Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Layer 2 and Layer 3 interfaces connected to the same switch?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Layer 2 and Layer 3 interfaces connected to the same switch?

L2 Linker

I'm currently working on a migration project from Sonicwall (SW) to Palo Alto 3020 (PA) and I need to buy myself some time. For now, I'd like to place the SW inside of the PA so that LAN-WAN traffic will enjoy the benefits of Wildfire, Antivirus, App-ID, and threat detection. Things get a bit complicated, though, due to the SW doing NAT, Ipsec site-site VPN, and SSL VPN (for now).

 

Originally I was thinking of creating a bidirectional NAT on PA that would map the old public address of the SW to a new private address that I'd assign to the SW public interface.

 

But I'm thinking it might be simpler to make use of Layer 2 interfaces on PA. Here I'd create two layer 2 interfaces:

 

Interface A would connect to the Internet router via switch A.

Interface B would connect directly to the SW public interface.

 

Now I don't have to renumber the SW public interface at all.

 

My concerns:

 

  1. PA already connects to the Internet router via Layer 3 interface  linked to switch A. I need to be sure that no ethernet loops will be created.
  2. Do I lose any security functionality when traffic passes through Layer 2 interfaces on PA instead of being routed through Layer 3 interfaces?

Thanks in advance for any advice!

1 accepted solution

Accepted Solutions

Yes, you can have multiple vwires on a system. You just have to 2 interfaces per vwire. I run multiple vwires on several systems. 

Using L2 interfaces should work as well.

View solution in original post

4 REPLIES 4

L3 Networker

You could use vwire interfaces on the PA so that you don't have to worry about changing IP addresses. If you do that, it might make more sense to put the PA on the trusted side of the SW so that you can do the various inspections on the real addresses instread of on a translation address and port.

Interesting. I had considered a virtual wire but I'm not sure I understand it fully. I guess the difference between a vwire and a layer 2 interface is that a vwire can allow multiple VLANs through, just like a physical cable? That would be attractive on the trusted side of the SW since the SW uses subinterfaces to carry all the internal VLAN traffic.

 

But I think I may still want the PA on the untrusted side of the SW, to protect the SW itself. I suppose I could have two vwires, right?

 

Back to my original proposal, if I use a pair of Layer 2 interfaces to link the SW to the WAN, I also don't have to worry about changing IP addresses, right?

Yes, you can have multiple vwires on a system. You just have to 2 interfaces per vwire. I run multiple vwires on several systems. 

Using L2 interfaces should work as well.

Thank you, I've done some testing and it looks like it will probably work. The only hitch is I am running an active/passive HA pair, so in order to connect the vwire to my router, I am actually connecting interface 11 from each of the PAs into the switch.

 

Then for testing, I'm using a laptop, so to connect it to the HA pair I created VLAN 40 on the switch and connected interface 12 from each of the PAs, plus the laptop, into that VLAN.

 

(Interface 11 and 12 on PA are the vwire interfaces.)

 

The switch doesn't seem to like this--the switchport that the active PA is connected to always goes into BLOCKED state. That VLAN has spanning tree turned on; maybe I should try turning it off. I'm not sure it will matter in the actual deployment. For now, if I remove all the links to VLAN 40 and just connect the laptop directly into interface 12 of the active PA, I can reach the internet and I can monitor the traffic in the PA.

 

EDIT: The issue turned out to be that the switch is set up with "spanning tree single" (Brocade/Foundry). Once I turned off spanning tree in VLAN 40 it was no longer part of the switch-wide spanning tree, so it allowed me to bridge VLAN 40 to the other VLAN on the switch.

  • 1 accepted solution
  • 4082 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!