VLAN and Routing

L1 Bithead

VLAN and Routing

Hi Guys,

I have an issue.

I have a PAN-500, I am using 3 interfaces: et1/4 is L3-Untrust, et1/3 is L3-Trust and et1/2 is L3-Trust.

ET1/4 has the public IP.

ET1/3 =

ET1/2 has 8 sub interfaces, each subinterface has its own IP addressing and belongs to differnet VLANs.

et1/2.1 TAG 30

et1/2.2 TAG 31

et1/2.3 TAG 40

et1/2.4 TAG 41

et1/2.5 TAG 50

et1/2.6 TAG 60

et1/2.7 TAG 70

et1/2.8 TAG 80

The Virtual Router is as follows:

default0.0.0.0/0 ip200.78.237.126none1
wifiomd10.0.1.0/24 ip192.168.0.30none1
wifibbdo10.0.2.0/24 ip192.168.0.30none1
wifisistemas10.0.0.0/24 ip192.168.0.51none1
vpnaccess172.16.0.0/24tunnelnone nonenone
sistemas192.168.8.0/28ethernet1/2.80none nonenone
cuentas192.168.9.0/26ethernet1/2.30none nonenone
creativo192.168.9.64/26ethernet1/2.31none nonenone
planning192.168.4.0/28ethernet1/2.40none nonenone
trafico192.168.5.0/27ethernet1/2.50none nonenone
finanzas192.168.6.0/27ethernet1/2.60none nonenone
proximity192.168.7.0/26ethernet1/2.70none nonenone
produccion192.168.4.16/28ethernet1/2.41none nonenone
servers192.168.0.0/22ethernet1/3none nonenone

The problem here is that users on VLANs are unable to communicate with the network

What can I do in order to solve this issue.

Thanks in advance.

L4 Transporter


both interfaces ethernet 2 and ethernet 3 are in the same zone and we do allow intra zone traffic. So the traffic should be allowed UNLESS you have a deny all rule in your policies. If you have the deny all rule then that includes intra zone traffic.

Try creating a Trust to Trust rule to allow the traffic and move it to the top of your rule set. If your traffic starts flowing then this was probably the issue.

L1 Bithead

I have created a Trust to Trust rule, allowing all traffic. I have just moved to the top, but I am unable to communicate from VLAN users to Network, and viceversa.

Is anything else, that I should do.

Thanks in advance.

L4 Transporter

Are you sure that the traffic is being routed to the Paloalto device?

Are there session in the Paloalto device when try to communicate to users in the subnet?

There are numerous issues that could  cause this, at this point it will probably be easier to call into support to aid you in troubleshooting this.

thank you,


L1 Bithead

Hello Stephen,

The traffic is being routed to the PAN-500.

In fact, PAN-500 is the default gateway for all the VALNs and the Network

I am able to see the traffic from Trust to Untrust, and from Trust to Trust.

Users in VLANs can access Internet.

Thanks in advance.

JM Barrera

L4 Transporter

Do you have sessions where the destination address is with this subnet:

If so are the sessions allowed?

Is the device that you are trying to reach in network able to ping the interface on the paloalto device?

Can you call into support in order that we can take a look?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!