08-01-2017 08:55 AM
I hope I'm in the correct forum and someone can help me. I suspect this is an easier problem than I'm making it out to be but here's the issue.
We used to have two physically segregated networks. Let's call them Network A and Network B. Each has statically assigned public IPs, dedicated gateways, etc. I recently moved both A and B to our new Palo Alto and segregated them via Production and Guest Zones so their interfaces pass Internet traffic only on the network segment to which they are assigned. For example: A -- Eth1/2 Private NAT to Eth1/1 Public WAN and B -- Eth1/9 Private NAT to Eth1/13 WAN Public. It's a pretty simple and straightforward config and there are no rules in place that allow the interfaces of network A and B to talk to one another. Both networks are within a block of assigned IPs from our ISP with the following mask bits.
Network A = x.x.x.18/28 (x.x.x.17 through x.x.x.30) Eth1/1
Network B = x.x.x.91/29 (x.x.x.89 through x.x.x.94) Eth1/13
As you can see, there is no way either of these networks can cross paths. However, I'm getting numerous IP conflicts on Eth1/1 that every publicly assigned IP within my /29 network is conflicting with an IP from destination Eth1/13.
log:
Received conflicting ARP on Interface ethernet1/1 indicating duplicate IP x.x.x.21, sender mac 00:1b:..... (eth1/13 mac)
and it repeats for every used IP from x.x.x.19 through 30 from the "A" network.
I know I've got something whacked up in my configs somewhere but I can't seem to locate this animal. NAT rule looks right. I come from a Sonicwall background so I'm pretty new to PA so I'm thinking I missed something somewhere. Any input would be helpful.
08-01-2017 09:09 AM
There are two issues going on right now:
* Layer 2 Issue
* Layer 3 Issue
Your design should be fine. The networks do not overlap or conflict with each other. I'm going to throw out a fictitious subnet to talk through the issue further
= = = = = = = = = = = = = = = = = =
Eth1/1 IP: 10.0.0.18/28
Mask: /28 = 255.255.255.240
Subnet IP: 10.0.0.16
Broadcast IP: 10.0.0.31
= = = = = = = = = = = = = = = = = =
Eth1/13 IP: 10.0.0.91/29
Mask: /28 = 255.255.255.248
Subnet IP: 10.0.0.88
Broadcast IP: 10.0.0.95
= = = = = = = = = = = = = = = = = =
Layer 3 Issue:
These two IP ranges do not overlap as one goes from .16 to .31 and the next from .88 to .95. They cannot have an overlap of IP addresses. This is the Layer 3 issue. I suspect your subnet mask is wrong on one or both of the interfaces. That is the only way they can have an overlapping range of addresses (if you have the proper IP on each interface). The other possibility is that you don't have .91 on eth1/13 and it has an incorrect IP in the original range.
Layer 2 Issue:
I suspect you have both interfaces Eth1/1 and Eth1/13 connected to the same switch. If you do, they should be in two different VLANs (Virtual LANs). If your switch does not have a management address (unmanaged) you won't be able to set up multiple VLANs and are "multi-netting" the setup (running two mismatched networks on the same VLAN). This "could" work but is not a good idea or best practice from any switching vendor. Separating the networks into their own VLAN, or connecting the interfaces to separate switches if VLANing is not possible, will keep the interfaces from talking to each other. Traffic from Eth1/1 should never be able to communicate to Eth1/13 directly as they should be on separate networks.
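Added example (not from this thread or from Palo Alto Networks): a small Python check that does the layer 3 subnet math from the reply above and classifies duplicate-IP system log lines like the one quoted in the question, to separate an address/mask misconfiguration from two interfaces that share a layer 2 segment. The log line format is assumed from the single line in the question, and the interface MAC addresses are made up.

```python
import ipaddress
import re

# Constructed interface table mirroring the fictitious subnets in the reply above.
# Assumption: MAC addresses are invented for this example.
INTERFACES = {
    "ethernet1/1":  {"ip": "10.0.0.18/28", "mac": "00:1b:17:00:00:01"},
    "ethernet1/13": {"ip": "10.0.0.91/29", "mac": "00:1b:17:00:00:0d"},
}

# Assumed log shape, taken from the one line quoted in the question.
LOG_RE = re.compile(
    r"Received conflicting ARP on Interface (?P<iface>\S+) indicating duplicate IP "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+), sender mac (?P<mac>[0-9a-f:]{17})", re.I)

def describe(prefix):
    """Layer 3 summary (network, mask, broadcast) like the table in the reply."""
    net = ipaddress.ip_interface(prefix).network
    return str(net.network_address), str(net.netmask), str(net.broadcast_address)

def subnets_overlap(a, b):
    """Layer 3 check: do two interface prefixes share any address?"""
    return ipaddress.ip_interface(a).network.overlaps(ipaddress.ip_interface(b).network)

def classify(line, interfaces=INTERFACES):
    """Return a verdict dict for one duplicate-IP log line, or None if it doesn't match."""
    m = LOG_RE.search(line)
    if not m or m["iface"] not in interfaces:
        return None
    iface, ip, mac = m["iface"], ipaddress.ip_address(m["ip"]), m["mac"].lower()
    net = ipaddress.ip_interface(interfaces[iface]["ip"]).network
    # Which of our own interfaces owns the sending MAC, if any?
    sender = next((n for n, c in interfaces.items() if c["mac"] == mac), None)
    result = {"iface": iface, "ip": str(ip), "sender": sender}
    if ip not in net:
        # The firewall claims an IP outside the interface's configured prefix:
        # check the address or mask on that interface first.
        result["verdict"] = "l3-misconfig"
    elif sender and not subnets_overlap(interfaces[iface]["ip"], interfaces[sender]["ip"]):
        # The IP is valid here and the sender is a sibling interface whose prefix does
        # not overlap: the ARP can only have arrived over a shared L2 segment (VLAN).
        result["verdict"] = "l2-shared-segment"
    else:
        result["verdict"] = "external-duplicate"
    return result
```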
08-02-2017 06:38 AM
Thank you for the quick reply d.anderson.
I've re-confirmed its not a layer 3 issue. IPs are good, masks are good as well as GW. For now, I want to put a checkmark on that to-do.
Layer 2 solution makes the most sense for my particular setup. You are correct that both 1/13 and 1/1 WAN ports go back to a switch in our rack. However this switch is property of and managed by our ISP so I have no access to it. It serves as our demarc and serves out three different networks. The two I speak of (A and B) are the only two "close" in range so a misconfig of mask bits would easily cause an overlap although it's not on my end. Additionally, we have a Network C from the ISP switch too but it's a completely different network, subnet, set as DHCP, and causes no issue in the PA so this all makes sense. Expanding on your example of the fictitious networks, Network C would be like this, respectively:
= = = = = = = = = = = = = = = = = =
Eth1/1 IP: 10.10.10.18/28
Mask: /28 = 255.255.255.240
Subnet IP: 10.10.10.16
Broadcast IP: 10.10.10.31
= = = = = = = = = = = = = = = = = =
At this point, I'll contact my ISP for a resolution and let you know the final result. Thank you so much for taking the time to help me. I'll mark your post as the resolution once I've confirmed.
08-31-2017 06:44 AM
Thank you for your help!
My ISP was a bit slow on their response but it was in fact on their end and on their switch as d.anderson suggested.