Description of Layer 3 interfaces and duplicate IP address support.
Duplicate IP Address Support
Beginning with PAN-OS® 11.1.4, duplicate (overlapping) IP address support allows you to use the same IP address on multiple firewall interfaces, provided that the interfaces use different logical routers and also use one of the following combinations:
- Different zones and the same virtual system.
- The same zone and different virtual systems.
- Different zones and different virtual systems.
It is important to understand these requirements because the commit does not fail if you configure duplicate addresses on multiple interfaces that are in the same zone and on the same virtual system; nothing prevents that misconfiguration. Multiple interfaces on the same logical router can't use the same IP address.
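Because the commit does not catch the same-zone, same-vsys case, the rules above are worth checking before the configuration reaches the firewall. The following Python script is an added example, not PAN-OS code or a Palo Alto Networks tool: it models each Layer 3 interface as a small record, groups interfaces by host address, and reports every pair that shares an address without satisfying the stated requirements (different logical routers, and different zones or different virtual systems). It also rejects every duplicate when an HA active/active flag is set, matching the restriction stated later on this page. The sample data embeds the page's topology (192.0.2.5/24 on Ethernet1/3 and Ethernet1/6, logical routers lr1 and lr6, VSYS-1, zones l3zone and zone6); the remaining interfaces, addresses, zone and router names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_interface
from itertools import combinations


@dataclass(frozen=True)
class L3Interface:
    """One Layer 3 interface and the attributes the duplicate-IP rules depend on."""
    name: str
    ip: str             # IPv4 or IPv6 address with prefix length, e.g. "192.0.2.5/24"
    logical_router: str
    zone: str
    vsys: str


SAME_LR = "same logical router"
SAME_ZONE_AND_VSYS = "same zone and same vsys (the commit does not reject this)"
HA_ACTIVE_ACTIVE = "duplicate IP is not supported in HA active/active mode"


def check_duplicate_ips(interfaces, ha_active_active=False):
    """Return (interface_a, interface_b, reason) for every pair of interfaces
    that share an IP address in a way the documented rules do not allow.

    Allowed: different logical routers AND (different zone OR different vsys).
    Flagged: same logical router; same zone AND same vsys; any duplicate at all
    when HA active/active is enabled.
    """
    # Group interfaces by host address; the prefix length is ignored so that
    # 192.0.2.5/24 and 192.0.2.5/25 are still treated as the same address.
    by_addr = {}
    for intf in interfaces:
        by_addr.setdefault(ip_interface(intf.ip).ip, []).append(intf)

    findings = []
    for group in by_addr.values():
        for a, b in combinations(group, 2):   # every pair sharing this address
            if ha_active_active:
                findings.append((a.name, b.name, HA_ACTIVE_ACTIVE))
            elif a.logical_router == b.logical_router:
                findings.append((a.name, b.name, SAME_LR))
            elif a.zone == b.zone and a.vsys == b.vsys:
                findings.append((a.name, b.name, SAME_ZONE_AND_VSYS))
    return findings


# Constructed sample: the first two interfaces mirror the page's topology
# (192.0.2.5/24 on lr1/lr6, VSYS-1, zones l3zone/zone6); the rest are
# invented to exercise each rule.
SAMPLE = [
    L3Interface("ethernet1/3", "192.0.2.5/24", "lr1", "l3zone", "VSYS-1"),
    L3Interface("ethernet1/6", "192.0.2.5/24", "lr6", "zone6", "VSYS-1"),
    L3Interface("ethernet1/5", "192.0.2.5/24", "lr5", "l3zone", "VSYS-1"),  # same zone + vsys as 1/3
    L3Interface("ethernet1/7", "192.0.2.5/24", "lr1", "zone7", "VSYS-1"),   # same logical router as 1/3
    L3Interface("ethernet1/4", "198.51.100.9/24", "lr4", "zone4", "VSYS-1"),
    L3Interface("ethernet1/8", "198.51.100.9/24", "lr8", "zone8", "VSYS-2"),
]


def run_sample(ha_active_active=False):
    """Run the checker over the constructed sample and return its findings."""
    return check_duplicate_ips(SAMPLE, ha_active_active=ha_active_active)


if __name__ == "__main__":
    for a, b, reason in run_sample():
        print(f"{a} / {b}: {reason}")
```

On the sample, only the two constructed violations are reported (ethernet1/3 with ethernet1/5 for sharing zone and vsys, ethernet1/3 with ethernet1/7 for sharing a logical router); the page's own pair and the cross-vsys pair pass. Feeding the script the interface list exported from your own configuration gives a pre-commit check for the case the commit itself does not flag.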
PA-1400 Series, VM-Series firewalls, and Panorama template stack support overlapping IP addresses.
Overlapping IP address support requires the Advanced Routing Engine. After you enable Advanced Routing, you can enable Duplicate IP Address Support. Follow the standard procedure to commit and reboot the firewall before you configure duplicate IP addresses.
You can then proceed to Configure Layer 3 Interfaces with duplicate IP addresses. The example topology illustrates the same IP address (192.0.2.5/24) on two interfaces (Ethernet1/3 and Ethernet1/6) that belong to different logical routers (lr1 and lr6), the same virtual system (VSYS-1), and different zones (l3zone and zone6). The interfaces can also share IPv6 addresses. The resulting configuration example from the sample topology would be similar to this:
A separate configuration example shows Ethernet1/4 and Ethernet1/8 with overlapping IP addresses configured for different logical routers, different virtual systems, and different zones:
The General Information section of the Dashboard displays the firewall setting as Duplicate IP Enabled or Duplicate IP Disabled.
Overlapping IP addresses support both static and dynamically assigned IPv4 and IPv6 addresses. All Layer 3 interface types (Ethernet, VLAN, tunnel, loopback, Aggregate Ethernet [AE], and AE subinterfaces) support overlapping IP addresses, including gateway interfaces. The management interface does not support overlapping IP addresses.
Overlapping IP addresses are not supported if HA active/active mode is enabled. Such a commit fails with the error message "Duplicate IP is not supported in HA Active/Active mode."
Interfaces that have duplicate IP addresses configured support the following services: Ping, SSH, Telnet, HTTP, and HTTPS. When Duplicate IP Address Support is enabled, the ping and traceroute commands require you to specify a logical router, which identifies which of the duplicate addresses is the source IP address so that the response returns to the correct interface. Use the CLI operational commands:
- ping source <ip> host <ip> logical-router <logical-router-name>
- traceroute source <ip> host <ip> logical-router <logical-router-name>
Inter-vsys routing supports overlapping IP addresses, so you can route between virtual systems.
Additional CLI commands related to duplicate IP address support are:
- set deviceconfig setting duplicate-ip <yes|no>: enable or disable duplicate IP address support.
- show system info: view the Duplicate IP setting (Enabled or Disabled).
- show counter global name session_duplicate_ip_alt_srcnat_xlat: view counters for duplicate-IP alternate source NAT translation.