Thanks for the advice, it does make more sense now.  I'll give this a go as soon as I can arrange a good time to do so.

Steve

Thanks Jon, I was most of the way through this config but didn't do all of it correctly.  I will set this up when I can interrupt the traffic without causing too much trouble.  Appreciate your help!

Great, thanks Jon.  I'll attempt it again in my next window, likely not until Friday night.

The routing was left in place, the IP on the SVI for vlan 3 was the same that had been on the interface g 1/0/1 previously, the default gateway was still in place for the next hop to the FW interface.  That route should have been ok.

The main interface on the FW is untagged, so that could be part of the problem, in which case a sub interface tagged 3 might be the solution.

When traffic in vlan 30 is forwarded to the default gateway, is the vlan tag dropped?  I guess I was thinking if traffic originates in vlan 30 then I would need to allow vlan 30 across the trunk.  No?

Also, the native vlan part confuses me.  Wouldn't you want the native vlans to match?  Why do I need it at all?  As I understand it, the native vlan will be used when untagged traffic reaches that link...but is there any untagged traffic?

So many questions, thanks for the help!

I set up a completely identical environment with a spare switch I had on hand.  I used a different interface on the FW and changed the IPs from 10.x.x.x to 11.x.x.x, but otherwise identical.  I could not get it to work with any of the scenarios described.

I think the problem is that traffic tagged in vlans that do not exist on the FW is getting lost.  It worked perfectly for the vlan 100 with a subinterface tagged 100 on the FW.  But vlan 30 traffic routed on the switch doesn't work.

I'm not sure it's possible, maybe the firewall just doesn't like this setup?  Obviously I could put all my vlans on subinterfaces on the firewall and all routing would happen there.  This will work, but it creates more zones and policies to pay attention to, particularly for vlans where I don't need that level of security.  That said, if it works, I may need to just do it.

Do I lose any significant benefit by moving all routing to the firewall?  My layer 3 switch would become just a layer 2 switch...pros and cons?

OK, I solved part of it.  The FW still needs a subinterface tagged with a vlan to match each vlan that is routed on the switch.  The IP of this subinterface is not in the routing table on the switch and is not used for any routing on the firewall, it just grabs the vlan traffic when it comes in to the main interface on the FW and forwards on to the default route in the firewall.  It seems like an odd setup since the gateway for these vlans is the SVI on the switch, but it works, so I'm happy.  Now I just need a good maintenance window to test this on my production equipment.

Thanks for the help so far!

Steve

The FW still needs a subinterface tagged with a vlan to match each vlan that is routed on the switch.

That doesn't make sense.

Any vlans that are routed on the switch are sent over vlan 3 so the firewall would never see tagged packets for any vlans that are routed on the switch.

Perhaps I have misunderstood and if it works then fine but you should only need subinterfaces on the firewall for the vlans you are routing off it and perhaps vlan 3 as discussed previously.

There is no reason why this wouldn't work, I have done s similar thing myself just not with your type of firewall.

Jon

Good point about the static routes, for my test case I don't believe I added them.  I agree that it seems it should work without subinterfaces for vlans not routed on the FW, perhaps I've been missing yet another piece.

I'll have another go at my little lab setup today to see if I can't make it works the way it should.

Thanks!

In the lab adding the static route for the vlan routed on the switch, not directly connected to the FW, did not change the situation.  

Let's review my config, maybe I'm missing something still (likely):

Switch#

int vl 3

ip add 10.38.0.5/29

int vl 30

ip add 10.38.1.5/24

int gi 1/0/1 (connected to FW int eth 1/3)

switchport trunk encapsulation dot1q

swithport trunk native vlan 3

swithcport mode trunk

switchport trunk all vlan 3,100

int gi 1/0/23

switchport mode access

switchport access vlan 100

int gi 1/0/24

switchport mode access

switchport access vlan 30

default gateway is 10.38.0.1

10.38.0.0/29 is directly connected via vlan 3

10.38.1.0/24 is directly connected via vlan 30

PA-3020#

int eth 1/3.3

ip add 10.38.0.1/29

tagged vlan 3

dhcp relay to 172.19.1.9, 172.19.1.11

int eth 1/3.100

ip add 10.38.2.1/24

tagged vlan 100

dhcp relay to 172.19.1.9, 172.19.1.11

Virtual router has route for 10.38.1.0/24 out int eth1/3.3 to next hop 10.38.1.5

I don't think it's a route problem though, because I'm not getting an address at all, so the traffic problem is occurring before it has an address to route, right?

When I plug a pc into switch int gi 1/0/23 on vlan 100, everything works as expected.  Get an address, get to the internet.

When I plug a pc into switch int gi 1/0/24 on vlan 30, I don't get an address.

Thinking it might just be dhcp issue, I did test with a static IP on the workstation, still no traffic gets through.

I don't know enough about how this works to back up this thought, but it feels like the vlan 30 traffic is getting to the firewall still tagged vlan 30 and the firewall drops it because it doesn't have a vlan 30.  When I add a subinterface in vlan 30, everything falls into place.  I know it should be tagged 3 since it was routed there over native vlan 3....

Hope the extra info and review here helps you guys help me think through this.  Thanks, I really appreciate the time and thought you're giving this.

Steve

Edit - ignore that, vlan 30 is presumably being routed on the switch ?

Jon