Layer 2 vs. Layer 3 Deployment


L0 Member

Hi!

At the moment, I hover between a Layer 2 and Layer 3 Deployment of my PA.

My setup is:

                                                |  |  |  |
Internet <-> IPSEC-router <-> DMZ <-> internal firewall
                                                |  |  |  |

My IPSec-router-cluster and the internal firewall need to persist. The internal firewall does route and filter between 23 VLANs/networks.

In the first step, I took my PA-3020 cluster as Layer2-Firewall behind the IPSec-router (Layer 2 instead of VirtualWire to be able to use a Vlan-Trunk), but I do sometimes see high latency and I do not really know why.

Do you think this is a good idea, or should I add a transfer network segment and use Layer 3?

My thoughts:

Layer 2:

pro

     easy deployment

     no change to any device

cons

     sometimes slow, and no idea why

     switches see one MAC on two VLANs

Layer 3:

pro:

     easy debugging

cons:

     need to add transfer network

     change of configuration for DMZ-network

     need to maintain routing-table of one additional device

Of course, if I need "Layer 3 features", I can assign another interface of the PA as Layer 3, but is this a good idea, or would a "clean" "just Layer3-setup" be more "future-proof"?

Thank you for your hints

Regards

Phil
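One way to confirm the "one MAC on two VLANs" symptom from the cons list above: an added example, not code from the thread, that parses a switch MAC table and flags every MAC learned in more than one VLAN. The input is a constructed sample in a format assumed to resemble Cisco IOS "show mac address-table" output; adjust the regular expression for other vendors.

```python
import re
from collections import defaultdict

# Constructed sample of switch MAC-table output (format assumed to resemble
# Cisco IOS "show mac address-table"; not captured from the poster's network).
# VLAN 10 is the "Layer 2 outside" side, VLAN 20 the "Layer 2 inside" side.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  20    0011.2233.4455    DYNAMIC     Gi1/0/2
  10    aabb.ccdd.eeff    DYNAMIC     Gi1/0/5
  20    0011.2233.4466    DYNAMIC     Gi1/0/2
  30    0011.2233.4466    DYNAMIC     Gi1/0/3
  30    1234.5678.9abc    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 6
"""

# One data row: VLAN id, dotted-hex MAC, type, port. Header and footer lines
# do not start with a VLAN number, so they never match.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I
)


def parse_mac_table(text):
    """Yield (vlan, mac, port) for each data row of the table."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2).lower(), m.group(3)


def macs_on_multiple_vlans(text):
    """Return {mac: {vlan: port}} for every MAC learned in more than one VLAN.

    A layer-2 firewall bridging VLAN A to VLAN B makes the switch learn the
    same station MAC on both VLANs, which is exactly this pattern.
    """
    seen = defaultdict(dict)
    for vlan, mac, port in parse_mac_table(text):
        seen[mac][vlan] = port
    return {mac: vlans for mac, vlans in seen.items() if len(vlans) > 1}


if __name__ == "__main__":
    for mac, vlans in macs_on_multiple_vlans(SAMPLE_MAC_TABLE).items():
        detail = ", ".join(f"VLAN {v} on {p}" for v, p in sorted(vlans.items()))
        print(f"{mac}: {detail}")
```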


L7 Applicator

PStricker wrote:

(Layer 2 instead of VirtualWire to be able to use a Vlan-Trunk),

You can do Q tags on V-wire in PanOS 5 (think it was introduced in 5.0.4)

I think you have the lay of the land for the differences.  I'll just add another option to complicate things for you.  You could deploy using vsys and have some layer three segments and treat others as v-wire and layer 2.   This could potentially give you the best of both worlds.

I don't see any performance impact on the v-wire deploys we manage.  But I'm not running layer 2 in production to compare.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Steven!

Thank you for your answer. Of course, vwire does support Q-tags, but I think it does only support trunks. In my environment, VLAN A is "Layer 2 outside" and VLAN B is "Layer 2 inside". So my Layer 2 deployment does link two different VLANs of my switches.

It seems to me, Layer 2 deployments with PA are not very popular.

Phil

In your situation I would use a layer 3 deploy.

I also have not seen any pure layer 2 deploys.  It seems that v-wire is the way to go with a true layer 2 insertion.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center