For details on cookie usage on our site, read our Privacy Policy
Switching without layer 2 zones
- LIVEcommunity
- Discussions
- Configuration Wizard Discussions
- Switching without layer 2 zones
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-18-2023 02:56 AM - edited 09-18-2023 03:06 AM
Hello,
I would like some advice on my setup.
I have a firewall (PA-5250) connected to 2 different switches, say :
- VM-Building1 -- switch building1 -- eth1 FW eth2 -- switch building 2 -- VM building 2
- the VM use VLAN 1000
I did this :
- Configure 2 subinterfaces (Network > Interfaces > Ethernet) : eth1/1000 and eth2/1000 as layer 2 with the tag 1000
- create a SVI vlan.1000 (Network> Interfaces > VLAN) with the gateway and default router and layer 3 security zone
- create a VLAN (Network > VLAN) VL_1000 using the vlan.1000 SVI, with the 2 subinterfaces.
I would like the communication inside the WLAN not to go through the firewall. However, unless i configure a layer 2 zone which i assign the the subinterfaces, my 2 VM cannot ping each other, they can both ping the gateway, though.
Is there a way to allow the communication without going through the firewall ?
Any advice would be appreciated, thank you.
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-18-2023 03:57 AM
Hi @diesmo ,
I am probably missing your point, but I don't believe you loose those benefits if you connect the two switches.
Let me try to explain my idea again:
- Connect switch1 and switch2 directly. Either configure it as trunk and allow any vlans that available in the two building, or just the vlan you need.
- Connect one port from each port to PAN FW. Again up to you if you want to configure these ports as trunks/tagged for multiple vlans, or for only one vlan, or just untagged for the required vlan
- On the firewall configure those two physical ports as link-aggregation (do not enable LACP).Use simple layer3 interface and put IP on the firewall to act as default gateway for the VLAN
- (optional) if you have configure the switches as trunks/tagged to the firewall you need to create the layer3 interface as sub-interface for the agg interface.
With this approach::
- You still have one hop connection to internet from each building.
- Traffic one one build to internet will go to other building first, only if the link between the local switch and the firewall is done, but connection between the two switches is still up.
- If you lose one switch this will not affect the traffic in the other building,
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-18-2023 03:24 AM
Hi @diesmo
If you don't want to control/restrict/filter traffic between the two building in the same VLAN, why are you connecting the firewall between the two switches?
You can leave the config that you already have done so both buildings can have access to default gateway any any inter-vlan traffic,
but connect the two switches together to allow intra-VLAN traffic between the two buildings to go directly without firewall inspection.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-18-2023 03:34 AM - edited 09-18-2023 03:35 AM
Hello @aleksandar.astardzhiev
Thank you for your reply. Yes, i know i can connect the switch in building1 to the firewall and the switch in building 2 directly to the switch in building 1.
I suppose with my setup the benefits are :
- From outside to VM2, i avoid one hop (ok small benefit)
- All the traffic from outside to building 2 avoids the bandwith from the firewall to switch in building 1
- If i lose the switches in building 1, the VMs in building 2 are still available.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-18-2023 03:57 AM
Hi @diesmo ,
I am probably missing your point, but I don't believe you loose those benefits if you connect the two switches.
Let me try to explain my idea again:
- Connect switch1 and switch2 directly. Either configure it as trunk and allow any vlans that available in the two building, or just the vlan you need.
- Connect one port from each port to PAN FW. Again up to you if you want to configure these ports as trunks/tagged for multiple vlans, or for only one vlan, or just untagged for the required vlan
- On the firewall configure those two physical ports as link-aggregation (do not enable LACP).Use simple layer3 interface and put IP on the firewall to act as default gateway for the VLAN
- (optional) if you have configure the switches as trunks/tagged to the firewall you need to create the layer3 interface as sub-interface for the agg interface.
With this approach::
- You still have one hop connection to internet from each building.
- Traffic one one build to internet will go to other building first, only if the link between the local switch and the firewall is done, but connection between the two switches is still up.
- If you lose one switch this will not affect the traffic in the other building,
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-18-2023 04:38 AM - edited 09-18-2023 07:30 AM
Thank you @aleksandar.astardzhiev
I may end up using your design, yes.
This is the lab i tried to put together (for information).
I understand here that VM in building1 cannot ping VM in building 2, unless we configure a layer 2 security zone on the ethernet subinterfaces.
Network > Interfaces > Ethernet
Network > Interfaces > VLAN
Network > VLAN
Network > Zones
For the 2 machines to be able to communicate, we need to define a Layer 2 security zone (and make sure the intrazone default security is ALLOW) :
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
