Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

cancel
Showing results for 
Search instead for 
Did you mean: 

Layer 2 to Layer 3 Connection , but on same Subnet and IP range?

L1 Bithead

We have a PaloAlto PA220 at work what is used for telephony/SIP traffic that I  set up  several months ago.

 

Upstream  of the PaloAlto is a  unmanaged L2 netgear switch  what sits  between the leased internet line, the PaloAlto , and a  another non-PaloAlto firewall. I want to get rid of this unmanged L2 netgear  switch and connect our other non-PaloAlto firewall and the Internet leased line directly into the PaloAlto.

 

The thing is is through the PaloAlto has a  external IP of 5.X.X.36/28 and the   non-PaloAlto firewall has a IP of  5.X.X.34/28, and following the guide linked below fails (commit fails) due to   setting the VLAN interface IP to  5.X.X.34/28 overlaps and conflicts with  5.X.X.36/28. Both the PaloAlto and the non-PaloAlto firewall both use the same ISP gateway (5.x.x.33/28.)

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKMCA0

 

How do I get around this issue and  connect our  non-PaloAlto  firewall into the PaloAlto firewall so that the Layer 2 switch can be got rid off.

 

Regards: Elliott.

 

11 REPLIES 11

I would agree with @RobinClayton @OtakarKlier @jeremy.larsen here... this is not simply getting rid of a switch but also redesigning your outbound traffic layer... today, specific traffic (SIP/VoIP) is directed via some kind of route engineering (I assume) to go thru the PA220 and the rest is engineered to go thru CP and bypass the PA220... the proposed design now puts the PA220 in line with the CP and capacity issues aside you still need a common L2 north/south of the CP FWs for HA to work and pushing that to the PA220 is just moving the same functionality to a new spot...

 

If full resiliency is required, you have HA on the CP FWs, then having redundant L2 switches north/south gets you there as a failure on either switch means use lose outbound connectivity regardless of the HA on the CP FWs.

 

On the capacity front it would be recommended to understand the traffic load/rates currently going thru the CP FWs and add that to what the PA220 is currently doing to see if it can handle the additional load, you still would have a SPOF as the PA220 is not in HA...

 

Lots of things to consider, perhaps reaching out to your SE to have a more detailed conversation on this would be a good next step.

I should  mention that what I want to do, we are currently doing  with another/2nd PA-220 that we have that handles  both the 1) gateway for our public Wi-Fi what  2) also feeds our main checkpoint firewall for another connection on the Checkpoint.

 

But in that case the Wi-Fi (using the PalAlto as the layer 3 router) and the   connection to our Checkpoint Firewall (via a layer 2 to layer 3 connection on the Palo Alto) are  using completely different subsets with their own distinct gateway.

 

I was hoping I could do the same thing  with the PaloAlto PA220 that handles the SIP traffic  and the Layer 2 connection from the unmanged switch to the Checkpoint firewall that both  use the same subnet as originally proposed in this thread.

 

Regards: Elliott.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!