10-19-2022 09:12 AM
I am trying to get Palo Alto VM series (10.2.3) to work with layer 3 sub interfaces on Hyper-V (2022).
I configured interface/subinterface from the documentation (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRkCAK)
I also tried it after removing the IP address 192.168.4.252/24.
I also tried setting the vSwitch to trunk mode on the Hyper-V host with
Set-VMNetworkAdaptervlan -VMName PA -VMNetworkAdapterName "PA-LAN-Switch" -Trunk -AllowedVlanIdList "1-7" -NativeVlanId 0
I can ping between VMs on VLAN 7 ... but I cannot ping the PA IP (192.168.7.252).
If I remove the subinterface and the vlan tagging in the Hyper-V Host I can ping 192.168.4.252.
Any help would be appreciated,
10-19-2022 01:49 PM
Here is how I have set this up in the past. However, I make my physical interfaces layer 2, trunk the VLANs, and then make layer 3 VLAN interfaces on the PAN. I feel this allows for more control and forces all traffic to pass through the PAN.
Then on the Hyper-V side make sure you tag the VLANs appropriately. When you create a VM, make sure you use static MACs and also have the VM tag the network packets. The interfaces are not pingable by default. You need to configure a management profile that allows pings, then attach it to the interface. You will also need security policies to allow the ping.
Hope this helps.
10-20-2022 03:49 AM - edited 10-20-2022 03:50 AM
Thank you for your advice.
I tried Layer 2 with
Set-VMNetworkAdapterVlan -VMName web01 -VMNetworkAdapterName web01-LAN-Switch -Access -VlanId 7
and still no luck.
I tried static MACs ... and even
sudo ip link add link eth2 name eth2.7 type vlan id 7
I created a ping management profile and added an any/any policy for ICMP/ping.
For some reason I can ping web01 from the Hyper-V host (when it is added to VLAN 7) but not the Palo Alto interface.
10-21-2022 07:34 AM
I would say the PAN config is correct. Might want to recheck the Hyper-V side:
If using a teamed interface make sure it's tagged:
Then on the VM settings:
Sorry, I can't find my notes from when I built everything. It was a long time ago.
Hope this helps.
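As an added example (not from anyone in this thread), the following PowerShell check verifies the Hyper-V side the reply above asks about: whether each VM adapter can actually carry VLAN 7, and whether its MAC is static. The VM and adapter names (PA/PA-LAN-Switch, web01/web01-LAN-Switch) and VLAN 7 are taken from the thread and are assumptions; adjust them for your host.

```powershell
# Run in an elevated PowerShell on the Hyper-V host (Hyper-V module).
# VM/adapter names and VLAN 7 are assumed from the thread.

function Expand-VlanIdList {
    # Flatten "1-7,10" (or an int list) into an array of ints.
    param([object]$List)
    $ids = @()
    foreach ($part in ((@($List) -join ',') -split '[,\s]+' | Where-Object { $_ })) {
        if ($part -match '^(\d+)-(\d+)$') { $ids += [int]$Matches[1]..[int]$Matches[2] }
        else { $ids += [int]$part }
    }
    return $ids
}

function Test-VmAdapterVlan {
    # Returns $true if the adapter can carry $VlanId; prints why not otherwise.
    param([string]$VMName, [string]$AdapterName, [int]$VlanId)
    $adapter = Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName
    $vlan    = Get-VMNetworkAdapterVlan -VMNetworkAdapter $adapter
    $mode    = "$($vlan.OperationMode)"
    switch ($mode) {
        'Access' {
            # Host strips/adds the tag; the guest must send untagged frames.
            $ok  = ($vlan.AccessVlanId -eq $VlanId)
            $why = "access VLAN is $($vlan.AccessVlanId); guest must not tag frames"
        }
        'Trunk' {
            # Host passes tags through; the guest (PAN-OS subinterface) must tag.
            $allowed = Expand-VlanIdList $vlan.AllowedVlanIdList
            $ok  = ($allowed -contains $VlanId) -or ($vlan.NativeVlanId -eq $VlanId)
            $why = "trunk allows $($allowed -join ','), native $($vlan.NativeVlanId); guest must tag VLAN $VlanId"
        }
        default {
            $ok  = $false
            $why = "mode is '$mode'; tagged frames from the guest will be dropped"
        }
    }
    # Dynamic MACs may change on restart; the thread recommends static ones.
    $mac = if ($adapter.DynamicMacAddressEnabled) { 'dynamic (consider static)' } else { "static $($adapter.MacAddress)" }
    Write-Host ("{0}/{1}: {2} mode, {3}, MAC {4}" -f $VMName, $AdapterName, $mode, $why, $mac)
    return $ok
}

# Both ends must agree before the PAN subinterface (192.168.7.252) can answer on VLAN 7.
$fw  = Test-VmAdapterVlan -VMName 'PA'    -AdapterName 'PA-LAN-Switch'    -VlanId 7
$web = Test-VmAdapterVlan -VMName 'web01' -AdapterName 'web01-LAN-Switch' -VlanId 7
if ($fw -and $web) { 'Hyper-V VLAN 7 path looks consistent' } else { 'Hyper-V VLAN 7 path is misconfigured' }
```

If both adapters pass and ARP still fails, the Hyper-V side is not the cause, which matches the later reports in this thread of a PAN-OS 10.2.x bug.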
03-24-2023 05:23 PM
I have an almost identical setup. It was working great on 10.1.3 and 10.1.8 for many months. Once I upgraded to the 10.2.0 and above line (I am on 10.2.3-h4 now), VLAN traffic will not pass my sub-interfaces. The ARPs are not passing and are getting dropped because the VLAN tags are not getting appended to the packets, it appears. It must somehow be related to Hyper-V. We are gathering data in my TAC case and they said the fix will be in 10.2.4 when that version comes out.
03-31-2023 06:45 AM
I can confirm that the new version 10.2.4 fixes this issue now.