So I'm new to my PA-3020 and trying to get beyond my basic config has introduced a new problem for me.
I have a Layer 3 Cisco connected to my PA eth 1/2 via a routed interface on the switch. My traffic is all working fine now, but I want to make some changes.
All my vlans have IP addresses on my switch, and they route via the switch routing table to the LAN or on the PA. I want to have some of those vlans isolated from the LAN, so they can't route via the switch. I think I need to set up subinterfaces on my PA, but it has not been working.
I created a test vlan on my switch (100). No ip address, so it does not have a route in the switch. I set the vlan ip helper-address as the IP of the PA subinterface, so it should forward DHCP requests on that vlan to the subinterface IP on the PA. I created eth1/2.100 on my PA, gave it a dhcp relay for my dhcp servers on the LAN, made sure there is a route from the PA to the servers vlan on the LAN, created a Test Zone and Security Policy to allow DHCP between Test and Trust zones. I can ping through these zones and networks, but my DHCP requests are not making it out of my switch to the PA.
How should I accomplish what I want to do?
The subinterfaces on the PA will be 802.1Q tagged vlans to your switch. So you need to create the matching vlan tag on that trunk port for your Cisco and assign this same tag to your access port vlan on the switch.
Have a look at Case 1 on page 3 and following in this document.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!