07-04-2019 04:31 AM
Hello Community
I am struggling to choose one of the following two configurations. Which concept would you choose?
I have a trunk between the Paloalto (PA-5060) and a switch.
In the first variant I would configure the trunk interface on the paloalto as a layer 3 interface (subinterfaces). The IP, vlan tag etc. are directly on the interface. In the secound variant I would configure the trunk interface as layer 2 which I assign a vlan interface.
Simplified the following network scheme:
Are there any advantages/disadvantages about these the two variants? Are there some best practices about when to use L2 or L3 Interfaces?
One advantage of the L2 interface I thought about is, that unused Ports on the Paloalto are less difficult to integrate to an existing Vlan/network.
Regards
Dominik
07-04-2019 05:09 AM
07-05-2019 02:23 AM
Hi Reaper
Thanks for your response.
In my situation there is only one aggregated link from the switching fabric to the firewall.
Therefore I dont need the firewall to switch packets. So i thought about configuring the link as L3.
The reason why I am still considering a L2 interface is that I can bind them to an vlan interface which is L3. With the Vlan interfaces i am able to route to different vlans/subnets with the virtual router from Palo. Also with this configuration i am still able to easily attach network devices to the Firewall.
Are there any drawbacks if I consider the L2 configuration method ?
07-05-2019 02:35 AM
07-05-2019 04:31 PM
My preference is to use straight Layer-3 or Layer-3 + subinterfaces. It is more simple & straight-forward to configure, and the great majority of the customers I've worked with use these L3 modes. My rule of thumb is: "use L3 interfaces unless you can articulate the specific reasons why your deployment requires L2 w/ VLAN interfaces".
12-02-2019 03:08 PM
I'm looking to configure Layer 3 subinterfaces with the access layer switches pointing to the subinterface IP as it's gateway. As this is East/West traffic, I am concerned about routing between the "East VLANs" routing to the "West network interfaces". I have all the interfaces in the same virtual router. The firewall isn't operational yet, but hope it works. I cannot find much documentation on this type of configuration.
12-03-2019 01:20 AM
this sounds pretty straight forward, do you have a network design?
if you have all L3 (sub)interfaces, and they're all in the same VR, routing will happen automagically (the routing table will be populated with 'connected' networks and route from the get-go)
08-22-2024 01:02 PM
Good evening,
Please Help find solution with example with L2, L3 sub, L3. West solution.
I find How to Configure a Layer 2 to Layer 3 Connection on the Palo Al... - Knowledge Base - Palo Alto Netw...
But KB missing part of solution.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
