Connecting two L2 segments via PAN?

L1 Bithead

Connecting two L2 segments via PAN?

I am trying to connect two separate Layer2 segments using the same VLAN ID 569 and same IP subnet 10.10.69.0/24.

The firewall has:

ae1 (mode layer2) with members ethernet1/1 and ethernet1/2

ae2 (mode layer2) with members ethernet1/5 and ethernet1/6

VLAN 569 configured with name UC_Servers

> show vlan "Unified Communications Net 569"

total vlan shown :                    1

name                interface         virtual interface   layer3 forwarding
--------------------------------------------------------------------------------
Unified Communications Net 569ae2.569           vlan.569            disabled
                    ae1.569

> show interface ae1.569

--------------------------------------------------------------------------------
Name: ae1.569, ID: 277, 802.1q tag: 569
Operation mode: layer2
Interface management profile: N/A
Service configured:
Zone: N/A, virtual system: vsys1
Adjust TCP MSS: no

> show interface ae2.569

--------------------------------------------------------------------------------
Name: ae2.569, ID: 266, 802.1q tag: 569
Operation mode: layer2
Interface management profile: N/A
Service configured:
Zone: N/A, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

> show interface vlan.569

--------------------------------------------------------------------------------
Name: vlan.569, ID: 274
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 10.10.69.1/24
Interface management profile: MP_Outside
  ping: yes  telnet: no  ssh: yes  http: no  https: yes
  snmp: yes  response-pages: yes  userid-service: no
Service configured:
Zone: SZ UC, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

I am not sure what the "L3 forwarding enabled" checkbox within the VLAN does, but I've tested with and without it and it does not help. I am already doing L3 forwarding between this and many other VLANs within the PA.

So my question is:

Both L2 segments work individually well, but they are not able to communicate with one another on Layer2 via the PaloAlto. Is this possible to achieve with this device? PA-500?

Thanks in advance!

L5 Sessionator

Re: Connecting two L2 segments via PAN?

May be useful for your need: https://live.paloaltonetworks.com/docs/DOC-2011

V.

L1 Bithead

Re: Connecting two L2 segments via PAN?

Hi Vincent,

Thank you very much. I have a solid networking background, but am quite new to PAN. I've missed the concept of Layer2 security zones which makes perfect sense.

The document you attached helped me to understand what I am missing. And it's quite intuitive. I've configured a new Layer2 Security Zone and put ae1.569 and ae2.569 in it and voila - everything works as it should!

And again I see how powerful this platform is, I am just amazed!

Thanks again - we can consider this issue resolved.

L5 Sessionator

Re: Connecting two L2 segments via PAN?

With pleasure :-)
