Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-07-2013 05:43 AM
I am trying to connect two separate Layer2 segments using the same VLAN ID 569 and same IP subnet 10.10.69.0/24.
The firewall has:
ae1 (mode layer2) with members ethernet1/1 and ethernet1/2
ae2 (mode layer2) with members ethernet1/5 and ethernet1/6
VLAN 569 configured with name UC_Servers
> show vlan "Unified Communications Net 569"
total vlan shown : 1
name interface virtual interface layer3 forwarding
--------------------------------------------------------------------------------
Unified Communications Net 569ae2.569 vlan.569 disabled
ae1.569
> show interface ae1.569
--------------------------------------------------------------------------------
Name: ae1.569, ID: 277, 802.1q tag: 569
Operation mode: layer2
Interface management profile: N/A
Service configured:
Zone: N/A, virtual system: vsys1
Adjust TCP MSS: no
> show interface ae2.569
--------------------------------------------------------------------------------
Name: ae2.569, ID: 266, 802.1q tag: 569
Operation mode: layer2
Interface management profile: N/A
Service configured:
Zone: N/A, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------
> show interface vlan.569
--------------------------------------------------------------------------------
Name: vlan.569, ID: 274
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 10.10.69.1/24
Interface management profile: MP_Outside
ping: yes telnet: no ssh: yes http: no https: yes
snmp: yes response-pages: yes userid-service: no
Service configured:
Zone: SZ UC, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------
I am not sure what does "L3 forwarding enabled" checkbox within the VLAN does, but i've tested with and without and does not help. I am already doing L3 forwarding between this and many other VLANs within the PA.
So my question is:
Both L2 segments work individually well, but they are not able to communicate with one another on Layer2 via the PaloAlto. Is this possible to achieve with this device? PA-500?
Thanks in advance!
06-07-2013 06:00 AM
06-07-2013 06:11 AM
Hi Vincent,
Thank you very much. I have a solid networking background, but am quite new to PAN. I've missed the concept of Layer2 security zones which makes perfect sense.
The document you attached - helped me to understand what i am missing. And it's quite intuitive. I've configured a new Layer2 Security Zone and put ae1.569 and ae2.569 and voila - everything works as it should!
And again i see how powerfull is this platform, i am just amazed!
Thanks again - we can consider this issue resolved.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
