10-11-2020 11:40 PM
Hi Team,
Seeking your advice or input on one of my recent setups.
I have created Palo Alto L3 sub-interfaces for three VLANs, and the firewall port has been connected to a Cisco L2 switch whose port is configured as a trunk.
After doing the above, I can see the switch on the firewall's connected interface, and the VLAN details appear in the MAC table.
However, no packets are being forwarded or reaching their destination.
Checking further at the firewall end, I still do not see any MAC details of the servers connected to those respective VLANs. I also took a server in the same VLAN and tried to reach the VLAN gateway, still without success.
I still have no clue what could be wrong here, and what would be advisable to fix it.
Thanks
Karthikeyan
10-12-2020 12:42 AM
I would recommend you check the points below:
1. Check the VLAN tagging defined on the firewall sub-interface. The VLAN tag should match on the firewall and switch side. Also, if the switch side is a plain trunk then that's OK, but if you have specific VLANs allowed then check whether the desired VLANs are allowed/passed through the trunk.
2. Make sure the proper access VLAN is mapped to the server which you are trying to bring into the network. Also see whether that VLAN is carried to the switch where your server is connected. The L2 VLAN should be available on the switches where you need connectivity for that VLAN segment.
3. Are you trying to check reachability by giving a static IP to the server? If it is on DHCP, check whether the proper IP, mask and default gateway are being configured on the server through DHCP. In case of static IP configuration, also verify these details.
4. How is the IP configured on the firewall L3 sub-interface? E.g. if one of the VLANs has the segment 192.168.10.0/24, make sure the IP on the sub-interface is configured with the proper subnet mask; here it should be /24, not /32. With /32, the firewall will not add a route for the complete network (the /24) to the routing table. And again, check the VLAN tag.
If you're good with all the above points, then you should see an ARP entry for the server IP in the firewall ARP table.
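As an added illustration of this checklist (not part of the reply above, and not PAN-OS code), the following Python snippet lints a constructed set of firewall sub-interfaces against the switch trunk's allowed VLANs and a server on each segment. The interface names, tags, addresses and the allowed-VLAN set are all assumed sample values; VLAN 10 reproduces the /32 mask that point 4 warns about.

```python
import ipaddress

# Constructed sample data modelled on the thread (assumed values, not from the page):
# three L3 sub-interfaces on the firewall trunk port and the Cisco trunk's allowed VLANs.
# ethernet1/1.10 carries the /32 mask from point 4; ethernet1/1.30 has a tag typo.
FIREWALL_SUBIFS = {
    "ethernet1/1.10": {"tag": 10, "ip": "192.168.10.1/32"},
    "ethernet1/1.20": {"tag": 20, "ip": "192.168.20.1/24"},
    "ethernet1/1.30": {"tag": 31, "ip": "192.168.30.1/24"},
}
SWITCH_TRUNK_ALLOWED_VLANS = {10, 20, 30}


def connected_route(ip_with_prefix):
    """Return the connected network the firewall would install for this address."""
    return ipaddress.ip_interface(ip_with_prefix).network


def check_subinterface(name, subif, allowed_vlans, server_ip):
    """Apply the checklist to one sub-interface and return a list of findings."""
    findings = []
    tag = subif["tag"]
    iface = ipaddress.ip_interface(subif["ip"])
    # Point 1: the tag must be one the switch actually passes on the trunk.
    if tag not in allowed_vlans:
        findings.append(f"{name}: VLAN {tag} is not allowed on the switch trunk")
    # Point 4: a /32 (or /128) is a host route only, so no connected route exists
    # for the segment and the firewall never ARPs for hosts on it.
    if iface.network.prefixlen == iface.max_prefixlen:
        findings.append(f"{name}: {iface} is a host route; no connected route for the segment")
    # The server address must fall inside the connected network to be reachable directly.
    if ipaddress.ip_address(server_ip) not in iface.network:
        findings.append(f"{name}: server {server_ip} is outside {iface.network}")
    return findings


def audit(subifs, allowed_vlans, servers):
    """servers maps sub-interface name -> IP of a server expected on that segment."""
    return {
        name: check_subinterface(name, subif, allowed_vlans, servers[name])
        for name, subif in subifs.items()
    }


if __name__ == "__main__":
    sample_servers = {
        "ethernet1/1.10": "192.168.10.50",
        "ethernet1/1.20": "192.168.20.50",
        "ethernet1/1.30": "192.168.30.50",
    }
    for subif, issues in audit(FIREWALL_SUBIFS, SWITCH_TRUNK_ALLOWED_VLANS, sample_servers).items():
        print(subif, "OK" if not issues else "; ".join(issues))
```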
10-13-2020 06:41 AM
Thanks for your quick advice and solution. I have validated your comments, and I see the firewall L3 interface was configured as /32. After changing it to /24, I could see the ARP entry and was able to reach the network.