Layer 2 Interfaces together with Vlan Interfaces or Layer 3 Interfaces

L0 Member

Hello Community,

I am struggling to choose one of the following two configurations. Which concept would you choose?

I have a trunk between the Palo Alto (PA-5060) and a switch.
In the first variant I would configure the trunk interface on the Palo Alto as a Layer 3 interface (subinterfaces). The IP, VLAN tag etc. are directly on the interface. In the second variant I would configure the trunk interface as Layer 2, to which I assign a VLAN interface.

Simplified, the network scheme is the following:

[image: paloalto-l2-or-l3-interface.jpg]

Are there any advantages/disadvantages of these two variants? Are there any best practices about when to use L2 or L3 interfaces?

One advantage of the L2 interface I thought about is that unused ports on the Palo Alto are less difficult to integrate into an existing VLAN/network.

Regards
Dominik

Community Manager

Re: Layer 2 Interfaces together with Vlan Interfaces or Layer 3 Interfaces

Layer 2 makes it possible to plop the firewall, using as many ports as you like, in the middle of a switched environment with the same broadcast domains east and west (you could bridge 3 switches all holding the same VLANs, for example). Layer 3 makes for a more traditional routed environment where each network requires routing to get to another network. From a security perspective, having routing in the mix prevents 'rogue' subnets in one VLAN from being able to traverse onto a legitimate subnet in a different VLAN; it also simplifies segregation.

Help the community: Like helpful comments and mark solutions
Reaper out
L0 Member

Re: Layer 2 Interfaces together with Vlan Interfaces or Layer 3 Interfaces

Hi Reaper,

Thanks for your response.

In my situation there is only one aggregated link from the switching fabric to the firewall.
Therefore I don't need the firewall to switch packets. So I thought about configuring the link as L3.

The reason why I am still considering an L2 interface is that I can bind them to a VLAN interface which is L3. With the VLAN interfaces I am able to route to different VLANs/subnets with the virtual router from Palo. Also with this configuration I am still able to easily attach network devices to the firewall.

Are there any drawbacks if I consider the L2 configuration method?

Community Manager

Re: Layer 2 Interfaces together with Vlan Interfaces or Layer 3 Interfaces

That works in Layer 3 mode as well, using tagged sub-interfaces. No real drawbacks in using Layer 2 though; security wise all 3 modes are the same. Layer 2 is a little more complex because you need to configure 3 different settings (VLAN, VLAN interface and physical interface/sub-interfaces), but that's basically the only difference.

Help the community: Like helpful comments and mark solutions
Reaper out
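To make the two variants discussed in this thread concrete, here they are side by side as PAN-OS set-command CLI. This is an added example, not configuration from any post above or from Palo Alto Networks. The interface name ethernet1/1 (plus ethernet1/5 for the extra port), VLAN tag 100, the 192.0.2.0/24 addresses, the zone names and the virtual router name "default" are assumptions, and the command syntax is written from memory of the PAN-OS CLI, so check it against the configuration tree of your own PAN-OS version (`set network ?` in configure mode) before committing.

```text
# --- Variant 1: Layer 3 trunk with tagged subinterfaces (assumed names) ---
# One object per VLAN: the subinterface itself carries the tag and the IP.
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 tag 100
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.100 ip 192.0.2.1/24
set network virtual-router default interface ethernet1/1.100
set zone trust network layer3 ethernet1/1.100

# --- Variant 2: Layer 2 trunk + VLAN object + VLAN (L3) interface ---
# The three settings Reaper refers to: the L2 subinterface, the VLAN object
# it is switched into, and the VLAN interface that gives that VLAN an IP.
set network interface ethernet ethernet1/1 layer2 units ethernet1/1.100 tag 100
set network vlan vlan100 interface ethernet1/1.100
set network interface vlan units vlan.100 ip 192.0.2.1/24
set network vlan vlan100 virtual-interface interface vlan.100
set network virtual-router default interface vlan.100
# Two zones of different types: a layer2 zone for the switched leg and a
# layer3 zone for the routed leg. Policy is written against these zones.
set zone trust-l2 network layer2 ethernet1/1.100
set zone trust network layer3 vlan.100

# The "easy attach" advantage from the opening post: putting a spare, untagged
# port into the same VLAN later only adds the port to the existing VLAN object.
set network interface ethernet ethernet1/5 layer2
set network vlan vlan100 interface ethernet1/5
set zone trust-l2 network layer2 ethernet1/5
```

In both variants the routed object (ethernet1/1.100 or vlan.100) has to be a member of the virtual router and of a zone before a security rule can reference it, and the switch side of the trunk must carry tag 100 either way. The practical difference is the one the thread describes: variant 2 keeps the switched leg and the routed leg as separate objects in separate zones, which is what lets extra ports join the VLAN without touching the routed configuration, at the cost of the extra VLAN object and zone.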
L7 Applicator

Re: Layer 2 Interfaces together with Vlan Interfaces or Layer 3 Interfaces

My preference is to use straight Layer 3 or Layer 3 + subinterfaces. It is simpler and more straightforward to configure, and the great majority of the customers I've worked with use these L3 modes. My rule of thumb is: "use L3 interfaces unless you can articulate the specific reasons why your deployment requires L2 w/ VLAN interfaces".
