Interconnect between layer 3 and layer 2 interface possible?

Reply
L2 Linker

Interconnect between layer 3 and layer 2 interface possible?

Is below configuration possible?

 

1. 1 layer3 interface act as gateway and DHCP

2. 1 layer2 interface interconnect to the layer3 interface above. The computer connected to this interface can reach the layer3 gateway and IP address receive from its DHCP

 

In short, 2 interfaces use the same gateway and DHCP.

Cyber Elite

@jeremylo,

To the best of my knowledge something like this isn't going to work. I imagine that you are trying to use a PA-200/220 for like a single small office device? 

L2 Linker

Hello BPry,

Correct. I'm now testing a PA-220.

Due to lack of network switch (in testing env). I want to use 2 interfaces connect to 2 computers. And these 2 computers need connect to the same gateway and receive IP address from the same DHCP.

 

Of course I've plenty of switch in production environment. I just want to see if this kind of configuration is possible on PA-220.

Cyber Elite

@jeremylo,

Ya I don't think what you are trying to do here is going to work at all. As soon as you attempt to configure the second interface you'll get validation errors due to the interfaces sitting on the same subnet. 

L2 Linker

BPry

So far my attempt either not work or even can't pass validation.

I thought PAN-OS 8 can emulate a virtual cable connect between layer3 (as router) and layer2 (as switch).

Maybe I go find a spare network switch instead.

Cyber Elite

Hello,

How about using a VLAN interface as the layer 3 and the physical as layer 2?

 

Just a thought.

L2 Linker

Hello Otakar,

In pan-os 8. I can't select a layer 3 interface when create VLAN

L2 Linker

Hi guys,

I'm trying a similar setup, I'm installing a new pa820 replacing our old pa500, but currently the pa500 is acting as a router/gateway to clients and servers, but users are experiencing slow intervlan performance(the pa sub int seems to not run at 1gb wire speed). So I'm making the pa820 have layer2 sub int that will bridge to our layer3 cisco svi int and use the svi int as gateways, I'm trying to find the best plan of attack before making changes, thanks in advanced.

Cyber Elite

@cdcirexx,

See my reply on your discussion topic. 

The PA-500 wouldn't achieve wire speed as soon as you enabled either app-id or Threat Prevention, and you likely have both enabled. If you were even getting this to work with a PA-500 in a somewhat respectable manner the PA-820 should perform without issue in the same exact configuration. 

L2 Linker

Thanks for the reply Bpry, we do have threat prevention and app-id on, and had to move any dbase users to the same vlan cause of the slowdowns, so with the pa820 it should resolve that, I actually went and did the import export already to the pa820, and will change the cables at the end of the day to test.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!