10-13-2016 06:42 AM
Hello everyone,
One of my customers has the following specific requirement.
PA500 version 7.1.0
Inside Interface IP: 10.0.1.1/24
The firewall should act as a DHCP server and assign IP addresses from the following scopes, only via the inside interface.
Scope: LAN Devices
Range: 10.0.1.50-10.0.1.100 /24
Gateway: 10.0.1.254
Scope: WAN Devices
Range: 10.0.25.50-10.0.25.100/24
Gateway: 10.0.25.254
Scope: Voice Devices
Range: 10.0.30.50-10.0.30.100/24
Gateway: 10.0.30.254
So the questions are the following:
1. Is such a configuration at all possible? The inside interface IP Subnet is different from WAN and Voice Scope.
2. The inside interface on PA is connected to a trunk on a switch and all the traffic to PA is untagged. How can PA differentiate whether the incoming DHCP request is from LAN device, WLAN device or a Voice device?
Thanks and Regards,
R
10-13-2016 07:20 AM
I believe that the only way to do this properly would be to set up LAN, WAN, and VOICE interfaces on your PA500 and then set up DHCP for each interface; I believe that you can only have one DHCP scope on any particular interface.
PS. If they are running on 7.1.0 I would upgrade them to 7.1.5 and get the latest code; they have made a lot of bug fixes since 7.1.0.
10-13-2016 07:21 AM - edited 10-13-2016 07:23 AM
Or you could create subinterfaces and have a DHCP server configured there for each network.
10-13-2016 11:13 AM
Yeah, subinterfaces were my initial thought, but they want the inside interface to have only one IP. For each subinterface I would need one IP from the respective subnet, which is not possible 😞
10-14-2016 12:19 PM
How would the DHCP server possibly know which type of device was making the request in order to hand out the correct IP address?
Some DHCP servers have filters where you can use MAC address prefixes to do such things, but as far as I know, the Palo Alto DHCP server doesn't offer this.
10-17-2016 12:12 AM
You said: "The inside interface on PA is connected to a trunk on a switch and all the traffic to PA is untagged"
But a trunk always carries tagged traffic; otherwise the trunk can't work.
So DHCP requests should arrive with the correct VLAN tag and you can use subinterfaces. Actually, you must use subinterfaces in this scenario; otherwise only untagged (or VLAN 1) traffic will be received by the PA.
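Added example (not from this thread and not Palo Alto code): a small Python model of the point made above. It reads the 802.1Q header of the Ethernet frame carrying a DHCP request and selects the scope by VLAN ID, then hands out the first free address from that scope's range; an untagged frame yields no scope at all, which is exactly the situation with a single untagged inside interface. The VLAN IDs 10/20/30 and the MAC address are constructed assumptions; the scope ranges and gateways are the ones from the question.

```python
import ipaddress
import struct

# Scopes from the question, keyed by the VLAN ID the matching subinterface
# would be configured with (VLAN IDs are assumed for this example).
SCOPES = {
    10: ("LAN Devices",   "10.0.1.50",  "10.0.1.100",  "10.0.1.254"),
    20: ("WAN Devices",   "10.0.25.50", "10.0.25.100", "10.0.25.254"),
    30: ("Voice Devices", "10.0.30.50", "10.0.30.100", "10.0.30.254"),
}

def build_frame(vlan_id=None):
    """Construct a broadcast Ethernet frame for a DHCP request (payload stubbed)."""
    dst = b"\xff" * 6                         # DHCP Discover is broadcast
    src = bytes.fromhex("0011223344aa")       # constructed client MAC
    payload = b"\x01"                         # BOOTP op=BOOTREQUEST; rest not modelled
    if vlan_id is None:                        # untagged: EtherType IPv4 directly
        return dst + src + struct.pack("!H", 0x0800) + payload
    tci = vlan_id & 0x0FFF                     # PCP/DEI zero, VID in low 12 bits
    return dst + src + struct.pack("!HH", 0x8100, tci) + struct.pack("!H", 0x0800) + payload

def vlan_of(frame):
    """Return the 802.1Q VLAN ID, or None when the frame is untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x8100:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def offer(frame, leased):
    """Pick the scope by VLAN ID and return (scope, ip, gateway), or None.

    An untagged frame carries nothing the server can key on, so no scope is
    chosen; the DHCP payload itself (MAC aside) does not say which VLAN it
    came from, which is the thread's core point.
    """
    scope = SCOPES.get(vlan_of(frame))
    if scope is None:
        return None
    name, start, end, gateway = scope
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    for n in range(lo, hi + 1):
        ip = str(ipaddress.IPv4Address(n))
        if ip not in leased:
            return name, ip, gateway
    return None                                # scope exhausted
```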
10-21-2016 12:40 AM
This was exactly my argument with the customer. However, his typical response is: "Other firewall manufacturers are able to do that easily, why not Palo Alto?" 😞