So I'm new to my PA-3020, and trying to get beyond my basic config has introduced a new problem for me. I have a Layer 3 Cisco connected to my PA eth 1/2 via a routed interface on the switch. My traffic is all working fine now, but I want to make some changes.

All my VLANs have IP addresses on my switch, and they route via the switch routing table to the LAN or on the PA. I want to have some of those VLANs isolated from the LAN, so they can't route via the switch. I think I need to set up subinterfaces on my PA, but it has not been working.

I created a test VLAN on my switch (100). No IP address, so it does not have a route in the switch. I set the VLAN ip helper-address as the IP of the PA subinterface, so it should forward DHCP requests on that VLAN to the subinterface IP on the PA. I created eth1/2.100 on my PA, gave it a DHCP relay for my DHCP servers on the LAN, made sure there is a route from the PA to the servers VLAN on the LAN, and created a Test zone and Security Policy to allow DHCP between the Test and Trust zones.

I can ping through these zones and networks, but my DHCP requests are not making it out of my switch to the PA. How should I accomplish what I want to do?

Thank you!
Steve