04-02-2023 11:11 PM
I don't know how to handle this scenario (or where my setup/my thinking is wrong...):
We have several VLANs (901-920) and in every VLAN we have the SAME network addresses (customer machines/SPS 126.96.36.199/16).
My plan was to add a gateway for every single VLAN and then NAT/routing. At this time our devs can only connect "directly":
GW 2 192.168.70.6/30 - VLAN 902 - NAT Rule 902 (from 70.6 to 172.27.250.250/16)
GW 3 192.168.70.10/30 - VLAN 903 - NAT Rule 903 (from 70.10 to 172.27.250.250/16)
GW 4 192.168.70.14/30 - VLAN 904 - NAT Rule 904 (from 70.14 to 172.27.250.250/16)
Can you give me some hints for getting this setup to work, or isn't that possible?
I would like for the devs to move away from "I connect directly to the VLAN with a 172 address" and towards routing via Palo Alto...
Ty for tips!!
04-03-2023 01:50 AM
All of the VLANs share the same /16 IP address space, but you have configured the VLAN interface as a /30. The interface will not ARP for addresses outside of its /30. Does this setup actually work on a per-VLAN basis??
Upon reading the question I was going to point out that you can't create multiple VLAN interfaces which exist within the same /16 subnet. You could share the same /16 allocation and carve it up (multiple /21s) between the interfaces, but this would require the connected hosts to have their netmasks and gateway address configured. But it would allow the hosts to share the same classful /16 address.
The only other solution is to use multiple virtual routers (VRs), as this will allow you to have identical IP interfaces on the device. You would need to configure a unique loopback interface within each VR and advertise that /32 address between the VRs. Then configure source NAT for the /16 hiding it behind the local /32. The only problem with this solution is the platform limitation for the number of configurable VRs.
04-03-2023 02:22 AM
Does this setup actually work on a per-VLAN basis??
Nope, my setup doesn't work... I tried many options, nothing worked.
My goal: a dev enters a specific route (route add 188.8.131.52/16 GW 192.168.70.6 for VLAN 902). After deleting this route on the client he should be able to enter a new route for VLAN 906, e.g. with GW 70.22.
Setup with VRs: if I'm right the 3220 can handle "only" 10 VRs, so this doesn't work for us...
04-03-2023 03:16 AM
For that desired setup to work, each IP interface must have a /16 netmask, but that is not possible when they share the same routing table.
Also, how would a local host simultaneously communicate with hosts on-link and in another VLAN which shares the same /16 subnet? The best you could hope for is to configure a 1:1 static NAT where, let's say:
VLAN901 172.27.0.0/16 is NAT'd using a source pool of 184.108.40.206/16
VLAN901 172.27.0.0/16 is NAT'd using a source pool of 220.127.116.11/16
You would then advertise the NAT pools between the VRs, but again as you point out, you only have 10 VRs to use. Can you get hold of another PA and perhaps route these NAT pools between them?
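As an added illustration (not from the thread or from any Palo Alto configuration), the following Python model shows the two points made above: in one routing table the shared 172.27.0.0/16 can only point at one VLAN, whereas per-VR tables plus a distinct 1:1 static NAT pool per VR let a dev reach the same 172.27.x.y host in any VLAN. The pool prefixes 10.101.0.0/16, 10.102.0.0/16 etc. and the "vr9xx"/"vlan9xx" names are constructed for the example.

```python
# Added example: model of overlapping /16 VLANs behind one vs. several routing tables.
from ipaddress import ip_address, ip_network

SHARED = ip_network("172.27.0.0/16")       # address space every VLAN reuses
VLANS = ["901", "902", "903", "906"]
# Constructed NAT pools: VLAN 9NN is reached through pool 10.1NN.0.0/16
POOLS = {v: ip_network(f"10.1{v[1:]}.0.0/16") for v in VLANS}

def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop); None if no route."""
    dst = ip_address(dst)
    hits = [(p, nh) for p, nh in table if dst in p]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def single_table():
    """One routing table (the /30-per-VLAN design): installing 172.27.0.0/16 towards
    every VLAN just overwrites the same entry, so only the last VLAN wins."""
    table = {}
    for v in VLANS:
        table[SHARED] = f"vlan{v}"
    return list(table.items())

def reachable_vlans_single_table():
    """Which VLAN(s) a packet to 172.27.5.7 can actually reach: exactly one."""
    return {lookup(single_table(), "172.27.5.7")[1]}   # {"vlan906"}

def vr_design(dst):
    """Per-VR design: a shared 'core' VR routes each NAT pool to its VLAN's VR. In
    that VR a 1:1 static NAT (/16 to /16, host bits preserved) rewrites the pool
    address to the real 172.27.x.y host, and the VR's own copy of the /16 route
    delivers it on-link. Returns (egress VLAN, translated destination) or None."""
    core = [(pool, f"vr{v}") for v, pool in POOLS.items()]
    route = lookup(core, dst)
    if route is None:
        return None
    pool, vr = route
    host_bits = int(ip_address(dst)) - int(pool.network_address)
    real = ip_address(int(SHARED.network_address) + host_bits)
    vr_table = [(SHARED, f"vlan{vr[2:]}")]   # each VR holds its own 172.27.0.0/16
    return lookup(vr_table, str(real))[1], str(real)

if __name__ == "__main__":
    print(reachable_vlans_single_table())
    print(vr_design("10.102.5.7"), vr_design("10.106.5.7"))
```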
04-03-2023 03:58 AM
Thanks for trying to help; it seems with my current setup/hardware it's not possible... And no, I don't have another PA. It might be cheaper and perhaps easier if we install a static hardware device (little Cisco 8-port managed switch) with NAT/routing in each VLAN (different WAN IPs to internal network); hope this could do the job too...
Ty Seb!