https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/301771#M78712 <P>I'm looking to configure Layer 3 subinterfaces with the access layer switches pointing to the subinterface IP as it's gateway.&nbsp; As this is East/West traffic, I am concerned about routing between the "East VLANs" routing to the "West network interfaces".&nbsp; I have all the interfaces in the same virtual router.&nbsp; The firewall isn't operational yet, but hope it works.&nbsp; I cannot find much documentation on this type of configuration.</P> Mon, 02 Dec 2019 23:08:33 GMT Todd_Benshoof 2019-12-02T23:08:33Z https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/274898#M75199 <P>Hello Community</P><P>&nbsp;</P><P>I am struggling to choose one of the following two configurations. Which concept would you choose?</P><P>&nbsp;</P><P>I have a trunk between the Paloalto (PA-5060) and a switch.<BR />In the first variant I would configure the trunk interface on the paloalto as a layer 3 interface (subinterfaces). The IP, vlan tag etc. are directly on the interface. In the secound variant I would configure the trunk interface as layer 2 which I assign a vlan interface.</P><P>&nbsp;</P><P>Simplified the following network scheme:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="paloalto-l2-or-l3-interface.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20553iCE6C4FAEB40EF2AE/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="paloalto-l2-or-l3-interface.jpg" alt="paloalto-l2-or-l3-interface.jpg" /></span></P><P>&nbsp;</P><P>Are there any advantages/disadvantages about these the two variants? Are there some best practices about when to use L2 or L3 Interfaces?</P><P>One advantage of the L2 interface I thought about is, that unused Ports on the Paloalto are less difficult to integrate to an existing Vlan/network.</P><P>&nbsp;</P><P>Regards<BR />Dominik</P> Thu, 04 Jul 2019 11:31:03 GMT https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/274898#M75199 iabueltm 2019-07-04T11:31:03Z https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/274907#M75200 layer2 makes it possible to plop the firewall, using as many ports as you like, in the middle if a switched environment with the same broadcast domains east and west (you could bridge 3 switches all holding the same vlans, for example) layer3 makes for a more traditional routed environment where each network requires routing to get to another network from a security perspective having routing in the mix, prevents 'rogue' subnets in one vlan from being able to traverse onto a legitimate subnet in a different vlan, it also simplifies segregation Thu, 04 Jul 2019 12:09:39 GMT https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/274907#M75200 reaper 2019-07-04T12:09:39Z https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/275023#M75220 <P>Hi Reaper</P><P>&nbsp;</P><P>Thanks for your response.</P><P>&nbsp;</P><P>In my situation there is only one aggregated link from the switching fabric to the firewall.<BR />Therefore I dont need the firewall to switch packets. So i thought about configuring the link as L3.</P><P>&nbsp;</P><P>The reason why I am still considering a L2 interface is that I can bind them to an vlan interface which is L3. With the Vlan interfaces i am able to route to different vlans/subnets with the virtual router from Palo. Also with this configuration i am still able to easily attach network devices to the Firewall.</P><P>&nbsp;</P><P>Are there any drawbacks if I consider the L2 configuration method ?</P> Fri, 05 Jul 2019 09:23:12 GMT https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/275023#M75220 iabueltm 2019-07-05T09:23:12Z https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/275024#M75221 that works in layer3 mode as well, using tagged sub-interfaces no real drawbacks in using Layer2 though, security wise all 3 modes are the same Layer2 is a little more complex because you need to configure 3 different settings (vlan, vlan interface and physical interface/sub-interfaces) but that's basically the only difference Fri, 05 Jul 2019 09:35:11 GMT https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/275024#M75221 reaper 2019-07-05T09:35:11Z https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/275176#M75242 <P>My preference is to use straight Layer-3 or Layer-3 + subinterfaces.&nbsp; It is more simple &amp; straight-forward to configure, and the great majority of the customers I've worked with use these L3 modes.&nbsp; My rule of thumb is: "use L3 interfaces unless you can articulate the specific reasons why your deployment requires L2 w/ VLAN interfaces".&nbsp; &nbsp;&nbsp;</P> Fri, 05 Jul 2019 23:31:47 GMT https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/275176#M75242 jvalentine 2019-07-05T23:31:47Z https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/301771#M78712 <P>I'm looking to configure Layer 3 subinterfaces with the access layer switches pointing to the subinterface IP as it's gateway.&nbsp; As this is East/West traffic, I am concerned about routing between the "East VLANs" routing to the "West network interfaces".&nbsp; I have all the interfaces in the same virtual router.&nbsp; The firewall isn't operational yet, but hope it works.&nbsp; I cannot find much documentation on this type of configuration.</P> Mon, 02 Dec 2019 23:08:33 GMT https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/301771#M78712 Todd_Benshoof 2019-12-02T23:08:33Z https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/301820#M78722 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/76305">@Todd_Benshoof</a>&nbsp;</P> <P>this sounds pretty straight forward, do you have a network design?</P> <P>&nbsp;</P> <P>if you have all L3 (sub)interfaces, and they're all in the same VR, routing will happen automagically (the routing table will be populated with 'connected' networks and route from the get-go)</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 03 Dec 2019 09:20:08 GMT https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/301820#M78722 reaper 2019-12-03T09:20:08Z https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/595687#M118529 <P>Good evening,<BR />Please Help find solution with example with L2, L3 sub, L3. West solution.<BR />I find&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKMCA0" target="_blank">How to Configure a Layer 2 to Layer 3 Connection on the Palo Al... - Knowledge Base - Palo Alto Networks</A><BR />But KB missing part of solution.</P> Thu, 22 Aug 2024 20:02:03 GMT https://live.paloaltonetworks.com/t5/general-topics/layer-2-interfaces-together-with-vlan-interfaces-or-layer-3/m-p/595687#M118529 O.Oleg 2024-08-22T20:02:03Z