This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

VLAN entry

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VLAN entry

jeff.noseworthy1
L0 Member

‎06-04-2020 01:12 PM

Hi

 

I have a network with IP addresses in the range of 192.168.100 and 192.168.130 on two singular network cards on the same machine on the local network. Port 4 on the firewall is plugged into another device with the .130 range IP.   Port 1 on the firewall is plugged into the local network. I can’t contact the other device from the machine. 

Any idea how I can achieve this?

 

0 Likes Likes
2 REPLIES 2

upelister
L3 Networker

‎06-04-2020 03:10 PM

Hello,

I think your enviroment like this;

 

upelister_0-1591308547499.png

 

 

To Check-

  1. İnterface types should be L3 and ip address assigned.
  2. Same default router shoul be used.
    1. Else you must crate a routing entry for each subnet in each VR.
  3. You can put them in different zone or same zone up to you.
    1. İf different zone, you have to create a rule.
    2. İf same zone Default allow rule will allow traffic.
    3. İf there is clean up rule before default rules, a permit rule must be created even if they are in same zone.
    4. İf there is an allow rule logging should be enabled.
  4. Link States must be Green not red or greyed out.
  5. Assingnin a ping enabled management profile to interface’s good for trouble shooting.
  6. ON cli you can check arp entry’s to verify hosts are connected properly.
    1. )> show arp ethernet1/1 or )> show arp ethernet1/4
  7. upelister_1-1591308547505.png

     

  8. If you are using VM Palo Alto, “promiscous mode” has to be enabled all interface’s. İn ESX.
  9. For 100.0 network host can ping to its gateway.
  10. For 130.0 network host can ping to its gateway.
  11. Trace route can be helpful.

Have a nice and healty day.

UP
0 Likes Likes

reaper
Cyber Elite
Cyber Elite

‎06-05-2020 12:08 AM

If i read your issue correctly you have:

 

a desktop computer with 2 network cards plugged in, one in range 192.168.100 and one in 192.168.130

your firewall also has 2 connected interfaces, one in 192.168.100 and one in 192.168.130

 

your desktop is connected with both interfaces in the same broadcast domain to the firewall on the interface with ip 192.168.100

the firewall is connected to a different broadcast domain on the 192.168.130 interface

 

i don't think there is a (layer3) solution to this issue as your host will always prefer the locally connected subnet over a remotely routed one so it will look for ARP rather than route

 

you could consider switching your firewall to two layer2 interfaces, and setting up routed vlan interfaces in each subnet

that way both broadcast domains will see eachother and a default gateway will remain available for routing

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 2677 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks