L3 Subinterface Traffic's Not Passing

L0 Member

L3 Subinterface Traffic's Not Passing

Hi Team,

Seeking your advice or input on one of my recent setups.

I have created Palo Alto L3 subinterfaces for three VLANs, and the firewall port is connected to a Cisco L2 switch whose port is configured as a trunk.

After doing the above, I can see the switch on the firewall's connected interface, and the VLAN details appear in the MAC table.

However, no packets are being forwarded or reaching their destination.

Checking further at the firewall end, I still do not see any of the MAC details of the servers connected to those VLANs. I also took a server in the same VLAN and tried to reach the VLAN gateway, still without success.

I still have no clue what could be wrong here, or what would be advisable to fix it.

Thanks

Karthikeyan


Accepted Solutions
L6 Presenter

@Karthikeyan.M8,

I would recommend that you check the points below:

1. Check the VLAN tagging defined on the firewall sub-interface. The VLAN tag should match on the firewall and switch sides. If the switch side is a plain trunk, that is fine, but if only specific VLANs are allowed on the trunk, check that the desired VLANs are allowed/passed through it.

2. Make sure the proper access VLAN is mapped to the server you are trying to bring onto the network. Also check that the VLAN is carried all the way to the switch where your server is connected; the L2 VLAN should exist on every switch where you need connectivity for that VLAN segment.

3. Are you checking reachability by giving a static IP to the server? If it is on DHCP, check that the proper IP, mask and default gateway are being configured on the server through DHCP. In the case of static IP configuration, verify these details as well.

4. How is the IP configured on the firewall L3 sub-interface? E.g., if one of the VLANs has the segment 192.168.10.0/24, make sure the IP on the sub-interface is configured with the proper subnet mask; here it should be /24, not /32. With /32, the firewall will not add a route for the complete network (the /24) to the routing table. And again, check the VLAN tag.

If you are good with all of the above points, you should see an ARP entry for the server IP in the firewall ARP table.

Mayur

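The four checks in the accepted answer can be run mechanically against an inventory of the subinterfaces, the trunk and the server ports. The script below is an added example and is not code from the thread or from Palo Alto Networks or Cisco; it does not parse PAN-OS or IOS configuration syntax. The interface names, VLAN IDs and addresses are constructed sample data, chosen so that each of the four failure modes (a tag not allowed on the trunk, a /32 host route on the subinterface, a server whose VLAN has no L3 subinterface, and a server pointed at the wrong gateway) shows up once.

```python
"""Offline checker for the subinterface/trunk/server checklist (added example).
Sample data below is constructed; names and addresses are assumptions."""
import ipaddress

# Constructed sample: the firewall's L3 subinterfaces (name, 802.1Q tag, IP/prefix).
FIREWALL_SUBINTERFACES = [
    {"name": "ethernet1/3.10", "tag": 10, "ip": "192.168.10.1/24"},
    {"name": "ethernet1/3.20", "tag": 20, "ip": "192.168.20.1/32"},   # wrong mask (point 4)
    {"name": "ethernet1/3.30", "tag": 31, "ip": "192.168.30.1/24"},   # tag typo (point 1)
]

# Constructed sample: VLANs allowed on the switch trunk facing the firewall.
TRUNK_ALLOWED_VLANS = {10, 20, 30}

# Constructed sample: servers on switch access ports (points 2 and 3).
SERVERS = [
    {"host": "srv-a", "access_vlan": 10, "ip": "192.168.10.50/24", "gateway": "192.168.10.1"},
    {"host": "srv-b", "access_vlan": 20, "ip": "192.168.20.50/24", "gateway": "192.168.20.254"},  # wrong gateway
    {"host": "srv-c", "access_vlan": 30, "ip": "192.168.30.50/24", "gateway": "192.168.30.1"},    # VLAN 30 has no subif
]


def check_subinterfaces(subifs, trunk_vlans):
    """Points 1 and 4: every subinterface tag must be carried on the trunk, and the
    prefix must describe the whole segment. A /32 installs only a host route, so the
    firewall never treats the VLAN as directly connected and never ARPs for its hosts."""
    findings = []
    for s in subifs:
        iface = ipaddress.ip_interface(s["ip"])
        if s["tag"] not in trunk_vlans:
            findings.append((s["name"], f"tag {s['tag']} is not allowed on the trunk"))
        if iface.network.prefixlen == iface.max_prefixlen:
            findings.append((s["name"], f"{s['ip']} is a host route; use the segment mask"))
    return findings


def check_servers(servers, subifs):
    """Points 2 and 3: the server's access VLAN must map to a firewall subinterface,
    and its default gateway must be that subinterface's address inside the server's
    own subnet (static or DHCP-assigned makes no difference to the check)."""
    by_tag = {s["tag"]: ipaddress.ip_interface(s["ip"]) for s in subifs}
    findings = []
    for srv in servers:
        host = ipaddress.ip_interface(srv["ip"])
        gw = ipaddress.ip_address(srv["gateway"])
        fw = by_tag.get(srv["access_vlan"])
        if fw is None:
            findings.append((srv["host"], f"VLAN {srv['access_vlan']} has no L3 subinterface"))
            continue
        if gw not in host.network:
            findings.append((srv["host"], f"gateway {gw} is outside {host.network}"))
        elif gw != fw.ip:
            findings.append((srv["host"], f"gateway {gw} is not the firewall address {fw.ip}"))
    return findings


def run_checks():
    """Return all findings as (object, problem) tuples, firewall side first."""
    return (check_subinterfaces(FIREWALL_SUBINTERFACES, TRUNK_ALLOWED_VLANS)
            + check_servers(SERVERS, FIREWALL_SUBINTERFACES))


if __name__ == "__main__":
    for name, problem in run_checks():
        print(f"{name}: {problem}")
```

Run as-is it reports four findings: the /32 on ethernet1/3.20, tag 31 missing from the trunk, srv-b's gateway not being the firewall address, and srv-c sitting in a VLAN with no subinterface. To use it on a real deployment, replace the three constructed tables with values read from the firewall and switch; the mask check is the one that resolved this thread.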
All Replies
L0 Member

@SutareMayur

Thanks for your quick advice and solution. I have validated your comments, and I saw that the firewall L3 interface was configured as /32. After changing it to /24, I could see the ARP entry and was able to reach the network.
