06-03-2015 09:58 AM
So I'm new to my PA-3020 and trying to get beyond my basic config has introduced a new problem for me.
I have a Layer 3 Cisco connected to my PA eth 1/2 via a routed interface on the switch. My traffic is all working fine now, but I want to make some changes.
All my vlans have IP addresses on my switch, and they route via the switch routing table to the LAN or on the PA. I want to have some of those vlans isolated from the LAN, so they can't route via the switch. I think I need to set up subinterfaces on my PA, but it has not been working.
I created a test vlan on my switch (100). No ip address, so it does not have a route in the switch. I set the vlan ip helper-address as the IP of the PA subinterface, so it should forward DHCP requests on that vlan to the subinterface IP on the PA. I created eth1/2.100 on my PA, gave it a dhcp relay for my dhcp servers on the LAN, made sure there is a route from the PA to the servers vlan on the LAN, created a Test Zone and Security Policy to allow DHCP between Test and Trust zones. I can ping through these zones and networks, but my DHCP requests are not making it out of my switch to the PA.
How should I accomplish what I want to do?
Thank you!
Steve
06-04-2015 02:22 AM
I would start with Monitor > Packet Capture to see if the PA receives those DHCP requests from the switch and the offers from the server.
06-06-2015 06:03 AM
The subinterfaces on the PA will be 802.1Q tagged vlans to your switch. So you need to create the matching vlan tag on that trunk port for your Cisco and assign this same tag to your access port vlan on the switch.
Have a look at Case 1 on page 3 and following in this document.
06-08-2015 07:26 AM
The problem was that my Cisco port was routed, not a switch trunk port. All vlan tags were being dropped in the routing.
06-08-2015 03:39 PM
In order to use the subinterfaces you will need to configure the attached Cisco port in trunk mode.
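As an added example (not from the thread), here is the Cisco IOS change the answers above describe: the poster's routed port beside the same port as an 802.1Q trunk that carries VLAN 100 to eth1/2.100. Interface names, the /30 uplink, native VLAN 2, the VLAN 100 subnet and the platform's trunk encapsulation command are assumptions; the PA side stays as the poster configured it (eth1/2.100 tagged 100 with DHCP relay to the LAN servers).

```cisco
! --- Before (the poster's setup): a routed switch port.
! A routed port has no VLAN awareness, so 802.1Q frames tagged 100
! are discarded here and never reach eth1/2.100 on the PA.
interface GigabitEthernet1/0/1
 description uplink-to-PA-eth1/2 (routed, tags dropped)
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! --- After: the same port as an 802.1Q trunk.
! The old point-to-point /30 moves onto an SVI and rides the trunk
! untagged as the native VLAN, so the PA's untagged eth1/2 keeps
! working; VLAN 100 crosses the trunk tagged and lands on eth1/2.100.
vlan 2
 name pa-uplink
vlan 100
 name isolated-test
!
interface Vlan2
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet1/0/1
 description uplink-to-PA-eth1/2 (802.1Q trunk)
 switchport
 switchport trunk encapsulation dot1q   ! only on platforms that ask for it
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,100
 switchport mode trunk
!
! VLAN 100 deliberately gets no SVI on the switch: it has no entry in the
! switch routing table, so it cannot reach the LAN except through the PA
! and its security policy. Because the VLAN is layer 2 only on the switch,
! "ip helper-address" is neither possible nor needed: client DHCP
! broadcasts cross the trunk tagged 100 and the PA subinterface relays
! them to the DHCP servers. Test clients just join the VLAN on access ports:
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
```

After the change, a packet capture on eth1/2.100 (Monitor > Packet Capture, as suggested above) should show the DHCP Discover arriving tagged 100 and the relayed Offer returning; if the Discover is absent, check "show interfaces trunk" on the switch for VLAN 100 in the allowed and active lists.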