10-29-2015 01:09 AM - edited 03-08-2019 02:29 AM
Hi Guys,
Apologies if this has been discussed before, but I didn't seem to be able to find the answer.
I am new to enterprise networking, or I should say routing and switching, but I am in a situation where I have been asked to help whilst our network engineer is away.
I am trying to route a test VLAN from the access switch to the firewall and then to the internet.
Access Switch----------------------->Core Switch--------------------------------------> Firewall---------------->Internet
I have configured the VLAN on the access layer and an SVI for the same VLAN on the core, which seems to be fine. I am struggling to establish L3 connectivity between the core and the firewall (Palo Alto).
We already have a default route on our core that points to the ASA firewall, and then it's routed back to the core switch (depending on the prefix, of course) and then specific routes to the ISA proxy. Our network engineer seems to be against default routes on the core switches.
Now the challenge I am facing is how do I route the VLAN from the core to the firewall? There is of course a Layer 3 SVI for the VLAN and a Gig interface (which connects to the Palo Alto firewall). Now of course there can't be two Layer 3 interfaces with the same IP range. If I make the Gig interface Layer 3, then how do I tag the VLAN traffic to the Layer 3 interface? If I keep the Gig interface as L2 then of course it won't be routed to the firewall.
Any suggestion will be appreciated.
Thanks in advance
10-30-2015 08:33 AM
No problem.
Sorry we couldn't get it working, but I would be interested to hear what the solution is when you do get it working.
Jon
11-06-2015 12:49 AM
Hi Jon,
Hope you are well, just thought I'd update you.
I managed to get it working and, to my surprise, the cabling guy had made the wrong connections. 1/1 from the core should have gone to 1/7, however it was connected to 1/8 on the firewall. As soon as I corrected the cable it all started working... schoolboy error.
XXX-Core-1#ping 10.132.26.1 source 10.132.26.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.132.26.1, timeout is 2 seconds:
Packet sent with a source address of 10.132.26.252
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
XXX-Core-1#sh arp | in 2026
Internet 10.132.26.252 - 0018.7447.e380 ARPA Vlan2026 <<<< Core 1 SVI
Internet 10.132.26.253 19 0018.7468.5800 ARPA Vlan2026 <<< Core 2 SVI
Internet 10.132.26.254 9 0000.0c9f.f7ea ARPA Vlan2026 <<<<< HSRP IP
Internet 10.132.26.1 0 001b.1700.0116 ARPA Vlan2026 <<<<<<<<Default Gateway on Firewall
Internet 10.132.26.51 0 0018.0ad8.9fd0 ARPA Vlan2026 <<<<<< My Client AP (Meraki)
XXX-Core-1#
I have another query though, or I just want to get my understanding right.
As we speak I am not able to ping the default gateway, which is on the Palo Alto, from the access layer switch.
XXX-FLOOR3#ping 10.132.26.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.132.26.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
XXX-FLOOR3#
However, when I ping the VLAN's SVI on the core it's fine (given it's a direct connection via the trunk).
XXX-FLOOR3#ping 10.132.26.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.132.26.252, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
XXX-FLOOR3#
Now if I think of it logically, my access layer switch doesn't know how to get to 10.132.26.1, but it can reach 10.132.26.252 (VLAN SVI on the core) because the VLAN is allowed on the trunk.
We have a default route on the access layer switch which points towards the management VLAN's SVI on the core.
XXX-FLOOR3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.131.12.1 to network 0.0.0.0
C 128.1.0.0/16 is directly connected, Vlan1
10.0.0.0/24 is subnetted, 1 subnets
C 10.131.12.0 is directly connected, Vlan12
S* 0.0.0.0/0 [1/0] via 10.131.12.1
XXX-FLOOR3#
Does it mean I need to add a specific route? I don't think so.
I tried to apply a route map on the core which says anything coming from 10.132.26.x should set 10.132.26.1 as the next hop, since the core knows 10.132.26.51 (client connected to the access layer) and 10.132.26.1 (default gateway on the Palo).
I thought of sharing my approach with you before I go and try different things.
Cheers
11-06-2015 04:14 AM
Glad to hear you got it working.
I am slightly confused by the fact you have SVIs on the core switches for the firewalled VLAN, because you shouldn't have, i.e. the only L3 interface for that VLAN should be the firewall itself.
If you do have SVIs though, then your access switch should be able to ping the firewall because it should be routed to the firewall by the core switches.
If your access switch is not doing any routing then try adding this command to it:
"ip default-gateway 10.131.12.1"
and see if it makes any difference.
Jon
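The security-relevant point in Jon's reply is that a core SVI (or HSRP virtual address) sitting in the firewalled VLAN is a second gateway that hosts can use to reach other VLANs without ever traversing the Palo Alto. The following script is an added example, not code from the thread: it parses the `sh arp | in 2026` output posted above (copied verbatim as sample input) and lists every address in the firewall's subnet that the core itself answers for. The firewall address 10.132.26.1/24 is the one the poster names; the HSRP virtual MAC prefixes are the standard HSRPv1/v2 ranges.

```python
"""Audit a core switch's ARP table for Layer 3 presence in a firewalled VLAN.

Added example, not code from the thread. The firewall should be the only L3
interface in VLAN 2026; a core SVI or HSRP virtual IP in that subnet is a
gateway that bypasses the firewall. Sample ARP lines are copied from the
thread's "sh arp | in 2026" output.
"""
import ipaddress
import re
from dataclasses import dataclass

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.IGNORECASE,
)

# Copied from the thread (Core-1's "sh arp | in 2026"); trailing annotations removed.
SHOW_ARP_CORE1 = """\
Internet 10.132.26.252 - 0018.7447.e380 ARPA Vlan2026
Internet 10.132.26.253 19 0018.7468.5800 ARPA Vlan2026
Internet 10.132.26.254 9 0000.0c9f.f7ea ARPA Vlan2026
Internet 10.132.26.1 0 001b.1700.0116 ARPA Vlan2026
Internet 10.132.26.51 0 0018.0ad8.9fd0 ARPA Vlan2026
"""

FIREWALL_GATEWAY = "10.132.26.1/24"   # Palo Alto trust interface named in the thread


@dataclass(frozen=True)
class ArpEntry:
    ip: ipaddress.IPv4Address
    age: str            # "-" marks an address this switch owns itself
    mac: str
    interface: str

    @property
    def is_local(self) -> bool:
        return self.age == "-"

    @property
    def is_hsrp_vip(self) -> bool:
        # HSRPv1 virtual MACs are 0000.0c07.acxx, HSRPv2 virtual MACs 0000.0c9f.fxxx.
        m = self.mac.lower()
        return m.startswith("0000.0c07.ac") or m.startswith("0000.0c9f.f")


def parse_show_arp(text: str) -> list[ArpEntry]:
    """Parse IOS 'show arp' lines; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(ArpEntry(ipaddress.IPv4Address(m["ip"]), m["age"], m["mac"], m["intf"]))
    return entries


def find_extra_gateways(entries, firewall_gateway: str) -> list[tuple[str, str, str]]:
    """Return (ip, kind, interface) for each address in the firewall's subnet that the
    core answers for: its own SVI, or an HSRP virtual IP. The VIP is detected by MAC
    rather than by age because on the standby switch it carries a numeric age (as in
    the posted output) instead of '-'."""
    gw = ipaddress.IPv4Interface(firewall_gateway)
    findings = []
    for e in entries:
        if e.ip not in gw.network or e.ip == gw.ip:
            continue
        if e.is_hsrp_vip:
            findings.append((str(e.ip), "hsrp-vip", e.interface))
        elif e.is_local:
            findings.append((str(e.ip), "core-svi", e.interface))
    return findings


if __name__ == "__main__":
    for ip, kind, intf in find_extra_gateways(parse_show_arp(SHOW_ARP_CORE1), FIREWALL_GATEWAY):
        print(f"{ip:16} {kind:9} on {intf}: only {FIREWALL_GATEWAY} should route this VLAN")
```

Run it against each core's own ARP table: from Core-1's view the peer SVI 10.132.26.253 is just another host (age 19), so it is only flagged when the script is fed Core-2's output. Shutting the SVI, as the poster did, removes the core's own entry; the HSRP group has to be removed separately.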
11-06-2015 06:54 AM
Hi Jon/Julio,
Thanks for your reply.
If I think logically we don't need the SVI on the core. But if I don't create an SVI I am not able to ping.
XXX-Core-1#sh int vl2026
Vlan2026 is administratively down, line protocol is down
Hardware is EtherSVI, address is 0018.7447.e380 (bia 0018.7447.e380)
Description: Test VLAN
Internet address is 10.132.26.252/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:29, output 00:00:10, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched: ucast: 1286813 pkt, 146727788 bytes - mcast: 307795 pkt, 28377467 bytes
L3 in Switched: ucast: 111550 pkt, 24983888 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 116963 pkt, 30491658 bytes mcast: 0 pkt, 0 bytes
1721636 packets input, 206673961 bytes, 0 no buffer
Received 204864 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
2130843 packets output, 258099899 bytes, 0 underruns
0 output errors, 12 interface resets
0 output buffer failures, 0 output buffers swapped out
XXX-Core-1#sh arp | in 2026
Internet 128.1.96.111 1 0050.56a1.2026 ARPA Vlan1 >>>> ARP entries disappear
XXX-Core-1#
XXX-Core-1#ping 10.132.26.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.132.26.1, timeout is 2 seconds:
..... >>>>>>>>>>>>> And I can't ping it anymore
Success rate is 0 percent (0/5)
EGH-Core-1#
As soon as I enable the SVI, everything starts working.
XXX-Core-1#sh int vlan2026
Vlan2026 is up, line protocol is up
Hardware is EtherSVI, address is 0018.7447.e380 (bia 0018.7447.e380)
Description: Test VLAN
Internet address is 10.132.26.252/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:14, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched: ucast: 1286764 pkt, 146723526 bytes - mcast: 307792 pkt, 28377279 bytes
L3 in Switched: ucast: 111550 pkt, 24983888 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 116963 pkt, 30491658 bytes mcast: 0 pkt, 0 bytes
1721628 packets input, 206673179 bytes, 0 no buffer
Received 204861 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
2130805 packets output, 258096145 bytes, 0 underruns
0 output errors, 11 interface resets
0 output buffer failures, 0 output buffers swapped out
XXX-Core-1#sh arp
XXX-Core-1#sh arp | in 2026
Internet 10.132.26.252 - 0018.7447.e380 ARPA Vlan2026
Internet 10.132.26.254 - 0000.0c9f.f7ea ARPA Vlan2026
Internet 128.1.96.111 0 0050.56a1.2026 ARPA Vlan1
Internet 10.132.26.1 0 001b.1700.0116 ARPA Vlan2026
XXX-Core-1#
XXX-Core-1#ping 10.132.26.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.132.26.1, timeout is 2 seconds:
!!!!! >>>>>>>>>>> Pings just fine
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
I also checked: there is a default route and a default gateway on the access layer switch which lead everything to the core, and of course the core is able to ping the firewall interface.
Gateway of last resort is 10.131.12.1 to network 0.0.0.0
C 128.1.0.0/16 is directly connected, Vlan1
10.0.0.0/24 is subnetted, 1 subnets
C 10.131.12.0 is directly connected, Vlan12
S* 0.0.0.0/0 [1/0] via 10.131.12.1
XXX-FLOOR3#
XXX-FLOOR3#sh run | in default
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
spanning-tree portfast default
spanning-tree portfast bpduguard default
ip default-gateway 10.131.12.1
XXX-FLOOR3#
Regardless of the SVI being enabled or disabled, I am able to ping my client AP sitting on the access layer switch from the firewall (which proves your theory that we don't need the SVI).
ernv@XXX-PA-1(active)> ping source 10.132.26.1 host 10.132.26.51
PING 10.132.26.51 (10.132.26.51) from 10.132.26.1 : 56(84) bytes of data.
64 bytes from 10.132.26.51: icmp_seq=1 ttl=64 time=4.17 ms
64 bytes from 10.132.26.51: icmp_seq=2 ttl=64 time=0.830 ms
64 bytes from 10.132.26.51: icmp_seq=3 ttl=64 time=0.897 ms
64 bytes from 10.132.26.51: icmp_seq=4 ttl=64 time=0.842 ms
64 bytes from 10.132.26.51: icmp_seq=5 ttl=64 time=0.827 ms
^C
--- 10.132.26.51 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4013ms
rtt min/avg/max/mdev = 0.827/1.514/4.178/1.332 ms
Julio - why do we need an intrazone policy please? Interface 1/7 belongs to the trust zone and yes, a ping profile is assigned to the interface.
I have attached a snapshot (rule on the firewall) where I can see the firewall being hit by 10.132.26.252 (SVI IP from the core), however my client AP 10.132.26.51 never reaches the firewall, and the reason I see for it is that it can't even ping.
Any ideas why a host on the access layer, or the access layer switch itself, is not able to ping 10.132.26.1 on the firewall?
Cheers
11-06-2015 07:12 AM
Not sure what is happening with the access switch, but bear in mind its source IP will not be in the same IP subnet.
When you enable an SVI on the core switch it is in the same IP subnet as the firewall.
Perhaps the firewall is only allowing ping from an IP in the same subnet.
Regardless of all that, if you can ping clients in the firewalled VLAN your setup works.
The switches don't need to ping the firewall, i.e. they are not end devices transmitting traffic.
The only reason you may want to be able to ping from a switch is, as Julio says, for troubleshooting, but even that doesn't make much sense to me.
If you want to troubleshoot, test from a client in that VLAN.
Jon
11-06-2015 07:47 AM
Hi,
I see you already have a universal rule allowing the intrazone traffic, but only when the source is within 10.132.26.0/24, and if I understand correctly, a client in the 10.132.26.0/24 subnet (.51 I think?) can ping 10.132.26.1 but you cannot ping from your FLOOR3 switch, is that right?
The source of your traffic from the FLOOR3 switch seems to be in a different subnet, so I would check a couple of things:
- Routing from the PA. You should have a static route pointing to some SVI in the core within the subnet 10.132.26.0/24. This may justify the use of an SVI, so you can route between your 10.132.26.0/24 and your 10.131.12.0/24 subnets in the core switch.
- Your trust-to-trust rule must allow that traffic; you can add your network 10.131.12.0/24 to the source list. If you want the ping to work from the PA to the FLOOR3 switch, allow both networks in the destination list.
Anyway, why do you want the FLOOR3 switch to be able to ping the firewall interface? You only need the clients in 10.132.26.0/24 to be able to reach the firewall, unless you have extra needs that I don't see at the moment.
(I just realized that Jon made the same reflections as I did :) )
Kind Regards,
Julio
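Jon's and Julio's replies reduce the failed ping to two lookups on the Palo Alto: does the security policy match a source of 10.131.12.x, and does the firewall have a route back to it. The script below is an added example, not code from the thread or from PAN-OS, that models exactly those two checks against the addresses in the thread. The rule contents are a constructed approximation of the "universal" intrazone rule Julio describes; the FLOOR3 switch's source address 10.131.12.30, the PA routing table, and the choice of 10.132.26.254 as next hop are assumptions. The fall-through action is a parameter because PAN-OS ships intrazone-default as allow while many deployments override it to deny, and the behaviour reported in the thread implies the unmatched ping is dropped.

```python
"""Model why a client in 10.132.26.0/24 can ping the Palo Alto's interface
while the FLOOR3 switch (sourcing from 10.131.12.x) cannot.

Added example, not code from the thread or from PAN-OS. Assumptions: the
switch's source address, the rule contents, the PA routing table, and a
default action of deny for traffic no explicit rule matches.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

FIREWALL = IPv4("10.132.26.1")          # PA trust interface, from the thread
CLIENT_AP = IPv4("10.132.26.51")        # Meraki AP, from the thread
FLOOR3_SWITCH = IPv4("10.131.12.30")    # assumed: FLOOR3's Vlan12 address


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple          # of IPv4Network
    destinations: tuple     # of IPv4Network
    action: str             # "allow" or "deny"

    def matches(self, src, dst) -> bool:
        return any(src in n for n in self.sources) and any(dst in n for n in self.destinations)


def policy_lookup(rules, src, dst, default_action):
    """First-match security policy; unmatched traffic hits the default rule."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.name, rule.action
    return "intrazone-default", default_action


def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop); next_hop None means connected."""
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def ping_firewall(src, fw_ip, rules, routes, default_action="deny", ping_in_mgmt_profile=True):
    """Return (ok, reason) for an ICMP echo from src to the firewall's own address."""
    if not ping_in_mgmt_profile:
        return False, "interface management profile does not permit ping"
    name, action = policy_lookup(rules, src, fw_ip, default_action)
    if action != "allow":
        return False, f"dropped by security policy ({name})"
    back = route_lookup(routes, src)
    if back is None:
        return False, f"echo accepted ({name}) but the PA has no route back to {src}"
    return True, f"allowed by {name}, reply routed via {back[0]}"


# Constructed approximation of the thread's setup and of Julio's two fixes.
TEST_VLAN = Net("10.132.26.0/24")
MGMT_VLAN = Net("10.131.12.0/24")
RULES_AS_POSTED = (Rule("trust-intrazone", (TEST_VLAN,), (TEST_VLAN,), "allow"),)
ROUTES_AS_POSTED = ((TEST_VLAN, None),)                        # only the connected subnet on 1/7
RULES_FIXED = (Rule("trust-intrazone", (TEST_VLAN, MGMT_VLAN), (TEST_VLAN, MGMT_VLAN), "allow"),)
ROUTES_FIXED = ((TEST_VLAN, None), (MGMT_VLAN, IPv4("10.132.26.254")))  # static route via the core


if __name__ == "__main__":
    for label, rules, routes in (("as posted", RULES_AS_POSTED, ROUTES_AS_POSTED),
                                 ("rule fixed only", RULES_FIXED, ROUTES_AS_POSTED),
                                 ("rule and route fixed", RULES_FIXED, ROUTES_FIXED)):
        for src in (CLIENT_AP, FLOOR3_SWITCH):
            ok, why = ping_firewall(src, FIREWALL, rules, routes)
            print(f"[{label}] {src} -> {FIREWALL}: {'OK  ' if ok else 'FAIL'} {why}")
```

The "rule fixed only" case is the one worth noticing: widening the policy alone makes the firewall accept the echo but leaves it with no path for the reply, which is why Julio's routing check comes first and why a route back through the core is the only thing that justifies keeping an SVI in that VLAN. Widening the rule to 10.131.12.0/24 also lets any host in the management VLAN reach the firewall's interface, so the practical answer remains Jon's: test from a client in the VLAN rather than from the switch.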
11-06-2015 05:52 AM
Hi,
If you can't ping the GW configured on the PA, it's probably because the firewall is not allowing it. Create an intrazone rule to allow that traffic and ping should start working. Also check the management profile on the interface; you may need to enable a profile that allows ping (GUI, Network, Network Profiles, Network Management Profile, and then associate it with the interface (see attachment)).
I also agree with Jon that it's pointless to have an SVI in the core switch for that VLAN. The traffic should just be forwarded at L2 to the firewall interface and you should never use the SVI in the core, unless you want it for some troubleshooting at some point.
Another option you have when you connect the PA to the core, if you plan in the future to route more than one VLAN through the firewall using the same physical interface, is to configure the core interface facing the firewall as a trunk with VLAN 2026 allowed, and then create an L3 subinterface on the PA (the same concept as router-on-a-stick), tagged with that VLAN ID. That will give you flexibility for the future.
Regards,
Julio