Interconnect between layer 3 and layer 2 interface possible?


L3 Networker

Is the below configuration possible?


1. 1 layer3 interface acts as gateway and DHCP

2. 1 layer2 interface interconnects to the layer3 interface above. The computer connected to this interface can reach the layer3 gateway and receive an IP address from its DHCP


In short, 2 interfaces use the same gateway and DHCP.


Cyber Elite


To the best of my knowledge something like this isn't going to work. I imagine that you are trying to use a PA-200/220 for like a single small office device? 

Hello BPry,

Correct. I'm now testing a PA-220.

Due to the lack of a network switch (in the testing env), I want to use 2 interfaces to connect to 2 computers. And these 2 computers need to connect to the same gateway and receive IP addresses from the same DHCP.


Of course I've plenty of switches in the production environment. I just want to see if this kind of configuration is possible on PA-220.


Ya I don't think what you are trying to do here is going to work at all. As soon as you attempt to configure the second interface you'll get validation errors due to the interfaces sitting on the same subnet. 


So far my attempts either don't work or can't even pass validation.

I thought PAN-OS 8 could emulate a virtual cable connection between layer3 (as router) and layer2 (as switch).

Maybe I'll go find a spare network switch instead.


How about using a VLAN interface as the layer 3 and the physical as layer 2?


Just a thought.

Hello Otakar,

In PAN-OS 8, I can't select a layer 3 interface when creating a VLAN.

L2 Linker

Hi guys,

I'm trying a similar setup. I'm installing a new PA-820 replacing our old PA-500. Currently the PA-500 is acting as a router/gateway to clients and servers, but users are experiencing slow inter-VLAN performance (the PA sub int seems to not run at 1gb wire speed). So I'm making the PA-820 have layer2 sub ints that will bridge to our layer3 Cisco SVI int and use the SVI int as gateways. I'm trying to find the best plan of attack before making changes. Thanks in advance.


See my reply on your discussion topic. 

The PA-500 wouldn't achieve wire speed as soon as you enabled either app-id or Threat Prevention, and you likely have both enabled. If you were even getting this to work with a PA-500 in a somewhat respectable manner the PA-820 should perform without issue in the same exact configuration. 

Thanks for the reply Bpry. We do have threat prevention and app-id on, and had to move any dbase users to the same VLAN because of the slowdowns, so with the PA-820 it should resolve that. I actually went and did the import/export already to the PA-820, and will change the cables at the end of the day to test.
