Layer 3 switch behind Layer 3 PA-3020 interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Layer 3 switch behind Layer 3 PA-3020 interface

L1 Bithead

So I'm new to my PA-3020 and trying to get beyond my basic config has introduced a new problem for me.

I have a Layer 3 Cisco connected to my PA eth 1/2 via a routed interface on the switch.  My traffic is all working fine now, but I want to make some changes.

All my vlans have IP addresses on my switch, and they route via the switch routing table to the LAN or on the PA.  I want to have some of those vlans isolated from the LAN, so they can't route via the switch.  I think I need to set up subinterfaces on my PA, but it has not been working.

I created a test vlan on my switch (100).  No ip address, so it does not have a route in the switch.  I set the vlan ip helper-address as the IP of the PA subinterface, so it should forward DHCP requests on that vlan to the subinterface IP on the PA.  I created eth1/2.100 on my PA, gave it a dhcp relay for my dhcp servers on the LAN, made sure there is a route from the PA to the servers vlan on the LAN, created a Test Zone and Security Policy to allow DHCP between Test and Trust zones.  I can ping through these zones and networks, but my DHCP requests are not making it out of my switch to the PA.

How should I accomplish what I want to do?

Thank you!

Steve

4 REPLIES 4

Cyber Elite
Cyber Elite

I would start with Monitor > Packet Capture to see if PA receives those DHCP requests from switch and offers from server.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L7 Applicator

The subinterfaces on the PA will be 802.1Q tagged vlans to your switch.  So you need to create the matching vlan tag on that trunk port for your Cisco and assign this same tag to your access port vlan on the switch.

Have a look at Case 1 on page 3 and following in this document.

Securing Inter VLAN Traffic

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

The problem was that my Cisco port was routed, not a switch trunk port.  All vlan tags were being dropped in the routing.

In order to use the sub interfaces you will need to configure the attached Cisco port into trunk mode.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 3655 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!