Layer 3 sub interfaces on Hyper-V


L0 Member

Hi all,


I am trying to get Palo Alto VM series (10.2.3) to work with layer 3 sub interfaces on Hyper-V (2022).
I configured interface/subinterface from the documentation (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRkCAK)
[screenshot: pa_subinterface.png]
I also tried it after removing the IP address 192.168.4.252/24.
I also tried setting the vSwitch to trunk mode on the Hyper-V host with
Set-VMNetworkAdapterVlan -VMName PA -VMNetworkAdapterName "PA-LAN-Switch" -Trunk -AllowedVlanIdList "1-7" -NativeVlanId 0

I can ping between VMs on VLAN 7, but I cannot ping the PA IP (192.168.7.252).
If I remove the subinterface and the VLAN tagging on the Hyper-V host, I can ping 192.168.4.252.

 

Any help would be appreciated,

Best Regards

7 replies

Cyber Elite

Hello,

Here is how I have set this up in the past. However, I make my physical interfaces Layer 2, trunk the VLANs, and then make Layer 3 VLAN interfaces on the PAN. This, I feel, allows for more control and forces all traffic to pass through the PAN.

[screenshot: OtakarKlier_0-1666212463205.png]

Then on the Hyper-V side, make sure you tag the VLANs appropriately. When you create a VM, make sure you use static MACs and also have the VM tag the network packets. The interfaces are not pingable by default. You need to configure a management profile that allows pings, then attach it to the interface. You will also need security policies to allow the ping.

 

Hope this helps.
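The Hyper-V side of the setup described in the original post and in the reply above, as an added example that is not code from this thread, from Palo Alto Networks or from Microsoft. It assumes the VM and adapter names used in the thread (PA / PA-LAN-Switch, web01 / web01-LAN-Switch), VLANs 1-7 with VLAN 7 as the test VLAN, and a static MAC address that is made up here:

```powershell
# Added example (not from the thread): configure and verify VLAN tagging on the Hyper-V host.
# Assumptions: VM "PA" with data adapter "PA-LAN-Switch" is the VM-Series, VM "web01" with
# adapter "web01-LAN-Switch" is the test host (names from the thread); the static MAC
# 00155D010701 is an assumed value in the Hyper-V-assigned range.

$paVm       = 'PA'
$paAdapter  = 'PA-LAN-Switch'
$webVm      = 'web01'
$webAdapter = 'web01-LAN-Switch'
$paMac      = '00155D010701'   # assumed static MAC for the firewall data adapter

# 1. Present the firewall's data adapter as an 802.1Q trunk carrying VLANs 1-7.
#    With NativeVlanId 0 the guest only ever sees tagged frames, so the firewall itself
#    must tag VLAN 7 (Layer 3 sub-interface with tag 7, or a VLAN interface behind a
#    Layer 2 trunk port) for 192.168.7.252 to be reachable.
Set-VMNetworkAdapterVlan -VMName $paVm -VMNetworkAdapterName $paAdapter `
    -Trunk -AllowedVlanIdList '1-7' -NativeVlanId 0

# 2. Pin a static MAC on the firewall's data adapter so the address does not change
#    across reboots or live migration (the VM must be powered off for this to apply).
Set-VMNetworkAdapter -VMName $paVm -VMNetworkAdapterName $paAdapter -StaticMacAddress $paMac

# 3. Put the test VM in access mode on VLAN 7: the vSwitch adds and strips the tag,
#    so the guest OS stays untagged and needs no VLAN sub-interface of its own.
Set-VMNetworkAdapterVlan -VMName $webVm -VMNetworkAdapterName $webAdapter -Access -VlanId 7

# 4. Verify the host-side VLAN state of both VMs before looking at the PAN-OS config.
foreach ($vm in $paVm, $webVm) {
    Get-VMNetworkAdapterVlan -VMName $vm |
        Select-Object VMName, VMNetworkAdapterName, OperationMode,
                      AccessVlanId, NativeVlanId, AllowedVlanIdList
}

# 5. Confirm the static MAC actually took effect on the firewall adapter.
Get-VMNetworkAdapter -VMName $paVm -Name $paAdapter |
    Select-Object VMName, Name, MacAddress, DynamicMacAddressEnabled
```

Run it in an elevated PowerShell session on the Hyper-V host. In the verification output, the PA adapter should report OperationMode Trunk with NativeVlanId 0 and 1-7 in AllowedVlanIdList, the web01 adapter OperationMode Access with AccessVlanId 7, and the PA adapter DynamicMacAddressEnabled False with the MAC you set. If the host side looks right and the test VM can still not reach the firewall's VLAN 7 address, the remaining candidates are the guest-side tagging on the firewall, the interface management profile and the security policy mentioned in the reply above.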

Hi,

Thank you for your advice.

I tried Layer 2 with

[screenshot: pa_subinterface_layer2.png]

 

 

and still no luck. 
I used 

Set-VMNetworkAdapterVlan -VMName web01 -VMNetworkAdapterName web01-LAN-Switch -Access -VlanId 7
I tried static MACs, and even

sudo ip link add link eth2 name eth2.7 type vlan id 7
I created a ping management profile and added an any/any policy for icmp/ping.
For some reason I can ping web01 from the Hyper-V host (when it is added to VLAN 7), but not the Palo Alto interface.

Any Ideas?

Best Regards

Cyber Elite

Hello,

I would say the PAN config is correct. You might want to recheck the Hyper-V side:

If using a teamed interface, make sure it's tagged:

[screenshot: OtakarKlier_0-1666362024287.png]

Then on the VM settings:

[screenshot: OtakarKlier_1-1666362219954.png]

Sorry, I can't find my notes from when I built everything. It was a long time ago.

 

Hope this helps.

Cheers!

L2 Linker

I have an almost identical setup. It was working great on 10.1.3 and 10.1.8 for many months. Once I upgraded to the 10.2.0 and above line (I am on 10.2.3-h4 now), VLAN traffic will not pass my sub-interfaces. The ARPs are not passing and are getting dropped because the VLAN tags are not getting appended to the packets, it appears. It must somehow be related to Hyper-V. We are gathering data in my TAC case, and they said the fix will be in 10.2.4 when that version comes out.

L2 Linker

I can confirm that the new version 10.2.4 fixes this issue now.

and 11.0.1

I am facing this issue on 11.0. I will try to update to 11.0.1 to see if it fixes the issue.
