Layer 2 Interfaces with No VLANs
L1 Bithead

Hi,

I have created the following topology in a PA (10.1.0) virtual lab to test "Layer 2 Interfaces with No VLANs".

Topology :- PC-1 --> L2 INT(None) - PA-VM - L2 INT(None) --> PC-2

I'm unable to establish connectivity between PC-1 and PC-2. Both the ingress and egress interfaces are configured under the same zone.

Also, while capturing the traffic I observed that the ARP request (broadcast) sent by PC-1 was dropped on the PA. But as per the PA admin guide, it should broadcast the unknown frame to all of its Layer 2 interfaces. Why is the firewall not forwarding unknown/broadcast frames to the other L2 interfaces?


Cyber Elite

Hi @MageshKumarG ,

Wow!  This is the 1st time I have seen this -> https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/configure-interfaces/layer-2-i....

Is this an 11.0 feature?

I would go ahead and assign the interfaces to the same VLAN, and it should work fine.

Thanks,

Tom

L1 Bithead

Hi @TomYoung

Yes. If we use the same VLAN on both the ingress and egress interfaces, we are able to establish connectivity within the same network.

My query is regarding the "NO VLAN", i.e. NONE, feature in PA. What does NONE mean? I hope it acts like a trunk port.

In Layer 2 devices, the traffic between trunk ports is permitted. A VLAN ID is not mandatory in Layer 2 devices. Is the same applicable to PA as well?

This feature is listed in old versions also; I'm referring to the version 10.1 admin guide.

Thanks.

Magesh

Cyber Elite (accepted solution)

Hi @MageshKumarG ,

It is too bad the documentation is not more clear.  That would be an easier way to configure a trunk.  The way I know requires you to configure a L2 sub-interface for each VLAN that you want to trunk.  The nice thing about that method is that you can attach different zones to each sub-interface and have different policies for each VLAN.

Thanks,

Tom

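The per-VLAN sub-interface approach Tom describes, written out as PAN-OS `set` commands. This is an added example, not configuration from the thread or from Palo Alto Networks; interface names, VLAN IDs and zone names are assumed, and the command paths are given from memory and should be checked against the PAN-OS CLI reference for your release.

```text
# Added example (not from the thread): trunk VLAN 100 and VLAN 200 between
# ethernet1/1 (PC-1 side) and ethernet1/2 (PC-2 side) using one Layer 2
# sub-interface per VLAN. Each VLAN gets its own VLAN object, so tagged frames
# only bridge between the two sub-interfaces carrying that tag, and its own
# zone, so security policy can differ per VLAN.
# Assumed names: ethernet1/1, ethernet1/2, vlan100, vlan200, L2-VLAN100, L2-VLAN200.

# Parent interfaces in Layer 2 mode
set network interface ethernet ethernet1/1 layer2
set network interface ethernet ethernet1/2 layer2

# One 802.1Q-tagged sub-interface per VLAN on each side
set network interface ethernet ethernet1/1 layer2 units ethernet1/1.100 tag 100
set network interface ethernet ethernet1/2 layer2 units ethernet1/2.100 tag 100
set network interface ethernet ethernet1/1 layer2 units ethernet1/1.200 tag 200
set network interface ethernet ethernet1/2 layer2 units ethernet1/2.200 tag 200

# Bridge the two sub-interfaces of each VLAN in a VLAN object of their own
set network vlan vlan100 interface [ ethernet1/1.100 ethernet1/2.100 ]
set network vlan vlan200 interface [ ethernet1/1.200 ethernet1/2.200 ]

# Separate zone per VLAN; intrazone traffic within a VLAN is allowed by the
# default intrazone rule, and each zone can carry its own security policy
set zone L2-VLAN100 network layer2 [ ethernet1/1.100 ethernet1/2.100 ]
set zone L2-VLAN200 network layer2 [ ethernet1/1.200 ethernet1/2.200 ]

commit
```

Untagged frames from PC-1 will not match either sub-interface, so a PC that should be bridged must send tagged frames (or be placed behind a switch that tags them); this mirrors the behaviour seen in the original post where untagged traffic on a NONE interface was not forwarded.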
L1 Bithead

Hi @TomYoung

Yes. You are right. We can configure both the ingress and egress interfaces as ports in the same VLAN and make connectivity between them.

I just want to test the "L2 NONE" option in PA. I'm new to PA, so I thought it acts the same as trunk ports; maybe it's processing the traffic differently.

Thanks.

Magesh