
Connecting two L2 segments via PAN?


L1 Bithead

I am trying to connect two separate Layer2 segments using the same VLAN ID 569 and same IP subnet 10.10.69.0/24.

The firewall has:

ae1 (mode layer2) with members ethernet1/1 and ethernet1/2

ae2 (mode layer2) with members ethernet1/5 and ethernet1/6

VLAN 569 configured with name UC_Servers

> show vlan "Unified Communications Net 569"

total vlan shown :                    1

name                              interface         virtual interface   layer3 forwarding
-----------------------------------------------------------------------------------------
Unified Communications Net 569    ae2.569           vlan.569            disabled
                                  ae1.569

> show interface ae1.569

--------------------------------------------------------------------------------
Name: ae1.569, ID: 277, 802.1q tag: 569
Operation mode: layer2
Interface management profile: N/A
Service configured:
Zone: N/A, virtual system: vsys1
Adjust TCP MSS: no

> show interface ae2.569

--------------------------------------------------------------------------------
Name: ae2.569, ID: 266, 802.1q tag: 569
Operation mode: layer2
Interface management profile: N/A
Service configured:
Zone: N/A, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

> show interface vlan.569

--------------------------------------------------------------------------------
Name: vlan.569, ID: 274
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 10.10.69.1/24
Interface management profile: MP_Outside
  ping: yes  telnet: no  ssh: yes  http: no  https: yes
  snmp: yes  response-pages: yes  userid-service: no
Service configured:
Zone: SZ UC, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------

I am not sure what the "L3 forwarding enabled" checkbox within the VLAN does, but I've tested with and without it and it does not help. I am already doing L3 forwarding between this and many other VLANs within the PA.

So my question is:

Both L2 segments work individually well, but they are not able to communicate with one another on Layer2 via the PaloAlto. Is this possible to achieve with this device? PA-500?

Thanks in advance!

L5 Sessionator

May be useful for your need: https://live.paloaltonetworks.com/docs/DOC-2011

V.

Hi Vincent,

Thank you very much. I have a solid networking background, but am quite new to PAN. I've missed the concept of Layer2 security zones which makes perfect sense.

The document you attached helped me to understand what I am missing. And it's quite intuitive. I've configured a new Layer2 Security Zone, put ae1.569 and ae2.569 in it, and voila - everything works as it should!

And again I see how powerful this platform is, I am just amazed!

Thanks again - we can consider this issue resolved.

With pleasure 🙂
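The configuration the thread ends up with, written out as an added PAN-OS CLI example for this page (it is not the OP's own config and not taken from the linked document); the zone name UC_L2 and rule name UC_L2_intrazone are assumptions, everything else uses the names shown in the thread:

```text
# Constructed PAN-OS CLI example (not from the thread). Builds what the OP
# describes: ae1/ae2 in layer2 mode, VLAN 569 on both, vlan.569 as the
# routed gateway, plus the piece the accepted answer supplies: a Layer2
# security zone that holds both subinterfaces.
# Assumed names: zone "UC_L2", rule "UC_L2_intrazone".
configure

# Layer2 subinterfaces tagged 569 on each aggregate
set network interface aggregate-ethernet ae1 layer2 units ae1.569 tag 569
set network interface aggregate-ethernet ae2 layer2 units ae2.569 tag 569

# VLAN object that bridges both subinterfaces, with vlan.569 as its L3 interface
set network vlan "Unified Communications Net 569" interface [ ae1.569 ae2.569 ]
set network vlan "Unified Communications Net 569" virtual-interface interface vlan.569

# Routed gateway for the segment, attached to the default virtual router
set network interface vlan units vlan.569 ip 10.10.69.1/24
set network virtual-router default interface vlan.569

# The missing step from the question: a Layer2 zone containing both
# subinterfaces. Until a layer2 interface is in a zone, PAN-OS does not
# switch frames between ae1.569 and ae2.569, which is exactly the symptom
# the OP saw (each segment works alone, no L2 reachability across the PA).
set zone UC_L2 network layer2 [ ae1.569 ae2.569 ]

# vlan.569 stays in the existing layer3 zone for routed traffic
set zone "SZ UC" network layer3 vlan.569

# Intrazone traffic is allowed by the default rule; an explicit rule makes the
# bridged L2 flows show up in the traffic log and lets you tighten them later.
set rulebase security rules UC_L2_intrazone from UC_L2 to UC_L2 source any destination any application any service application-default action allow log-end yes

commit
```

After the commit, `show vlan "Unified Communications Net 569"` should still list both subinterfaces, and `show zone-protection` / `show interface ae1.569` will now report the zone instead of `Zone: N/A`.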

  • 1 accepted solution
  • 2994 Views
  • 3 replies
  • 0 Likes