xx:xx:xx.
Is there a way to change this MAC?
I also tried manual, but nothing changes; the same MAC always comes up.