https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255722#M72535 <P>Hi,</P><P>Same ip and same vlan tag</P><P>Thanks</P> Tue, 02 Apr 2019 05:04:46 GMT simsim 2019-04-02T05:04:46Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255567#M72500 <P>Hi,</P><P>&nbsp;</P><P>I have two pa device , if . Both are in two differnet site . and I want to access the device in vlan10&nbsp; from one site to another .&nbsp;</P><P>How can i do that .</P><P>&nbsp;</P><P>&nbsp;</P><P>vlan 10 ----fw1 --------------fw2---vlan 10&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Sun, 31 Mar 2019 06:56:43 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255567#M72500 simsim 2019-03-31T06:56:43Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255575#M72502 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59972">@simsim</a>&nbsp;,</P><P>&nbsp;</P><P>Are you refferring to L2 extention and will be using same network on both ends?( you are expecting a solution like psuedowire ?)</P> Sun, 31 Mar 2019 13:00:15 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255575#M72502 Abdul_Razaq 2019-03-31T13:00:15Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255577#M72503 <P>Do you have layer 2 or layer 3 connection between sites?</P><P>Is connection over internet and IPSec VPN?</P> Sun, 31 Mar 2019 16:49:58 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255577#M72503 Raido_Rattameister 2019-03-31T16:49:58Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255580#M72505 <P>Hi,</P><P>&nbsp;</P><P>I am having l3 connection between sites&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Mon, 01 Apr 2019 05:04:10 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255580#M72505 simsim 2019-04-01T05:04:10Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255583#M72506 <P>Hi,</P><P>Not same network , the gateway is in site b.From site a&nbsp; I want to reach site B</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Mon, 01 Apr 2019 08:34:23 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255583#M72506 simsim 2019-04-01T08:34:23Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255610#M72514 <P>Assuming that you configure IPSec VPN between sites then you need to add route to peer site into virtual router and allow this traffic in security policy.</P> Mon, 01 Apr 2019 13:55:27 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255610#M72514 Raido_Rattameister 2019-04-01T13:55:27Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255658#M72520 <P>Hello,</P><P>Are the vlans IP'ed the same way? i.e. 192.168.2.0/24 or do they have different subnets and just the same vlan tag?</P><P>&nbsp;</P><P>Please advise,</P> Mon, 01 Apr 2019 17:58:30 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255658#M72520 OtakarKlier 2019-04-01T17:58:30Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255690#M72525 <P>The best way I've been able to do this is by having a different subnet at each location such as this: 10.10.1.0/24 and 10.30.1.0/24.&nbsp; I create a L3-Interface on both firewalls and create the necessary routers.&nbsp; I then created a rule in Panorama and applied it to both firewalls like so:&nbsp; Trust=&gt;RemoveOffices(10.10.1.0/24,10.30.1.0/24); App-ID: Any, Service: Any =&gt; Trust=&gt;RemoteOffices(10.10.1.0/24, 10.30.1.0/24); App-ID: Any, Service: Any.&nbsp; When applied to both sets of firewalls you'll get a psuedo VLAN extention.&nbsp; To make it scale a little, create an Address Group named something like: VLAN1.&nbsp; Then reference that in any rule you create.&nbsp; You must always include Remote-Office (To and/or From) as appropriate.&nbsp; This will allow all traffic originated on VLAN1 on site1 to VLAN1 on site2 (simulates an extended VLAN between sites).</P><P>&nbsp;</P><P>I've used this and it works quite well.&nbsp; The only gotcha you need to be careful of is when specifying the Interface between firewalls.&nbsp; I use a dedicated Interface or Tunnel and keep my routes very specific only to the other site.&nbsp; Any other routes should probably not traverse that link unless it absolutely needs to.</P><P>&nbsp;</P><P>Good Luck!</P> Mon, 01 Apr 2019 21:59:28 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255690#M72525 ScottF 2019-04-01T21:59:28Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255721#M72534 <P>Hi,</P><P>&nbsp;</P><P>Why do I need a virtual router ?&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Tue, 02 Apr 2019 05:03:20 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255721#M72534 simsim 2019-04-02T05:03:20Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255722#M72535 <P>Hi,</P><P>Same ip and same vlan tag</P><P>Thanks</P> Tue, 02 Apr 2019 05:04:46 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255722#M72535 simsim 2019-04-02T05:04:46Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255815#M72556 <P>Hello,</P><P>They cannot be the same IP address for management. If you are doing HA A/P, then the interface will have the same IP but the passive will be shut down since they are 'passive'.</P><P>&nbsp;</P><P>Hope that helps.</P> Tue, 02 Apr 2019 22:15:58 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255815#M72556 OtakarKlier 2019-04-02T22:15:58Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255876#M72566 <P>Hi,</P><P>&nbsp;</P><P>Sorry for the confusion , I am not talking about the management ip . What I mean is&nbsp; vlan is same in both sites&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Wed, 03 Apr 2019 08:03:19 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255876#M72566 simsim 2019-04-03T08:03:19Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255884#M72568 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59972">@simsim</a>&nbsp;,</P><P>&nbsp;</P><P>I feel there is a communication gap. hope you need to explain the requirment bit detail.</P><P>If you are using different ip segment in both locations, you can have ipsec between two sites, and route the segments through tunnel in both firewall and have a proper security policy.</P><P>&nbsp;</P><P>As vlan is just local to local network, you have L3 connectivity between two locations(and as per commends, you are using diffrent ip segments in both locations), need not to bother about vlan much.</P><P>&nbsp;</P><P>But if you need a L2 extension like psuedowire ( L2VPN), i dont thing PA is having it now.</P> Wed, 03 Apr 2019 08:21:07 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255884#M72568 Abdul_Razaq 2019-04-03T08:21:07Z https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255894#M72571 <P>If you have Layer 3 in between then it does not matter at all if vlan number is the same or not.</P><P>Important is if your IP subnet is the same. In your case it seems to be.</P><P>&nbsp;</P><P>All you have to do is to use NAT at both sides to overcome it.</P><P><A title="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClNxCAK" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClNxCAK" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClNxCAK</A></P> Wed, 03 Apr 2019 13:54:27 GMT https://live.paloaltonetworks.com/t5/general-topics/extending-vlan/m-p/255894#M72571 Raido_Rattameister 2019-04-03T13:54:27Z