This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Layer 2 Interfaces together with Vlan Interfaces or Layer 3 Interfaces

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Layer 2 Interfaces together with Vlan Interfaces or Layer 3 Interfaces

iabueltm
L0 Member

‎07-04-2019 04:31 AM

Hello Community

 

I am struggling to choose one of the following two configurations. Which concept would you choose?

 

I have a trunk between the Paloalto (PA-5060) and a switch.
In the first variant I would configure the trunk interface on the paloalto as a layer 3 interface (subinterfaces). The IP, vlan tag etc. are directly on the interface. In the secound variant I would configure the trunk interface as layer 2 which I assign a vlan interface.

 

Simplified the following network scheme:

paloalto-l2-or-l3-interface.jpg

 

Are there any advantages/disadvantages about these the two variants? Are there some best practices about when to use L2 or L3 Interfaces?

One advantage of the L2 interface I thought about is, that unused Ports on the Paloalto are less difficult to integrate to an existing Vlan/network.

 

Regards
Dominik

0 Likes Likes
6 REPLIES 6

reaper
Cyber Elite
Cyber Elite

‎07-04-2019 05:09 AM

layer2 makes it possible to plop the firewall, using as many ports as you like, in the middle if a switched environment with the same broadcast domains east and west (you could bridge 3 switches all holding the same vlans, for example) layer3 makes for a more traditional routed environment where each network requires routing to get to another network from a security perspective having routing in the mix, prevents 'rogue' subnets in one vlan from being able to traverse onto a legitimate subnet in a different vlan, it also simplifies segregation
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

iabueltm
L0 Member
In response to reaper

‎07-05-2019 02:23 AM

Hi Reaper

 

Thanks for your response.

 

In my situation there is only one aggregated link from the switching fabric to the firewall.
Therefore I dont need the firewall to switch packets. So i thought about configuring the link as L3.

 

The reason why I am still considering a L2 interface is that I can bind them to an vlan interface which is L3. With the Vlan interfaces i am able to route to different vlans/subnets with the virtual router from Palo. Also with this configuration i am still able to easily attach network devices to the Firewall.

 

Are there any drawbacks if I consider the L2 configuration method ?

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to iabueltm

‎07-05-2019 02:35 AM

that works in layer3 mode as well, using tagged sub-interfaces no real drawbacks in using Layer2 though, security wise all 3 modes are the same Layer2 is a little more complex because you need to configure 3 different settings (vlan, vlan interface and physical interface/sub-interfaces) but that's basically the only difference
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

jvalentine
L7 Applicator

‎07-05-2019 04:31 PM

My preference is to use straight Layer-3 or Layer-3 + subinterfaces.  It is more simple & straight-forward to configure, and the great majority of the customers I've worked with use these L3 modes.  My rule of thumb is: "use L3 interfaces unless you can articulate the specific reasons why your deployment requires L2 w/ VLAN interfaces".    

Todd_Benshoof
L0 Member

‎12-02-2019 03:08 PM

I'm looking to configure Layer 3 subinterfaces with the access layer switches pointing to the subinterface IP as it's gateway.  As this is East/West traffic, I am concerned about routing between the "East VLANs" routing to the "West network interfaces".  I have all the interfaces in the same virtual router.  The firewall isn't operational yet, but hope it works.  I cannot find much documentation on this type of configuration.

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to Todd_Benshoof

‎12-03-2019 01:20 AM

@Todd_Benshoof 

this sounds pretty straight forward, do you have a network design?

 

if you have all L3 (sub)interfaces, and they're all in the same VR, routing will happen automagically (the routing table will be populated with 'connected' networks and route from the get-go)

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 13399 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks