Palo Alto Layer2 mode and bridge vlan in different subnets

L3 Networker

Hi All

Can Palo Alto bridge two VLANs, like VLAN 10 and VLAN 30, that have different subnets? Or should both VLANs have the same subnet?

Basically, what I want: I have VLAN 10 with subnet 10.10.10.0/24 and VLAN 30 with subnet 192.168.1.0/24. Both VLANs have their gateway on the core switch. How can I use a Palo Alto firewall in layer 2 mode to do the firewalling between the two VLANs?

4 REPLIES

L7 Applicator

To have the inspection at layer 2 with the gateway on the core switch, you need to find a layer 2 path where you can insert the PAN in the link; using v-wire would probably be simplest.

If your core device is a pure core with nothing but other switches attached, this should be possible. Intercept the links from the core switch to the aggregation switch and insert the layer 2 PAN in these lines, assuming you have enough ports for all the links.

On the PAN side you then need to create all the VLANs that exist on that link and set up the rules for inspection of the traffic that crosses the PAN v-wire for each VLAN.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

@pulukas thank you. I got your point. But then I have to make two security rules, right? One for vwire-10 (going to the gateway of VLAN 10) and the other policy for vwire-20 (coming from the gateway of VLAN 20 to the server)?

Also, if the firewall is off path to the core firewall, then do I have to host the VLAN gateway on the L2 firewall as well for inter-VLAN firewalling?

I have not done this, but I think you won't need two rules if you place everything in the same zone.

The rules will be intrazone traffic.

They are written in the direction that traffic is initiated.

As the traffic comes through, it should still match the existing sessions even though it goes through the PAN twice in each direction.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

You can also create a Layer 2 interface with two subinterfaces, then create a policy to allow traffic from one's zone to the other's and back (interzone will do this if you only want to create a single policy).

The only thing you'll need to take care of yourself is how the different broadcast domains are going to communicate with one another without a routing device in between.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
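As an added illustration (not from either reply above), here are the two designs discussed in this thread written as PAN-OS set-format commands: the inline v-wire with a single zone and one intrazone rule from the first reply, and the Layer 2 interface with one subinterface per VLAN in separate zones from the second. Interface numbers, zone and rule names, and the allowed-tag list are assumptions; the command syntax is reproduced from memory of the PAN-OS CLI and should be checked against your release before committing.

```text
# Added example, not from either reply. Interface numbers, zone names, rule
# names and the tag list are assumptions; verify the syntax on your release.

# Design 1 (first reply): v-wire inserted in the core-to-aggregation link,
# passing only the VLAN tags that need inspection. Both v-wire interfaces sit
# in one zone, so the rule is intrazone and is written in the direction the
# session is initiated; the reverse direction matches the existing session
# even though each flow crosses the v-wire twice.
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire vw-core-agg interface1 ethernet1/1 interface2 ethernet1/2 tag-allowed 10,30
set zone core-agg network virtual-wire [ ethernet1/1 ethernet1/2 ]
set rulebase security rules vlan10-to-vlan30 from core-agg to core-agg source 10.10.10.0/24 destination 192.168.1.0/24 application any service application-default action allow
set rulebase security rules vlan10-to-vlan30 log-end yes

# Design 2 (second reply): one Layer 2 interface with a subinterface per VLAN,
# each in its own zone, joined by a single VLAN object so frames can be
# switched between the two tags. Hosts in 10.10.10.0/24 and 192.168.1.0/24
# still need a router somewhere to reach each other; the firewall itself does
# not route between the two broadcast domains.
set network interface ethernet ethernet1/3 layer2 units ethernet1/3.10 tag 10
set network interface ethernet ethernet1/3 layer2 units ethernet1/3.30 tag 30
set network vlan vlan-bridge interface [ ethernet1/3.10 ethernet1/3.30 ]
set zone vlan10 network layer2 ethernet1/3.10
set zone vlan30 network layer2 ethernet1/3.30
set rulebase security rules vlan10-to-vlan30-l2 from vlan10 to vlan30 source 10.10.10.0/24 destination 192.168.1.0/24 application any service application-default action allow
set rulebase security rules vlan10-to-vlan30-l2 log-end yes
```

In design 2, a session initiated from the 192.168.1.0/24 side would need its own rule (or both zones listed in `from` and `to`) because the rule above only covers sessions initiated from VLAN 10.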