Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

Reply
Highlighted
L1 Bithead

Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

We have a PaloAlto PA220 at work what is used for telephony/SIP traffic that I  set up  several months ago.

 

Upstream  of the PaloAlto is a  unmanaged L2 netgear switch  what sits  between the leased internet line, the PaloAlto , and a  another non-PaloAlto firewall. I want to get rid of this unmanged L2 netgear  switch and connect our other non-PaloAlto firewall and the Internet leased line directly into the PaloAlto.

 

The thing is is through the PaloAlto has a  external IP of 5.X.X.36/28 and the   non-PaloAlto firewall has a IP of  5.X.X.34/28, and following the guide linked below fails (commit fails) due to   setting the VLAN interface IP to  5.X.X.34/28 overlaps and conflicts with  5.X.X.36/28. Both the PaloAlto and the non-PaloAlto firewall both use the same ISP gateway (5.x.x.33/28.)

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKMCA0

 

How do I get around this issue and  connect our  non-PaloAlto  firewall into the PaloAlto firewall so that the Layer 2 switch can be got rid off.

 

Regards: Elliott.

 

Highlighted
L4 Transporter

Re: Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

If the other firewall has 5.X.X.34 , then it's going to conflict if both are the same?? Or are you getting rid of the other firewall?

 

Rob

Highlighted
L1 Bithead

Re: Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

The other firewall is our main corporate Checkpoint branded firewall and can not be got rid of. Yes it uses a IP on the same subnet and the same default gateway as the PaloAlto firewall.

 

I essentially want to integrate the layer 2 switch into the PaloAlto so the layer 2 switch is not needed anymore.

 

Regards: Elliott

Highlighted
L4 Transporter

Re: Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

I don't think you've provided enough information here for people to help you.  A diagram would be nice.  I am guessing you want to use your PA-220 as a switch just so you can remove some equipment.  On the surface, you can do this but it sounds like a really bad idea.  Is there a technical reason you want to remove this switch?

Highlighted
L4 Transporter

Re: Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

So the L2 Switch has the

 

Internet on one port.

PA on another port

Checkpoint on another port. 

 

All there  in the same vlan.

 

Personally that's how I intend my external infrastructure to be, I can then have multiple ISP's and trusted their part circuits  on different VLANS going to any combination of firewalls.

 

Highlighted
L2 Linker

Re: Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

@RobinClayton so, I think the issue you are having is that you are trying to prestage the PA220 by creating the second interface in the same subnet before you deprecate the existing one... if this is the case that explains the error as PANOS will not let you do that in the same VR IIRC.

 

As for removing the L2 switch and directly connecting that should be OK, based on what we know at this point, so long as your upstream CP FW is not in HA and doesn't need a common L2 to accommodate... 

 

Assuming below is a simple representation:

 

simplediagram.png

The L2 switch should not be needed... could you just leave the configs as-is and directly connect the CP/PA FWs directly?

Highlighted
L1 Bithead

Re: Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

Please see below  for the topology diagrams.  It is to note the Checkpoint firewall can not be changed and  is out of my control.

 

The PaloAlto  firewall servers as the route for SIP/VOIP traffic, and the Checkpoint firewall servers as  the route for  all other traffic.

 

Current Topology:

Current-topology.jpg

Wanted Topology:

 

Wanted-topology.jpg

 

Regards: Elliott.

Highlighted
L4 Transporter

Re: Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

If it were me, I would prefer the setup you currently have over the proposed.  I'm still trying to see what you are trying to accomplish or gain here.  I don't like forcing Layer 2 through a PAN.  You can do it but I wouldn't unless I was forced.

Highlighted
Cyber Elite

Re: Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

Hello,

In all honesty, I dont think your 220 could handle the traffic. And you might not have enough ports to do vwire plus you would still need a switch between the pan and leased line. If you made the PAN interfaces L2, you still need a L3 interface for it to route the sip traffic so you would need a L3 vlan interface for that.

 

However depending on the traffic through the CheckPoints, i still dont think the PAN could handle the traffic.

 

Regards,

Highlighted
L4 Transporter

Re: Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

Otakar eludes to the V-Wire, which would allow traffic to traverse the PA seamlessly, but in that scenario, as he points out, you would need bot a trusted and untrusted v-wire ports. And the untrusted v-wire and external interface still both need to connect to the Leased line somehow.

 

The present setup is really correct for most instances. 

 

Or are you trying to get rid of £$  threat inspection licences on the checkpoint and put that into the PA??

 

Rob

 

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!