PA200 not enought network port

clonesheep · ‎08-10-2018

Hello everyone

I have a PA200 which has only 4 network ports. But now I have 2 direct internet connections and 2 4g connections and 1 is uplink to my network. Would it be possible to connect a port of the pa200 not directly to the router but to a small 8port switch to which my two routers are connected? These have the IP 192.168.5.1/24 and 192.168.6.1/24.

What do I have to configure on the ethernet 1/4 port of the PA200? Put them there as IP address? And routing technical? Where should the default route point to? 0.0.0.0 to 192.168.6.1? Only one can do it.

PANgurus · ‎08-10-2018

hi @clonesheep

the PA-200 supports tagged sub-interfaces, so you could connect it to a managed switch and create different VLANs for every WAN connection, which would enable you to have all 4 outbound connections on one single physical interface (or more to spread the bandwidth, as needed)

here's an article on sub-interfaces: https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-Subinterfaces/ta-p/67...

Tom Piens
PANgurus

clonesheep · ‎08-13-2018

Hi @PANgurus thanks for the subinterfaces link. That sounds good. But now i will make for every internet connection a own virtual router so thaht i can use them unattached from each others. But there is a spec only 3 VR. 😞 do you have an idea how i can go avoid that limitation?

BPry · ‎08-13-2018

@clonesheep,

A bigger device that is properly spec'd for your enviroment and what you are attempting to accomplish?

Depending on what you are attempting to do you don't need different VRs for each connection; you could easily take advantage of Metrics and Path Monitoring on the individual routes to bypass this, you might have to use a bit of PBF to get this to function exactly as you would like though. This of course all depends on what you're using each connection for; but you absuletly don't need a new VR per internet connection.

clonesheep · ‎08-17-2018

I want to transfer client a via internet a and client b via a different internet b line. My default virtual router has only a default 0.0.0.0.0/0 address and therefore its next hop from the provider router. And how can I change the default path with pbf? there I can only define a next hop.

RobinClayton · ‎08-17-2018

Policy based routing overrides the default next hop.

clonesheep · ‎08-17-2018

And is there a other way for my 8Port switch? Because it have only Layer2 VLAN function. Its a HP 1820 and so i cannot configure my port 1 witch is then in 3 different VLANs.

So can i put physical my 3 connections to this litte 8 port swtich without vlans? and how must i configure then the eth port on my pa200?

RobinClayton · ‎08-17-2018

" it have only Layer2 VLAN function" VLANS are only layer 2.

You need to "TAG" all your vlans on the 1820 on the port going to the 200, On the 200 have a L2 interface with L2 Subinterfaces for each tagged vlan.

https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=7687976&docId=emr_na-c04622710&docLocale=e...

Section 5-3

clonesheep · ‎08-17-2018

okay, i thought i needed some routing between the vlans.

so have now my vlan ids 1 200 201 202. in

vlan 1 is default all ports untagged

vlan 200 is port 1 and 2 both tagged other ports excluded

vlan 201 is port 1 and 3 both tagged other ports excluded

vlan 202 is port 1 and 4 both tagged other ports excluded

now i connect my p200 on port 1 at the swtich and configure my three subinterfaces with the tag 200 and so on.. right?

RobinClayton · ‎08-17-2018

I assume port 1 is the link to the PA.

Ports 2,3,4 should be untagged if they are connected to your routers.

Network Security

Cloud Security

Security Operations

PA200 not enought network port

PA200 not enought network port

Show your appreciation!