How to configure multiple VLANs to go through a layer 3 firewall interface
Posted on 2014-09-04
I am currently in the process of breaking one big corporate VLAN into 3 smaller ones and am having issues with internet connectivity in my lab.
I am using an HP Layer 3 core that will support the 3 corporate VLANs as follows:
VLAN 10: Building 1 - vlan-interface10 - 172.19.0.1/16 (current)
VLAN 20: Building 2 - vlan-interface20 - 172.20.0.1/16 (future)
VLAN 30: Building 3 - vlan-interface30 - 172.30.0.1/16 (future)
The core has a Palo Alto firewall off a VLAN 10 access port that all internet traffic currently passes through.
Its address is 172.19.0.10. The DHCP server is also on VLAN 10 and has scopes for all 3 VLANs (which are working).
All the LAN routing on the core is simple directly attached routes, as everything comes back to the core's vlan-interfaces.
I can't seem to get VLAN 20 or 30 to connect to the internet after adding a static 0.0.0.0/0 next-hop 172.19.0.10 route. VLAN 10 works fine.
If I am routing all internet traffic through 172.19.0.10, will it get NATed properly going through a VLAN 10 access port to the firewall's LAN (trust) interface?
Another thing is that I can ping the firewall LAN interface from VLAN 10 but not from the other VLANs, but I'm not sure if that is just a security rule.
I've read about using sub-interfaces, or using a physical interface on the Palo Alto for each VLAN and putting them all in the same security zone.
Any ideas of how I should do this?
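A check worth running against the setup described in the question, added here as an illustration and not part of the original post: the core's default route only fixes the outbound leg. The firewall's trust interface sits in 172.19.0.0/16, so unless it also has routes for 172.20.0.0/16 and 172.30.0.0/16 pointing back at the core (172.19.0.1), replies to hosts on VLAN 20 or 30 follow the firewall's own default route out the untrust side and never return. The model below is a small longest-prefix-match forwarding table for the two hops, using the prefixes and next hops from the post; the firewall's upstream next hop (203.0.113.1) and the test destination (198.51.100.10) are constructed placeholder addresses, and whether the firewall actually has those return routes is an assumption the poster would need to confirm on the box.

```python
# Added illustration (not from the original post): a minimal longest-prefix-match
# model of the two hops in the lab, used to show that a default route on the
# core alone is not sufficient. The firewall must also know the way back to
# 172.20.0.0/16 and 172.30.0.0/16 via the core's vlan-interface10 (172.19.0.1).
import ipaddress


class Router:
    """Tiny IP forwarding table with longest-prefix-match lookup."""

    def __init__(self, name):
        self.name = name
        # Each entry: (network, egress interface, next hop or None if connected)
        self.routes = []

    def add_route(self, prefix, interface, next_hop=None):
        self.routes.append((ipaddress.ip_network(prefix), interface, next_hop))

    def lookup(self, dst):
        """Return (network, interface, next_hop) of the most specific match, or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, nh)
        return best


def build_core():
    """HP core as described: three connected VLAN interfaces plus the new default route."""
    core = Router("hp-core")
    core.add_route("172.19.0.0/16", "vlan-interface10")
    core.add_route("172.20.0.0/16", "vlan-interface20")
    core.add_route("172.30.0.0/16", "vlan-interface30")
    core.add_route("0.0.0.0/0", "vlan-interface10", next_hop="172.19.0.10")
    return core


def build_firewall(with_return_routes):
    """Palo Alto with its trust side in 172.19.0.0/16 and a default route upstream.
    The upstream next hop 203.0.113.1 is a constructed placeholder (TEST-NET-3)."""
    fw = Router("palo-alto")
    fw.add_route("172.19.0.0/16", "trust")
    fw.add_route("0.0.0.0/0", "untrust", next_hop="203.0.113.1")
    if with_return_routes:
        # Assumed fix: static routes back to the new VLANs via the core's VLAN 10 address.
        fw.add_route("172.20.0.0/16", "trust", next_hop="172.19.0.1")
        fw.add_route("172.30.0.0/16", "trust", next_hop="172.19.0.1")
    return fw


def round_trip(src, dst, with_return_routes):
    """Return (interface the core uses to forward the request,
               interface the firewall uses to send the reply back to src).

    A reply leaving 'untrust' means it never reaches the client even though
    the outbound leg looked fine, which matches the symptom of VLAN 10 working
    while VLAN 20 and 30 cannot reach the internet or ping the firewall."""
    core = build_core()
    fw = build_firewall(with_return_routes)
    out = core.lookup(dst)
    back = fw.lookup(src)
    return (out[1] if out else "unreachable", back[1] if back else "unreachable")


if __name__ == "__main__":
    # 198.51.100.10 is a constructed placeholder destination (TEST-NET-2).
    for src in ("172.19.5.5", "172.20.5.5", "172.30.5.5"):
        for fixed in (False, True):
            print(src, "return routes on firewall:", fixed, "->", round_trip(src, "198.51.100.10", fixed))
```

The ping test mentioned in the question probes exactly this: an ICMP echo from VLAN 20 reaches the firewall's trust address fine, but the echo reply has to find its own way back to 172.20.x.x. If the firewall has no route for that prefix via 172.19.0.1, the reply leaves the untrust side regardless of how the core is configured. Once return routing is confirmed, the remaining variables are the firewall's security policy and NAT rules, which must match source addresses from all three prefixes rather than only 172.19.0.0/16; the model above does not cover those.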