how to combine layer2 and layer3 on a single port


5050 at ver 6.1.9

Hello all! You may want to sit down for this one. We have a core router that connects to a single layer 3 10GB port on a 5050 as the internet gateway. The 5050 also has several server networks attached via 1gb ports. Again, these ports are layer 3 and act as the gateway for these networks. All connections on the 5050 are now layer 3 interfaces. We are trying to migrate away from our current ISP connection on the 5050 to new connections off of the core router, and we are looking at migrating our existing servers from 1gb to 10gb through the core routers, all the while allowing the 5050 to examine traffic.

1) We would like to keep this 10gb port on the 5050 as a default route.

2) We would like to extend the existing 5050 server networks back down to the core router via the same 10gb pipe, where we will connect servers with 10gb connections within the core.

3) We are migrating away from the existing WAN connection on the 5050. With that said, our intention is to use policy routing to route certain users onto a new layer three VLAN (new default route) that would exist on that same 10gb pipe. That network will be passed as layer 2 traffic through the core router to other ISPs.

So in a nutshell I need to create the server VLANs with two ports each, one port for the existing 1gb server farm off the 5050 and another port (the 10gb port) that will be used by multiple VLANs. Now when you stop laughing, is this at all possible, and if it is, can you point me to a step by step in creating these interfaces?

thanks in advance

Walt

Hi Walt,

I am just looking at your diagram, and I am thinking you should be able to use a Layer 3 trunk as the interface, and then create sub-interfaces per VLAN to control the traffic of particular VLANs.

That's how I am running my lab, a bit smaller configuration in terms of devices, but I am basically connecting with a Layer 3 untagged interface to my trunk port, and then I have L3 sub-interfaces with VLAN tags and IP addresses that are effective gateways for VLANs in a virtual environment. That way I am using the full bandwidth of the interface and just doing logical routing with VLANs and the virtual router inside.

Combining L2 and L3 interface configuration per interface is not possible, but there are plenty of other solutions. The six-tuple that is used to evaluate a session does NOT include the interface: what matters for session matching are IP addresses, ports, zone and protocol. So, as long as your packets match those six items, it does not really matter what interface they came in or went out through.

Another thing is that L2 does not offer the best inspection and visibility into traffic; you should always try to have L3 interfaces and inspection rather than L2 or vwire/tap inspection.

Best regards,

Luciano

I have used instances where I've built a single "trunk-1" port with multiple L3 tagged VLANs (sub-interfaces). But as you can see, I would like to add another physical port "trunk-2" carrying the same VLANs. Our core switch/routers can do this (add multiple physical interfaces to any VLAN, and each physical interface can carry multiple (tagged) VLANs). But of course we do not get the level of inspection/allow/deny that the 5050 will provide.

thanks for the input

Walt

Hello,

Just some other things to consider.

Aggregate interfaces on the PAN:

https://live.paloaltonetworks.com/t5/Integration-Articles/Designing-Networks-with-Palo-Alto-Networks...

https://live.paloaltonetworks.com/t5/Configuration-Articles/Which-Link-Aggregation-Protocols-are-Sup...

Also, you mentioned you were running on 6.1.9; you may want to think about upgrading or protecting the management interface.

https://securityadvisories.paloaltonetworks.com/

Cheers!
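The L3 trunk with tagged sub-interfaces that Luciano describes, built on the aggregate interface linked in the reply above and with a policy-based forwarding rule for the new default route Walt mentioned, as an added PAN-OS CLI example that is not from this thread or from Palo Alto Networks' documentation. Interface names, VLAN tags, addresses, zone names and rule names are assumed placeholders, and the PBF lines in particular are written from memory and should be checked against the CLI's tab completion.

```text
# Added example, not from the thread. PAN-OS configure-mode 'set' commands.
# All interface names, tags, addresses, zone and rule names are assumed placeholders.

# 1. Bundle two 10G ports into one LACP aggregate toward the core. ae1 itself is
#    Layer 3 but carries no untagged address; every VLAN gets its own sub-interface.
set network interface aggregate-ethernet ae1 layer3 lacp enable yes
set network interface ethernet ethernet1/21 aggregate-group ae1
set network interface ethernet ethernet1/22 aggregate-group ae1

# 2. One tagged L3 sub-interface per VLAN on the trunk. The firewall remains the
#    gateway for each network, so inter-VLAN traffic is routed and inspected here.
set network interface aggregate-ethernet ae1 layer3 units ae1.10 tag 10
set network interface aggregate-ethernet ae1 layer3 units ae1.10 ip 10.10.10.1/24
set network interface aggregate-ethernet ae1 layer3 units ae1.20 tag 20
set network interface aggregate-ethernet ae1 layer3 units ae1.20 ip 10.10.20.1/24
set network interface aggregate-ethernet ae1 layer3 units ae1.30 tag 30
set network interface aggregate-ethernet ae1 layer3 units ae1.30 ip 203.0.113.2/30

# 3. Separate zones: zone is part of the session match, so security policy can
#    treat the server VLANs and the new ISP hand-off differently.
set zone srv-10g network layer3 [ ae1.10 ae1.20 ]
set zone isp-new network layer3 ae1.30

# 4. Attach the sub-interfaces to the virtual router. The existing default route is
#    left alone; a second default via the new ISP VLAN gets a worse metric until cutover.
set network virtual-router default interface [ ae1.10 ae1.20 ae1.30 ]
set network virtual-router default routing-table ip static-route to-isp-new destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ae1.30 metric 20

# 5. Policy-based forwarding steers one user subnet to the new ISP; everyone else
#    keeps the old default route. (Assumed syntax: confirm with CLI tab completion.)
set rulebase pbf rules users-to-new-isp from zone users
set rulebase pbf rules users-to-new-isp source 10.50.0.0/24
set rulebase pbf rules users-to-new-isp destination any
set rulebase pbf rules users-to-new-isp action forward egress-interface ae1.30 nexthop ip-address 203.0.113.1

# Check before commit: 'validate full', then 'commit'; afterwards 'show interface ae1'
# and 'show routing route' to confirm the members, sub-interfaces and both defaults.
```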
