Connecting two L2 segments via PAN?

efellows — Fri, 07 Jun 2013 12:43:59 GMT

I am trying to connect two separate Layer2 segments using the same VLAN ID 569 and same IP subnet 10.10.69.0/24.

The firewall has:

ae1 (mode layer2) with members ethernet1/1 and ethernet1/2

ae2 (mode layer2) with members ethernet1/5 and ethernet1/6

VLAN 569 configured with name UC_Servers

> show vlan "Unified Communications Net 569"

total vlan shown : 1

name                interface         virtual interface   layer3 forwarding
--------------------------------------------------------------------------------
Unified Communications Net 569ae2.569           vlan.569            disabled
                    ae1.569

> show interface ae1.569

--------------------------------------------------------------------------------
Name: ae1.569, ID: 277, 802.1q tag: 569
Operation mode: layer2
Interface management profile: N/A
Service configured:
Zone: N/A, virtual system: vsys1
Adjust TCP MSS: no

> show interface ae2.569

--------------------------------------------------------------------------------
Name: ae2.569, ID: 266, 802.1q tag: 569
Operation mode: layer2
Interface management profile: N/A
Service configured:
Zone: N/A, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

> show interface vlan.569

--------------------------------------------------------------------------------
Name: vlan.569, ID: 274
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 10.10.69.1/24
Interface management profile: MP_Outside
ping: yes telnet: no ssh: yes http: no https: yes
snmp: yes response-pages: yes userid-service: no
Service configured:
Zone: SZ UC, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

I am not sure what does "L3 forwarding enabled" checkbox within the VLAN does, but i've tested with and without and does not help. I am already doing L3 forwarding between this and many other VLANs within the PA.

So my question is:

Both L2 segments work individually well, but they are not able to communicate with one another on Layer2 via the PaloAlto. Is this possible to achieve with this device? PA-500?

Thanks in advance!

Re: Connecting two L2 segments via PAN?

VinceM — Fri, 07 Jun 2013 13:00:43 GMT

May be usefull for your need: https://live.paloaltonetworks.com/docs/DOC-2011

Re: Connecting two L2 segments via PAN?

efellows — Fri, 07 Jun 2013 13:11:54 GMT

Hi Vincent,

Thank you very much. I have a solid networking background, but am quite new to PAN. I've missed the concept of Layer2 security zones which makes perfect sense.

The document you attached - helped me to understand what i am missing. And it's quite intuitive. I've configured a new Layer2 Security Zone and put ae1.569 and ae2.569 and voila - everything works as it should!

And again i see how powerfull is this platform, i am just amazed!

Thanks again - we can consider this issue resolved.

Re: Connecting two L2 segments via PAN?

VinceM — Fri, 07 Jun 2013 13:13:25 GMT

With pleasure 🙂

topic Connecting two L2 segments via PAN? in General Topics

Connecting two L2 segments via PAN?

Re: Connecting two L2 segments via PAN?

Re: Connecting two L2 segments via PAN?

Re: Connecting two L2 segments via PAN?