topic Re: Layer 2 vs. Layer 3 Deployment in General Topics

Layer 2 vs. Layer 3 Deployment

PStricker — Mon, 07 Jul 2014 11:27:33 GMT

Hi!

At the moment, I hover between a Layer 2 and Layer 3 Deployment of my PA.

My setup is:

| | | |

Internet <-> IPSEC-router <-> DMZ <-> internal firewall

| | | |

My IPSec-router-cluster and the internal firewall need to persist. The internal firewall does route and filter between 23 VLANs/networks.

In the first step, I took my PA-3020 cluster as Layer2-Firwall behind the IPSec-router (Layer 2 instead of VirtualWire to be able to use a Vlan-Trunk), but I do sometimes see high latency and I do not really know why.

Do you think this is a good idea, or should I add a transfer network segment and user Layer 3?

My thoughts:

Layer 2:

pro

easy deployment

no change to any device

cons

sometimes slow and no idea, why

switches see one mac on two VLANs

Layer 3:

pro:

easy debugging

cons:

need to add transfer network

change of configuration for DMZ-network

need to maintain routing-table of one additional device

Of course, If I need "Layer 3 features", I can assign another interface of the PA as Layer 3, but is this a good idea, or would a "clean" "just Layer3-setup" be more "future-proof"?

Thank you for your hints

Regards

Phil

Re: Layer 2 vs. Layer 3 Deployment

pulukas — Mon, 07 Jul 2014 11:37:18 GMT

PStricker wrote:

(Layer 2 instead of VirtualWire to be able to use a Vlan-Trunk),

You can do Q tags on V-wire in PanOS 5 (think it was introduced in 5.0.4)

I think you have the lay of the land for the differences. I'll just add another option to complicate things for you. You could deploy using vsys and have some layer three segments and treat others are v-wire and layer 2. This could potentially give you the best of both worlds.

I don't see any performance impact on the v-wire deploys we manage. But I'm not running layer 2 in production to compare.

Re: Layer 2 vs. Layer 3 Deployment

PStricker — Mon, 07 Jul 2014 11:58:43 GMT

Hi Steven!

Thank you for your answer. Of course, vwire does support Q-tags, but I think, is does only support trunks. In my environment, VLAN A is "Layer 2 outside" and VLAN B is "Layer 2 inside". So my Layer 2 deployment does link two different VLANs of my switches.

It seems to me, Layer 2 deployments with PA are not very popular.

Phil

Re: Layer 2 vs. Layer 3 Deployment

pulukas — Mon, 07 Jul 2014 21:57:13 GMT

In your situation I would use a layer 3 deploy.

I also have not seen any pure layer 2 deploys. It seems that v-wire is the way to go with a true layer 2 insertion.