I am struggling to choose one of the following two configurations. Which concept would you choose?
I have a trunk between the Palo Alto (PA-5060) and a switch.
In the first variant I would configure the trunk interface on the Palo Alto as a layer 3 interface (subinterfaces). The IP, VLAN tag etc. are directly on the interface. In the second variant I would configure the trunk interface as layer 2, to which I assign a VLAN interface.
Simplified, the network scheme is the following:
Are there any advantages/disadvantages of these two variants? Are there any best practices for when to use L2 or L3 interfaces?
One advantage of the L2 interface I thought of is that unused ports on the Palo Alto are less difficult to integrate into an existing VLAN/network.
Thanks for your response.
In my situation there is only one aggregated link from the switching fabric to the firewall.
Therefore I don't need the firewall to switch packets. So I thought about configuring the link as L3.
The reason why I am still considering an L2 interface is that I can bind them to a VLAN interface which is L3. With the VLAN interfaces I am able to route to different VLANs/subnets with the virtual router from Palo. Also, with this configuration I am still able to easily attach network devices to the firewall.
Are there any drawbacks if I consider the L2 configuration method?
My preference is to use straight Layer-3 or Layer-3 + subinterfaces. It is simpler and more straightforward to configure, and the great majority of the customers I've worked with use these L3 modes. My rule of thumb is: "use L3 interfaces unless you can articulate the specific reasons why your deployment requires L2 w/ VLAN interfaces".
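As an added illustration of the two variants discussed in this thread (not configuration from the original posters), here is what each looks like in PAN-OS set-command form. It assumes the trunk is ethernet1/1, VLAN 10 carries 10.0.10.0/24, the default virtual router is used, and zones are named trust and l2-trust; the command hierarchy is written from my recollection of PAN-OS and should be checked against the version actually running before committing.

```text
# Variant 1: Layer 3 subinterface; tag and IP sit directly on the trunk port.
# Inter-VLAN traffic is routed by the virtual router and hits L3 zone policy.
set network interface ethernet ethernet1/1 layer3
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 tag 10
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 ip 10.0.10.1/24
set network virtual-router default interface ethernet1/1.10
set zone trust network layer3 ethernet1/1.10

# Variant 2: Layer 2 subinterface in a VLAN object, routed through a VLAN interface.
# Ports in the same VLAN object are bridged by the firewall; that bridged traffic
# is evaluated against the L2 zone (l2-trust), not the L3 zone on vlan.10.
set network interface ethernet ethernet1/1 layer2
set network interface ethernet ethernet1/1 layer2 units ethernet1/1.10 tag 10
set zone l2-trust network layer2 ethernet1/1.10
set network vlan vlan10 interface ethernet1/1.10
set network interface vlan units vlan.10 ip 10.0.10.1/24
set network vlan vlan10 virtual-interface interface vlan.10
set network virtual-router default interface vlan.10
set zone trust network layer3 vlan.10

# The "easy attachment" case from the thread: a spare port (assumed ethernet1/2)
# joins the same broadcast domain simply by being added to the VLAN object.
set network interface ethernet ethernet1/2 layer2
set network vlan vlan10 interface ethernet1/2
set zone l2-trust network layer2 ethernet1/2
```

After commit, `show interface all` lists both the physical/subinterfaces and the vlan.10 interface with their zones, which makes it easy to confirm which zone a given path is evaluated in.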