Palo Alto Layer 2 bridging

Gun-Slinger
L3 Networker


Any idea on when or if PAN is going to produce the functionality to do layer 2 bridging (for example, traffic on VLAN 300 would be directed to VLAN 3000, etc.)? Right now the function only seems to be possible in conjunction with a physical interface per bridge, which isn't scalable for lots of VLANs like a DC. Another option is enabling the function to bridge 2 different VLAN tags in vwire mode.


Accepted Solutions
ismunandi
L0 Member

I found the solution:

I am using a topology like this. In the Core Router I have VLAN10 with network 172.25.10.0/24. Between the Distribution Switch and the Server Switch I installed a Palo Alto to translate VLAN10 to VLAN1010. My server uses VLAN1010 172.25.10.10 and can still connect to the Gateway Core Router 172.25.10.1 with VLAN10.

[image: 7.jpg (topology diagram)]

1. Create a sub-interface on 2 physical interfaces with different VLAN tags, like this picture. In this picture I translate VLAN 10 to VLAN 1010 with the same network 172.25.10.0/24.

[image: ismunandi_0-1614750948941.jpeg]

2. On all sub-interfaces create a VLAN group, like this picture.

[image: ismunandi_1-1614750948573.jpeg]

3. And the result of the VLAN group. In the VLAN group we can see there are two sub-interfaces with different VLAN tagging.

[image: ismunandi_2-1614750949121.jpeg]

4. You can see in the picture at point 1 that I gave two different zones to the sub-interfaces ethernet1/3.10 and ethernet1/4.1010.

5. And as a result we can inspect traffic ingress and egress from ethernet1/3.10 and ethernet1/4.1010, like this picture. Look at the hit count on policy rule number one. Same network IP with different zones and different VLAN tagging:

[image: ismunandi_3-1614750949229.jpeg]
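To make the mechanics of the accepted solution concrete, here is an added Python model (not ismunandi's configuration and not PAN-OS code): two layer-2 sub-interfaces with different 802.1Q tags are joined in one VLAN group, each sits in its own zone, and a frame that enters on one member is re-tagged with the other member's VLAN ID and forwarded only if an interzone rule allows it, with a per-rule hit count like the one in the screenshot. The interface names ethernet1/3.10 and ethernet1/4.1010 come from the post; the zone names, rule names, MAC addresses and payload are constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed model of the topology in the post: two layer-2 sub-interfaces with
# different 802.1Q tags, joined in one VLAN group, each in its own zone.
# Zone names are hypothetical; interface names and tags follow the post.
SUBINTERFACES = {
    "ethernet1/3.10":   {"parent": "ethernet1/3", "tag": 10,   "zone": "core-side"},
    "ethernet1/4.1010": {"parent": "ethernet1/4", "tag": 1010, "zone": "server-side"},
}
VLAN_GROUP = ("ethernet1/3.10", "ethernet1/4.1010")


def parse_frame(frame):
    """Split an 802.1Q-tagged Ethernet frame into (dst, src, vid, ethertype, payload)."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src = frame[0:6], frame[6:12]
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != ETHERTYPE_8021Q:
        raise ValueError("untagged frame: no 802.1Q header")
    return dst, src, tci & 0x0FFF, ethertype, frame[18:]


def build_frame(dst, src, vlan_id, ethertype, payload, pcp=0):
    """Assemble an 802.1Q-tagged frame; TCI = 3-bit PCP, DEI=0, 12-bit VID."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def ingress_subinterface(parent, vlan_id):
    """Classify a frame arriving on a physical port by its tag (None = no sub-interface, dropped)."""
    for name, cfg in SUBINTERFACES.items():
        if cfg["parent"] == parent and cfg["tag"] == vlan_id:
            return name
    return None


class L2Bridge:
    """Forwards frames between the two VLAN-group members, rewriting the tag and
    applying a zone-based security policy with per-rule hit counts."""

    def __init__(self, rules):
        self.rules = rules                      # (name, from_zone, to_zone, action)
        self.hits = {name: 0 for name, *_ in rules}

    def policy(self, src_zone, dst_zone):
        """First matching rule wins and is counted; no match is the implicit interzone deny."""
        for name, from_zone, to_zone, action in self.rules:
            if from_zone == src_zone and to_zone == dst_zone:
                self.hits[name] += 1
                return action
        return "deny"

    def forward(self, parent, frame):
        """Return (egress_parent, rewritten_frame), or None if the frame is dropped."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        in_if = ingress_subinterface(parent, vid)
        if in_if not in VLAN_GROUP:
            return None
        # With two members, the other member is always the egress sub-interface.
        out_if = VLAN_GROUP[1] if in_if == VLAN_GROUP[0] else VLAN_GROUP[0]
        if self.policy(SUBINTERFACES[in_if]["zone"], SUBINTERFACES[out_if]["zone"]) != "allow":
            return None
        out_cfg = SUBINTERFACES[out_if]
        return out_cfg["parent"], build_frame(dst, src, out_cfg["tag"], ethertype, payload)


# Constructed sample MACs for the gateway (172.25.10.1) and the server (172.25.10.10).
GATEWAY_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000010")
PAYLOAD = bytes.fromhex("45") + bytes(19)   # constructed stand-in for an IPv4 packet


def demo(allow_both_directions=True):
    """Push a server->gateway frame (VLAN1010 in) through the bridge; returns (result, hit counts)."""
    rules = [("rule1-server-to-core", "server-side", "core-side", "allow")]
    if allow_both_directions:
        rules.append(("rule2-core-to-server", "core-side", "server-side", "allow"))
    bridge = L2Bridge(rules)
    frame = build_frame(GATEWAY_MAC, SERVER_MAC, 1010, ETHERTYPE_IPV4, PAYLOAD)
    result = bridge.forward("ethernet1/4", frame)
    return result, bridge.hits


if __name__ == "__main__":
    (egress, out_frame), hits = demo()
    print("egress port:", egress, "egress VID:", parse_frame(out_frame)[2], "hits:", hits)
```

The model shows why the same 172.25.10.0/24 can live in two zones: the firewall never routes between them, it only retags the frame, so the interzone rule (and its hit counter) is what lets you inspect traffic that would otherwise be a single flat VLAN. A frame arriving on ethernet1/4 with tag 10 matches no sub-interface there and is dropped, and a direction with no matching rule falls into the implicit deny without touching any counter.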


All Replies
gtomte
L3 Networker

This is doable today by using 802.1q for the two VLANs you mention, with subinterfaces, and using the same VLAN number for both. In that way, these two VLANs are connected. No redirect. No rewrite. But connected together.

reaper
L7 Applicator

This has been possible for a long time already, please check out this article: Getting Started: Layer 2 Interfaces

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Gun-Slinger
L3 Networker

The problem I found with this, however, was the dependency of each bridge/rewrite interface group on a physical interface. For example, if I create a VLAN bridge between 2 different tagged sub-interfaces (aka e1/1.200 and e1/1.300), I have to create the bridge with not only .200 and .300, but with the physical interface e1/1 as well. This limits the scalability of this to the number of physical interfaces available. It would be great if you could create bridges without the physical interface dependency.

