how to combine layer2 and layer3 on a single port

L5 Sessionator

Hi Walt,


I am just looking at your diagram, and I am thinking you should be able to use a Layer3 trunk as the interface, and then create sub-interfaces per VLAN to control the traffic of particular VLANs.


That's how I am running my lab, a bit smaller configuration in terms of devices, but I am basically connecting with a Layer3 untagged interface to my trunk port, and then I have L3 sub-interfaces with VLAN tags and IP addresses that are effectively the gateways for the VLANs in the virtual environment. That way I am using the full bandwidth of the interface and just doing logical routing with VLANs and the virtual router inside.


Combining L2 and L3 interface configuration per interface is not possible, but there are plenty of other solutions - the six-tuple that is used to evaluate a session does NOT include the interface: what matters for session matching are IP addresses, ports, zone and protocol. So, as long as your packets match those six items, it does not really matter which interface they came in or went out through.

Another thing is that L2 does not offer the best inspection and visibility into traffic; you should always try to have L3 interfaces and inspection rather than L2 or vwire/tap inspection.


Best regards,


Luciano

L2 Linker

I have used instances where I've built a single "trunk-1" port with multiple L3 tagged VLANs (sub-interfaces). But as you can see, I would like to add another physical port "trunk-2" carrying the same VLANs. Our core switches/routers can do this (add multiple physical interfaces to any VLAN, and each physical interface can carry multiple (tagged) VLANs). But of course we do not get the level of inspection/allow/deny that the 5050 will provide.


Thanks for the input

walt

Cyber Elite

Hello,

Just some other things to consider.


Aggregate interfaces on the PAN

https://live.paloaltonetworks.com/t5/Integration-Articles/Designing-Networks-with-Palo-Alto-Networks...

https://live.paloaltonetworks.com/t5/Configuration-Articles/Which-Link-Aggregation-Protocols-are-Sup...


Also, you mentioned you were running 6.1.9; you may want to think about upgrading, or at least protecting the management interface.

https://securityadvisories.paloaltonetworks.com/


Cheers!
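Putting the two suggestions in this thread together (Luciano's "one trunk with L3 tagged sub-interfaces per VLAN" and the aggregate-interface links above), here is what the resulting PAN-OS configuration looks like as CLI `set` commands. This is an added illustration, not configuration posted by anyone in the thread and not taken from the linked articles. The interface names (ethernet1/1, ethernet1/2, ae1), VLAN IDs (10, 20), zone names, IP addresses and the management permitted-ip range are all assumed placeholder values; adjust them to your own design. An aggregate-ethernet interface bundles both physical "trunk" ports into one logical L3 interface, so the sub-interfaces (and therefore the zones and the six-tuple session matching Luciano describes) are defined once rather than per physical port.

```panos
# Assumed example: two physical trunk ports (ethernet1/1, ethernet1/2)
# bundled into one aggregate interface ae1 running LACP.
set network interface ethernet ethernet1/1 aggregate-group ae1
set network interface ethernet ethernet1/2 aggregate-group ae1
set network interface aggregate-ethernet ae1 layer3 lacp enable yes
set network interface aggregate-ethernet ae1 layer3 lacp mode active

# One Layer3 sub-interface per VLAN carried on the trunk.
# The sub-interface IP is the gateway for that VLAN (assumed addressing).
set network interface aggregate-ethernet ae1 layer3 units ae1.10 tag 10
set network interface aggregate-ethernet ae1 layer3 units ae1.10 ip 10.0.10.1/24
set network interface aggregate-ethernet ae1 layer3 units ae1.20 tag 20
set network interface aggregate-ethernet ae1 layer3 units ae1.20 ip 10.0.20.1/24

# Bind both sub-interfaces to the virtual router so inter-VLAN traffic is routed
# (and therefore inspected) by the firewall rather than bridged.
set network virtual-router default interface ae1.10
set network virtual-router default interface ae1.20

# Separate zones per VLAN: zone is one of the six session-matching fields,
# so security policy between the VLANs is written zone-to-zone (assumed zone names).
set zone users network layer3 ae1.10
set zone servers network layer3 ae1.20

# Restrict which source addresses may reach the management interface at all,
# per the advisory reminder in the post above (assumed admin subnet).
set deviceconfig system permitted-ip 10.0.99.0/24

commit
```

Adding a third physical port later is a single extra `aggregate-group ae1` line; nothing about the sub-interfaces, zones or policy has to change, which is exactly the property the original poster was looking for on the switch side. The `permitted-ip` entry is independent of the data-plane design and is worth setting even if an upgrade is scheduled.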
