Palo Alto Layer 2 bridging

cancel
Showing results for 
Search instead for 
Did you mean: 

Palo Alto Layer 2 bridging

L3 Networker

Any idea on when or if PAN is going to produce the functionality to do layer 2 bridging (example, traffic on vlan 300 would be directed to vlan 3000...etc? Right now the function only seems to be possible when in conjunction with a physical interface per bridge which isn't scalable for lots of vlans like a DC. Another option is enabling the function to bridge in vwire mode 2 different vlan tags.

1 ACCEPTED SOLUTION

Accepted Solutions

L0 Member

I Found The Solution :

I am using topologi Like this. In Core Router i have VLAN10 with network 172.25.10.0/24. Between Distribution Switch and Server Switch I Installed Palo Alto to translate VLAN10 to VLAN1010. My Server Using VLAN1010 172.25.10.10 and still can connected to Gateway Core Router 172.25.10.1 with VLAN10. 

7.jpg

1. Create Sub Interface in 2 Physical Interface with different vlan tag like this picture. In this Picture i translate vlan 10 to vlan 1010 with same network 172.25.10.0/24

ismunandi_0-1614750948941.jpeg

 

2. In All Sub Interface create Vlan Group like this picture.

ismunandi_1-1614750948573.jpeg

 

3. And result of the Vlan Group. In VLAN Group we can see there are two sub interface with different vlan tagging.

ismunandi_2-1614750949121.jpeg

 

4. You can see in picture at point 1, I give two different zone at sub interface ethernet1/3.10 and ethernet1/4.1010.

5. And the result we can inspect traffic inggress and eggress from ethernet1/3.10 and ethernet1/4.1010 like this picture. Look at hit count on policy rule number one. Same Network IP with Different Zone and different VLAN Tagging :

ismunandi_3-1614750949229.jpeg

 

 

View solution in original post

7 REPLIES 7

L3 Networker

This is doable today, by using 802.1q for the two vlans you mention, with subinterfaces. and use the same vlan number for both. In that way, these two vlans are connected. No redirect. No rewrite. But connected together.

Cyber Elite
Cyber Elite

This has been possible for a long time already, please check out this article : Getting Started: Layer 2 Interfaces

Tom Piens
PANgurus

The problem I found with this however was the dependency on each bridge/rewrite interface group is per physical interface. For example if I create a vlan bridge between 2 different tagged sub-interfaces (aka e1/1.200 and e1/1.300) I have to create the bridge with not only .200 and .300, but with the physical interface e1/1 as well. This limits the scalability of this to the number of pyhsical interfaces available. It would be great if you could create bridges without the physical interface dependency.

L0 Member

I Found The Solution :

I am using topologi Like this. In Core Router i have VLAN10 with network 172.25.10.0/24. Between Distribution Switch and Server Switch I Installed Palo Alto to translate VLAN10 to VLAN1010. My Server Using VLAN1010 172.25.10.10 and still can connected to Gateway Core Router 172.25.10.1 with VLAN10. 

7.jpg

1. Create Sub Interface in 2 Physical Interface with different vlan tag like this picture. In this Picture i translate vlan 10 to vlan 1010 with same network 172.25.10.0/24

ismunandi_0-1614750948941.jpeg

 

2. In All Sub Interface create Vlan Group like this picture.

ismunandi_1-1614750948573.jpeg

 

3. And result of the Vlan Group. In VLAN Group we can see there are two sub interface with different vlan tagging.

ismunandi_2-1614750949121.jpeg

 

4. You can see in picture at point 1, I give two different zone at sub interface ethernet1/3.10 and ethernet1/4.1010.

5. And the result we can inspect traffic inggress and eggress from ethernet1/3.10 and ethernet1/4.1010 like this picture. Look at hit count on policy rule number one. Same Network IP with Different Zone and different VLAN Tagging :

ismunandi_3-1614750949229.jpeg

 

 

View solution in original post

This screen shot is missing some important details. Line 2 shows IP 172.16.15.92 sending to 172.25.10.10 and it is allowed.  Was this a successful 2 way communication? When the source and destination  networks are different, the source arps for its default gateway. 172.25.10.10 would not be the gateway unless this was a /8 mask.   I understand how this can work if all devices are on the same subnet. PAN is just modifying the tag and passing arp, and everything else to the other interface. Should that second session be blocked out to avoid confusion or am I missing something?

You must understand how it works from what I describe and please try it yourself. The second line is the rule that allows 172.16.15.92 access to 172.25.10.10. if you want 172.25.10.10 to be able to access 172.16.15.92 then you have to open access in reverse as in the third line. One more thing, even though 172.25.10.10 and 172.25.10.1 are on the same network they cannot ping each other and access service ports if they are not given permission because they are in different zones (remember this is a bridging vlan with different interfaces and zones). You have to be more careful and better understand the picture that I provide. Please do the simulation in your own lab and you will understand.

L0 Member

In a Layer 2 deployment, the firewall provides switching between two or more networks. Devices are connected to a Layer 2 segment; the firewall forwards the frames to the proper port, which is associated with the MAC address identified in the frame. Configure a Layer 2 Interface when switching is required.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!