This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Layer 3 Sub-Interface Question

cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Layer 3 Sub-Interface Question

ITSMC24
L1 Bithead

‎01-20-2025 02:25 PM

All,

  I have recently set up a test lab with a PA440. In the lab I have created a WAN and LAN zone from two different physical interfaces.

  In addition, I have created a sub-Interface from the physical ethernet port 1/3. This is what the ethernet port 1/3 looks like:

 

  Ethernet 1/3 (Physical Port)

      - Sub-Interface Eth1/3.25 ~ L3 (IP = 10.10.25.1/24)

      - Sub-Interface Eth1/3.35 ~ L3 (IP = 10.10.35.1/24)

      - Sub-Interface Eth1/3.55 ~ L3 (IP = 10.10.55.1/24)

 

Each Sub_interface has its own zone and mgmt profile with the service to ping. Each interface has a tag of its interface number. 

I have taken a laptop and assigned it to Ip address: {10.10.25.55/24 with gateway 10.10.25.1} and connected directly to Port1/3.

I have another latop on another port that does not have an sub-interface, just the physcial (Eth1/6) port with IP = 12.12.12.124.

 

My issue is that I can ping my gateway (12.12.12.1) on my laptop (12.12.12.12) from a Physcial interface (Eth1/6). From the same laptop I can ping all the IP's gateways from each sub-interface {10.10.25.1, 10.10.35.1, 10.10.55.1} but I cannot reach any device behind those IP's. I have no switch, just testing connection from one laptop to another each, directly connected to its ports. The laptop that is connected to the eth1/3 port cannot ping any none of its own sub-Interface IP's nor the eth1/6 IP address.  

 

 Not sure what I am missing?

0 Likes Likes
1 REPLY 1

OtakarKlier
Cyber Elite
Cyber Elite

‎01-22-2025 01:52 PM

Hello,

Check the unified logs to see if/where the traffic is getting blocked. Since you have the different IP's in different zones, you'll need security policies. I prefer to make my physical interfaces layer 2 and have a layer 3 vlan. This can be tricky for external interfaces however.

 

Regards,

0 Likes Likes
  • 360 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks