07-07-2014 04:27 AM
Hi!
At the moment, I hover between a Layer 2 and Layer 3 Deployment of my PA.
My setup is:
Internet <-> IPSEC-router <-> DMZ <-> internal firewall
My IPSec-router-cluster and the internal firewall need to persist. The internal firewall does route and filter between 23 VLANs/networks.
In the first step, I took my PA-3020 cluster as Layer2-Firewall behind the IPSec-router (Layer 2 instead of VirtualWire to be able to use a Vlan-Trunk), but I do sometimes see high latency and I do not really know why.
Do you think this is a good idea, or should I add a transfer network segment and use Layer 3?
My thoughts:
Layer 2:
  pro:
    easy deployment
    no change to any device
  cons:
    sometimes slow and no idea why
    switches see one mac on two VLANs
Layer 3:
  pro:
    easy debugging
  cons:
    need to add transfer network
    change of configuration for DMZ-network
    need to maintain routing-table of one additional device
Of course, if I need "Layer 3 features", I can assign another interface of the PA as Layer 3, but is this a good idea, or would a "clean" "just Layer3-setup" be more "future-proof"?
Thank you for your hints
Regards
Phil
07-07-2014 04:37 AM
PStricker wrote:
(Layer 2 instead of VirtualWire to be able to use a Vlan-Trunk),
You can do Q tags on V-wire in PanOS 5 (think it was introduced in 5.0.4)
I think you have the lay of the land for the differences. I'll just add another option to complicate things for you. You could deploy using vsys and have some layer three segments and treat others as v-wire and layer 2. This could potentially give you the best of both worlds.
I don't see any performance impact on the v-wire deploys we manage. But I'm not running layer 2 in production to compare.
07-07-2014 04:58 AM
Hi Steven!
Thank you for your answer. Of course, vwire does support Q-tags, but I think it only supports trunks. In my environment, VLAN A is "Layer 2 outside" and VLAN B is "Layer 2 inside". So my Layer 2 deployment does link two different VLANs of my switches.
It seems to me, Layer 2 deployments with PA are not very popular.
Phil
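The "switches see one mac on two VLANs" observation in the first post and the VLAN A / VLAN B explanation above describe the same mechanism: a Layer 2 firewall that bridges between two VLANs rewrites the 802.1Q tag, so the switch's per-VLAN MAC table learns the router's MAC once in the outside VLAN (from the router's own port) and once in the inside VLAN (from the firewall's inside port). A virtual wire never changes the tag, so each MAC is learned in one VLAN only. The following model, added here as an illustration and not taken from the thread or from any Palo Alto Networks code, simulates that switch learning behaviour. The MAC addresses, VLAN numbers (10 outside, 20 inside) and port names are constructed for the example.

```python
"""Model of switch MAC learning behind a VLAN-bridging Layer 2 firewall vs a virtual wire.

Constructed example: the addresses, VLAN IDs and port names below are made up
for illustration and do not come from the forum thread or from PAN-OS.
"""
from dataclasses import dataclass, field

# Constructed values: documentation MAC range, arbitrary VLAN IDs.
ROUTER_MAC = "00:00:5e:00:53:01"   # IPSec router (outside)
HOST_MAC = "00:00:5e:00:53:02"     # DMZ host (inside)
VLAN_OUTSIDE, VLAN_INSIDE = 10, 20


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int          # 802.1Q tag the switch sees on ingress


@dataclass
class Switch:
    """Per-VLAN MAC table (independent VLAN learning), as on most switches."""
    table: dict = field(default_factory=dict)   # (vlan, mac) -> ingress port

    def learn(self, frame: Frame, port: str) -> None:
        self.table[(frame.vlan, frame.src_mac)] = port

    def vlans_for_mac(self, mac: str) -> list:
        """VLANs in which this MAC has been learned (sorted for stable comparison)."""
        return sorted(v for (v, m) in self.table if m == mac)


@dataclass
class L2Firewall:
    """Layer 2 deployment: bridges the outside VLAN to the inside VLAN by rewriting the tag."""
    outside_vlan: int
    inside_vlan: int

    def forward(self, frame: Frame) -> Frame:
        if frame.vlan == self.outside_vlan:
            return Frame(frame.src_mac, frame.dst_mac, self.inside_vlan)
        if frame.vlan == self.inside_vlan:
            return Frame(frame.src_mac, frame.dst_mac, self.outside_vlan)
        raise ValueError(f"VLAN {frame.vlan} is not bridged by this firewall")


class VWireFirewall:
    """Virtual wire: inline bump in the wire, the frame and its tag pass through unchanged."""
    def forward(self, frame: Frame) -> Frame:
        return frame


def simulate_layer2() -> tuple:
    """Firewall has one port in VLAN 10 and one in VLAN 20, both connected to the switch."""
    sw = Switch()
    fw = L2Firewall(VLAN_OUTSIDE, VLAN_INSIDE)
    # Router -> host: the switch learns the router in VLAN 10 on the router's port ...
    req = Frame(ROUTER_MAC, HOST_MAC, VLAN_OUTSIDE)
    sw.learn(req, "gi1/1")
    # ... then the firewall bridges the frame into VLAN 20 and it re-enters the switch
    # on the firewall's inside port, so the same MAC is learned again in VLAN 20.
    sw.learn(fw.forward(req), "gi1/3")
    # Host -> router: the same thing happens in reverse for the host's MAC.
    rep = Frame(HOST_MAC, ROUTER_MAC, VLAN_INSIDE)
    sw.learn(rep, "gi1/4")
    sw.learn(fw.forward(rep), "gi1/2")
    return sw.vlans_for_mac(ROUTER_MAC), sw.vlans_for_mac(HOST_MAC)


def simulate_vwire() -> tuple:
    """Firewall sits inline between the router and the switch; tags are left untouched."""
    sw = Switch()
    fw = VWireFirewall()
    req = Frame(ROUTER_MAC, HOST_MAC, VLAN_OUTSIDE)
    sw.learn(fw.forward(req), "gi1/1")    # only one switch port ever sees the router
    rep = Frame(HOST_MAC, ROUTER_MAC, VLAN_OUTSIDE)
    sw.learn(rep, "gi1/4")                # reply leaves towards the router via the wire
    return sw.vlans_for_mac(ROUTER_MAC), sw.vlans_for_mac(HOST_MAC)


if __name__ == "__main__":
    print("layer 2 :", simulate_layer2())   # each MAC appears in VLANs 10 and 20
    print("vwire   :", simulate_vwire())    # each MAC appears in VLAN 10 only
```

The duplicate entries are not a fault in the switch; they are the expected result of independent VLAN learning once a device bridges between two VLANs. Switches that monitor for the same MAC appearing on several VLANs or ports may log this as a move or flap, which is one reason a virtual wire, or a Layer 3 insertion with a transfer network, tends to be easier to troubleshoot.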
07-07-2014 02:57 PM
In your situation I would use a layer 3 deploy.
I also have not seen any pure layer 2 deploys. It seems that v-wire is the way to go with a true layer 2 insertion.