Router on a stick with VLANs

L1 Bithead

I have a single HPE 5400 that links to a PA-820. I have an untagged p2p VLAN on a Layer3 interface on the PA. I use this as the "MGMT/LAN" side. The HPE is doing routing for internal networks.


To add another VLAN, I tagged that same port on the switch, and I add a sub-interface on the PA with the appropriate tag.

So, the uplink between the switch and the PA is untagged VLAN 253 (MGMT/LAN), and tagged VLAN 201 (DMZ). [I've also tried removing the IP settings from the parent interface and adding two sub interfaces for VLAN 253/201]


My issue is when the DMZ (201) traffic flows up to the switch it is exiting the default route and the VLAN tag is stripped. This is causing the PA to classify the zone as LAN and dropping the traffic. This is despite my routing table on both the PA and the HPE showing that the appropriate route is VLAN connected.


If I have a client device with the gateway set as the PA, the traffic flows as normal all the way to the internet.

I have some wireless controllers that have multiple interfaces on them. You can't specify a gateway per interface. So if I route-ping from the DMZ interface on the controller it is going to hit the default router of the controller. That is the HPE. So, the traffic is pushed to the HPE, then the HPE should route appropriately. I'm not sure why the PA is treating the traffic this way.


I have 3 other firewalls in my lab, and they all function normally configured this way. Trunk port is untagged for the main MGMT interface, and tagged for the VLANs I want to pass up.


To add: I know I can just move the controller to the same physical location and physically link the two removing this issue, but I shouldn't have to.


EDIT: The LAN/MGMT interface and the DMZ subInterface are in two separate zones.


Thanks in advance!


Cyber Elite


Can you post the port configuration from the 5400 please? 

Sure, and some context. is the PA LAN parent interface. B16 is the trunked port to the PA. VLAN 201 is the DMZ with a subInterface on the PA at






ip route
ip route
ip route name "Guest_Network"
ip routing






And port config:





vlan 201
   name "DMZ"
   tagged B16,C1-C8,C23
   ip address
vlan 253
   name "Palo LAN"
   untagged B16
   ip address





Routing table:



  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
                                     253  static               1          1
                     lo1                  connected            1          0
                                     1    static               1          1
                     reject               static               0          0
                     lo0                  connected            1          0
                     Guest           300  connected            1          0
                     DMZ             201  connected            1          0
                     DEFAULT_VLAN    1    connected            1          0
                     Wireless        2    connected            1          0
                     VLAN400         400  connected            1          0
                     MGMT            199  connected            1          0
                     Palo LAN        253  connected            1          0
                     FG LAN          254  connected            1          0




This really seems like it's an issue with the 5400, but the configuration looks fine to me and I don't see any obvious issues with what you have posted. If the VLAN tag is not present, the firewall rightfully isn't going to get the traffic assigned to the proper zone and your security rulebase entries aren't going to match any of the traffic. 

You might want to reach out to HPE and see why the 5400 is stripping out the VLAN tag; I'm guessing that it's something config related.



The config may be wrong, but only in the sense that it is not configured the way a PA likes it versus another vendor. This is how I configure Fortigates, Sonicwalls, and Cisco ASRs when passing traffic from a HPE.


I really think it has something to do with the default route. I mean, regardless of vendor, you have to have a default route, correct? So all unknown traffic is going to hit that internal parent interface. Since the route is VLAN connected it should be passing that tag up. It just seems like it's the PA not handling it correctly.
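
A model of the two forwarding paths described in this thread, added here as an example and not taken from any post: a frame bridged in VLAN 201 keeps its tag on B16, while a packet the 5400 routes is sent out as a new frame in the VLAN of the matching route. The subnets, the default route's next hop being the PA parent interface, and the function names are assumptions (the thread's addresses are elided); the B16 membership and VLAN IDs are as posted.

```python
import ipaddress

# Constructed addressing (the thread's real subnets are elided).
ROUTES = [                                # (prefix, egress VLAN on the 5400)
    ("10.20.1.0/24", 201),                # DMZ, connected
    ("10.25.3.0/30", 253),                # Palo LAN p2p, connected
    ("0.0.0.0/0", 253),                   # default route via the PA parent interface (assumed)
]
# Membership of uplink port B16 as posted: untagged in 253, tagged in 201.
PORT_B16 = {253: "untagged", 201: "tagged"}
# PA side as described: untagged frames reach the parent interface (LAN zone),
# frames tagged 201 reach the sub-interface (DMZ zone).
FW_ZONE_BY_TAG = {None: "LAN", 201: "DMZ"}

def egress_vlan_for(dst):
    """Longest-prefix match over ROUTES; returns the VLAN the packet leaves in."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), v) for p, v in ROUTES]
    hits = [(n, v) for n, v in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def tag_on_uplink(vlan):
    """802.1Q tag the frame carries on B16, or None when it leaves untagged."""
    mode = PORT_B16.get(vlan)
    if mode is None:
        raise ValueError(f"VLAN {vlan} is not carried on B16")
    return vlan if mode == "tagged" else None

def zone_at_firewall(src_vlan, dst, gateway):
    """gateway is 'firewall' (frame is bridged) or 'switch' (packet is routed)."""
    if gateway == "firewall":
        vlan = src_vlan              # L2 forwarding: the frame stays in its VLAN
    elif gateway == "switch":
        vlan = egress_vlan_for(dst)  # L3 forwarding: new frame in the route's VLAN
    else:
        raise ValueError(f"unknown gateway {gateway!r}")
    return FW_ZONE_BY_TAG[tag_on_uplink(vlan)]

if __name__ == "__main__":
    dst = "203.0.113.10"  # constructed internet destination
    print("client, gateway = PA      ->", zone_at_firewall(201, dst, "firewall"))
    print("controller, gateway = HPE ->", zone_at_firewall(201, dst, "switch"))
```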
