PA200 not enough network ports


L3 Networker

Hello everyone

I have a PA200 which has only 4 network ports. But now I have 2 direct internet connections and 2 4G connections, and 1 is the uplink to my network. Would it be possible to connect a port of the PA200 not directly to the router but to a small 8-port switch to which my two routers are connected? These have the IPs 192.168.5.1/24 and 192.168.6.1/24.

What do I have to configure on the ethernet 1/4 port of the PA200? Put them there as IP address? And routing technical? Where should the default route point to? 0.0.0.0 to 192.168.6.1? Only one can do it.

10 REPLIES

Cyber Elite

hi @clonesheep

 

the PA-200 supports tagged sub-interfaces, so you could connect it to a managed switch and create different VLANs for every WAN connection, which would enable you to have all 4 outbound connections on one single physical interface (or more to spread the bandwidth, as needed)

 

here's an article on sub-interfaces: https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-Subinterfaces/ta-p/67...

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @reaper, thanks for the subinterfaces link. That sounds good. But now I will make an own virtual router for every internet connection so that I can use them unattached from each other. But there is a spec of only 3 VRs. 😞 Do you have an idea how I can avoid that limitation?

@clonesheep,

A bigger device that is properly spec'd for your environment and what you are attempting to accomplish?

Depending on what you are attempting to do, you don't need different VRs for each connection; you could easily take advantage of Metrics and Path Monitoring on the individual routes to bypass this, though you might have to use a bit of PBF to get this to function exactly as you would like. This of course all depends on what you're using each connection for, but you absolutely don't need a new VR per internet connection.

I want to transfer client A via internet line A and client B via a different internet line B. My default virtual router has only a default 0.0.0.0.0/0 address and therefore its next hop from the provider router. And how can I change the default path with PBF? There I can only define a next hop.

Policy based routing overrides the default next hop.

And is there another way for my 8-port switch? Because it have only Layer2 VLAN function. It's an HP 1820 and so I cannot configure my port 1, which is then in 3 different VLANs.

So can I physically put my 3 connections on this little 8-port switch without VLANs? And how must I then configure the eth port on my PA200?

"it have only Layer2 VLAN function" VLANs are only layer 2.

You need to "TAG" all your VLANs on the 1820 on the port going to the 200. On the 200, have an L2 interface with L2 subinterfaces for each tagged VLAN.

 

 

https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=7687976&docId=emr_na-c04622710&docLocale=e...

Section 5-3  

Okay, I thought I needed some routing between the VLANs.

So I now have my VLAN IDs 1 200 201 202. in

vlan 1 is default all ports untagged

vlan 200 is port 1 and 2 both tagged other ports excluded

vlan 201 is port 1 and 3 both tagged other ports excluded

vlan 202 is port 1 and 4 both tagged other ports excluded

 

Now I connect my PA200 to port 1 on the switch and configure my three subinterfaces with the tag 200 and so on, right?

I assume port 1 is the link to the PA.

 

Ports 2,3,4 should be untagged if they are connected to your routers.

 

 

Yes, ports 2, 3, 4 on the switch are connected to the routers. One router on each port.
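As an added example that is not part of the thread or any poster's configuration: a Python check of the switch VLAN plan discussed above, run against the layout as first proposed (router ports tagged) and the layout suggested in the replies (router ports untagged). The VLAN IDs and port numbers come from the thread; the dictionary layout and function names are assumptions made for this example.

```python
# Constructed data: VLAN IDs and port numbers follow the thread; the
# dict layout and function names are assumptions made for this example.
TRUNK_PORT = 1              # switch port cabled to the PA-200
ROUTER_PORTS = {2, 3, 4}    # one upstream router per port
WAN_VLANS = {200, 201, 202}

# vlan -> {port: "T" (tagged) | "U" (untagged)}; absent port = excluded
PROPOSED = {
    200: {1: "T", 2: "T"},
    201: {1: "T", 3: "T"},
    202: {1: "T", 4: "T"},
}
CORRECTED = {
    200: {1: "T", 2: "U"},
    201: {1: "T", 3: "U"},
    202: {1: "T", 4: "U"},
}

def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for vlan in sorted(WAN_VLANS):
        members = plan.get(vlan, {})
        # The firewall subinterfaces match on the 802.1Q tag, so the trunk must tag.
        if members.get(TRUNK_PORT) != "T":
            findings.append(f"VLAN {vlan}: trunk port {TRUNK_PORT} must be tagged")
        routers = sorted(p for p in members if p in ROUTER_PORTS)
        # One router per VLAN keeps the upstream segments separated at layer 2.
        if len(routers) != 1:
            findings.append(f"VLAN {vlan}: expected exactly one router port, got {routers}")
        for port in routers:
            if members[port] != "U":
                findings.append(f"VLAN {vlan}: router port {port} should be untagged")
        extra = sorted(set(members) - ROUTER_PORTS - {TRUNK_PORT})
        if extra:
            findings.append(f"VLAN {vlan}: unexpected member ports {extra}")
    for port in sorted(ROUTER_PORTS):
        vlans = sorted(v for v in WAN_VLANS if port in plan.get(v, {}))
        if len(vlans) != 1:
            findings.append(f"port {port}: must belong to exactly one WAN VLAN, got {vlans}")
    return findings

if __name__ == "__main__":
    for name, plan in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(name, check_plan(plan) or "OK")
```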
