Routing Issues with Layer 3 Deployment

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Routing Issues with Layer 3 Deployment

L2 Linker

Hello all,

I'm having issues with internet access on different subnets. I have attached a diagram on my network. The Server VLAN has Internet access but the rest somehow are not managing, I'm seeing the traffic in the logs but nothing seems to be working.

I have tried various settings but somehow I'm missing it. Does anyone have any thoughts?

7 REPLIES 7

L3 Networker

Are you terminating each VLAN on the Palo Alto box (having the gw address on the Palo) or do you have a link-network between the Palo "internal" interface and the switch.

The Palo Alto is connection on port 36 on the Layer 3 Switch, that port is on the VLAN 100.

Basically all the users have their gateway to the Layer 3 switch. The Layer 3 switch then forward all requests to 192.168.200.254 which is the interface of the Palo Alto.

Only users on the VLAN100 are managing to access the internet which is on the same subnet of the PA

I used to manage on my old firewall through some rules (these were done by some company).

Hope I made myself clear. Cheers

OK, great. So what do you see in the log-files from the networks that doesn't work? Possible to post an output from the log?

I take it you have checked your routing and it's correct?

A Palo route Example:

Route_internal 192.168.203.0/24 gateway 192.168.200.1 (.1 beeing the Switch)

There could be a couple reasons for this, depending on how your PAN is setup.

(these are not necessarily in any order)

1) Do you have the appropriate user subnets listed in the correct security zones?

2) Are the correct security zones applied to the correct interfaces?

3) Do you have multiple virtual routers or just one?

4) If only one virtual router, you should have the static routes defining each of the user vlans AND have the gateway of those networks point to the L3 switch.

5) NAT rules?

The way I built our PAN config is similiar to our checkpoint configs. We start out with creating network objects of all the networks that we support. Then create logical groups with those networks. Then apply the groups to the right security zones. Use the logical groups for NAT rules as well.

devere wrote:

The Palo Alto is connection on port 36 on the Layer 3 Switch, that port is on the VLAN 100.

Basically all the users have their gateway to the Layer 3 switch. The Layer 3 switch then forward all requests to 192.168.200.254 which is the interface of the Palo Alto.

Only users on the VLAN100 are managing to access the internet which is on the same subnet of the PA

I used to manage on my old firewall through some rules (these were done by some company).

Hope I made myself clear. Cheers

Do you actually have a route in the Palo Alto to get point traffic back into the network via VLAN100?

The PA won't need a route to VLAN100 - because it's a directly connected network, the PA will just "know' how to get to devices in this network. However, if you don;t have a VR setup on the PAN telling it how to get traffic back tot he other VLAN's - for example, route 192.168.201.0/24 via 192.168.200.1.

The configuration should look something like this

virtual-router {
          router-1 {
            interface [ ethernet1/1 ethernet1/2];
            routing-table {
              ip {
                static-route {
                  servers {
                    destination 192.168.200.0/24;
                    interface ethernet1/1;
                    nexthop {
                      ip-address 192.168.200.1;
                    }
                  }
                  level1 {
                    destination 192.168.201.0/24;
                    interface ethernet1/1;
                    nexthop {
                      ip-address 192.168.200.1;
                    }
                  }

From the GUI, you should have something similar to the graphic attached - a route in the PA sending everything for the other subnets tot he "router" (layer 3) IP address for VLAN 100.

Cheers.

L2 Linker

after much aggrevation the problem was the layer 3 switch. it developed some fault where it couldn't correctly route to the PA on different VLANS.

On a side note would it be ideal/practical to use the PA as my layer 3 device also?

devere wrote:

after much aggrevation the problem was the layer 3 switch. it developed some fault where it couldn't correctly route to the PA on different VLANS.

On a side note would it be ideal/practical to use the PA as my layer 3 device also?

I wouldn't call it either - the PA is already doing a lot of work - firewall, web filter, virus checking, threat detection and filtering - adding layer 3 for your entire network, while possible, would not be the greatest idea.

Having said that, you *could* do it - I just don't know if it'd be the smartest idea, not knowing which model PA you have.

Cheers.

  • 11071 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!