Interface Types

L3 Networker

Interface Types

When you are creating sub-interfaces, what is the reason why you would create layer 2 sub-interfaces?

Community Manager

Re: Interface Types

Those would represent VLANs in your trunk; they allow for easily assigning zones to each VLAN and keeping packets contained within the same VLAN tag.

Reaper out
L3 Networker

Re: Interface Types

Yes, but a layer 2 interface won't have an IP; the only time I make sub-interfaces is when I need more logical layer 3 route points and don't have the physical port capacity.

L7 Applicator

Re: Interface Types

Hello,

Correct, so what I do is create a VLAN interface on the PAN that is layer 3 so that traffic can be routed.

Regards,

L3 Networker

Re: Interface Types

Yes, but then your interface type is layer 3, not layer 2....

What would be the purpose of setting up an interface like Ethernet1/2 in the photo? What does a layer 2 sub-interface serve?

[screenshot: Screen Shot 2019-02-27 at 11.45.57 AM.png]

L6 Presenter

Re: Interface Types


@reaper wrote:

Those would represent VLANs in your trunk; they allow for easily assigning zones to each VLAN and keeping packets contained within the same VLAN tag.

Yep, just as Reaper mentioned. Here's how it looks in practice.

[screenshot: L2.PNG]

Then you create the associated VLANs in the VLAN tab with the pertinent info.

L7 Applicator

Re: Interface Types

Hello,

The VLAN interface would be layer 3, but the physical would still remain layer 2. The purpose of the layer 2 subinterface is what Reaper mentioned, a VLAN trunk.

Perhaps I am not fully understanding the end result you are attempting to accomplish? Would you be able to expand on this?

Regards,

L3 Networker

Re: Interface Types

OK, what does a network diagram look like for this?

One switch connected to the PA with hosts on both VLAN 11 and VLAN 12. So when VLAN 11 needs to talk to VLAN 12 it NEEDS a layer 3 gateway, so where is this? Unless there is another port that connects to a layer 3 router or switch upstream? But what is the design reason for that? Might as well run layer 3 on the PA.

L6 Presenter

Re: Interface Types


@stevenjwilliams83 wrote:

OK, what does a network diagram look like for this?

... Might as well run layer 3 on the PA.

Yes, in my screenshot the FW is the GW for the 2 VLANs. Like @Otakar.Klier mentioned, we need to understand what you're trying to do.

If all you're trying to do is have your FW participate in a VLAN, create an L3 interface (sub or otherwise) and give that interface an IP address in that network. Use routing (routing protocol or static) to tell the FW where to route for the network it's participating in.

L7 Applicator

Re: Interface Types

Hello,

I would say the reason for it is you want inspection of the traffic between the two clients. The Layer 3 interface would either need to be a router somewhere that touches each VLAN, or you can create a Layer 3 VLAN interface on the PAN.

[screenshot: image.png]

This way the traffic is inspected by the PAN. One reason for this design is to limit and inspect traffic between the two clients on the network.

Configure Layer 2 Interfaces with VLANs when you want Layer 2 switching and traffic separation among VLANs. You can optionally control non-IP protocols between security zones on a Layer 2 interface or between interfaces within a single zone on a Layer 2 VLAN.

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/configure-interfaces/layer-2-in...

Also check out this as to why Zero Trust is a good thing, and this is one way towards it.

https://www.paloaltonetworks.com/resources/whitepapers/best-practices-for-executing-on-zero-trust

https://www.youtube.com/watch?v=2IGe5zZMlDc

Regards,
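The design the thread converges on (layer 2 subinterfaces for VLAN 11 and VLAN 12 on the trunk port, a layer 3 VLAN interface on the firewall as each VLAN's gateway, and a zone per VLAN so inter-VLAN traffic is evaluated by security policy), written out as PAN-OS CLI set commands. This is an added example, not from any post above: the interface ethernet1/2 and tags 11 and 12 come from the discussion, while the VLAN, zone and interface names and the gateway addresses are constructed, and the command syntax is from memory of PAN-OS 8.x configure mode and should be checked against your version.

```text
# Layer 2 subinterfaces on the trunk port, one per VLAN tag
# (ethernet1/2 and tags 11/12 from the thread; creating units under "layer2"
# also puts the parent interface into Layer 2 mode)
set network interface ethernet ethernet1/2 layer2 units ethernet1/2.11 tag 11
set network interface ethernet ethernet1/2 layer2 units ethernet1/2.12 tag 12

# VLAN objects: each ties one Layer 2 subinterface to one Layer 3 VLAN interface,
# so the firewall is the gateway that routes (and inspects) between the VLANs
# (object names vlan11/vlan12 and interfaces vlan.11/vlan.12 are assumed)
set network vlan vlan11 interface ethernet1/2.11
set network vlan vlan11 virtual-interface interface vlan.11
set network vlan vlan12 interface ethernet1/2.12
set network vlan vlan12 virtual-interface interface vlan.12

# Layer 3 VLAN interfaces with gateway addresses (constructed example addresses),
# attached to the default virtual router so routes exist between the two subnets
set network interface vlan units vlan.11 ip 10.11.0.1/24
set network interface vlan units vlan.12 ip 10.12.0.1/24
set network virtual-router default interface [ vlan.11 vlan.12 ]

# One zone per VLAN (zone names assumed): Layer 2 zones for the subinterfaces,
# Layer 3 zones for the VLAN interfaces. Inter-VLAN sessions then cross zones and
# must match a security rule; confirm the zone pair in the traffic log before
# writing the rule, since the "any to any" default does not permit cross-zone traffic
set zone vlan11-l2 network layer2 ethernet1/2.11
set zone vlan12-l2 network layer2 ethernet1/2.12
set zone vlan11-l3 network layer3 vlan.11
set zone vlan12-l3 network layer3 vlan.12
```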
