In a Layer 3 deployment, the firewall routes traffic between multiple ports. Before you can Configure Layer 3
Interfaces, you must configure the virtual router or logical
router that you want the firewall to use to route the traffic for each Layer
3 interface.
If you’re using Security Group Tags (SGTs) in a Cisco TrustSec network, it’s a
best practice to deploy inline firewalls in either Layer 2 or virtual wire mode.
However, if you need to use a Layer 3 firewall in a Cisco TrustSec network, you should
deploy the Layer 3 firewall between two SGT exchange protocol (SXP) peers, and configure
the firewall to allow traffic between the SXP peers.
Duplicate IP Address Support
In PAN-OS® 11.1.4 and later releases, duplicate (overlapping)
IP address support allows you to use the same IP address on multiple firewall
interfaces when the interfaces use different logical routers and also use one of the
following combinations:
Different zones and the same virtual system.
The same zone and different virtual systems.
Different zones and different virtual systems.
It's important to understand these requirements because if you attempt to configure
duplicate addresses on multiple interfaces in the same zone and on the same virtual
system, there is no commit failure that prevents the misconfiguration.
Multiple interfaces on the same logical router can't use the
same IP address.
PA-1400 Series, VM-Series firewalls, and Panorama template stack support overlapping
IP addresses.
Overlapping IP address support requires the Advanced Routing Engine. Enable Advanced
Routing first; you can then enable Duplicate IP Address Support. Follow the standard
procedure to commit and reboot the firewall before you configure duplicate IP addresses.
You can then proceed to Configure Layer 3
Interfaces with duplicate IP addresses. The example topology illustrates
the same IP address (192.0.2.5/24) on two interfaces (Ethernet1/3 and Ethernet1/6)
that belong to different logical routers (lr1 and lr6), the same virtual system
(VSYS-1), and different zones (l3zone and zone6).
The interfaces can also share IPv6 addresses. The resulting configuration example
from the sample topology would be similar to this:
A separate configuration example shows Ethernet1/4 and Ethernet1/8 with overlapping
IP addresses configured for different logical routers, different virtual systems,
and different zones:
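As an added example (not part of the PAN-OS documentation), the following Python function applies the duplicate IP rules described above to a set of interfaces modelled on the two example topologies, so that the same-zone, same-vsys case that commit does not reject can be caught before the commit. The logical router names for Ethernet1/4 and Ethernet1/8, the second virtual system name and the 198.51.100.0/24 address are assumptions, since the text does not give them.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List

@dataclass(frozen=True)
class L3Interface:
    name: str
    ip: str            # address with prefix, e.g. "192.0.2.5/24"
    logical_router: str
    vsys: str
    zone: str

def duplicate_ip_violations(interfaces: List[L3Interface], duplicate_ip_enabled: bool,
                            ha_active_active: bool = False) -> List[str]:
    """Return one message per violation among interfaces that share an address.

    Rules from the text: the feature must be enabled and HA active/active off;
    interfaces sharing an address must be on different logical routers; and they
    must differ in zone or in vsys, because same zone + same vsys is the
    misconfiguration that commit does not reject.
    """
    by_ip: Dict[str, List[L3Interface]] = {}
    for intf in interfaces:
        by_ip.setdefault(intf.ip, []).append(intf)
    problems: List[str] = []
    for ip, group in by_ip.items():
        if len(group) < 2:
            continue                      # unique address, nothing to check
        names = ", ".join(i.name for i in group)
        if not duplicate_ip_enabled:
            problems.append(f"{ip} on {names}: Duplicate IP Address Support is disabled")
            continue
        if ha_active_active:
            problems.append(f"{ip} on {names}: not supported in HA active/active mode")
            continue
        for a, b in combinations(group, 2):
            if a.logical_router == b.logical_router:
                problems.append(f"{ip}: {a.name} and {b.name} share logical router {a.logical_router}")
            elif a.zone == b.zone and a.vsys == b.vsys:
                problems.append(f"{ip}: {a.name} and {b.name} share zone {a.zone} and {a.vsys} (commit does not reject this)")
    return problems

# Constructed sample modelled on the two topologies in the text. Logical router
# names lr4/lr8, vsys VSYS-2 and the 198.51.100.9/24 address are assumptions.
SAMPLE = [
    L3Interface("ethernet1/3", "192.0.2.5/24", "lr1", "VSYS-1", "l3zone"),
    L3Interface("ethernet1/6", "192.0.2.5/24", "lr6", "VSYS-1", "zone6"),
    L3Interface("ethernet1/4", "198.51.100.9/24", "lr4", "VSYS-1", "zone4"),
    L3Interface("ethernet1/8", "198.51.100.9/24", "lr8", "VSYS-2", "zone8"),
]
```

With the feature enabled, `duplicate_ip_violations(SAMPLE, True)` returns an empty list; adding a third interface on 192.0.2.5/24 in l3zone and VSYS-1 on another logical router produces the one message that the firewall's commit would not.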
The General Information on the Dashboard displays the firewall setting:
Duplicate IP Enabled or Duplicate IP
Disabled.
Overlapping IP addresses support both static and dynamically assigned IPv4 and IPv6
addresses. All Layer 3 interface types (Ethernet, VLAN, tunnel, loopback, Aggregate
Ethernet [AE], and AE subinterfaces) support overlapping IP addresses. The support
includes gateway interfaces.
The management interface does not support overlapping IP
addresses.
Overlapping IP addresses are not supported if HA
active/active mode is enabled. Such a commit fails with the error message,
Duplicate IP is not supported in HA Active/Active
mode.
Interfaces that have duplicate IP addresses configured support the following
services: Ping, SSH, Telnet, HTTP, and HTTPS. When Duplicate IP Address Support is
enabled, the ping and traceroute commands require you to specify a logical router,
which differentiates the source IP address among the duplicate addresses. Thus, the
response comes back to the correct IP address. Use the CLI operational commands:
ping source <ip> host <ip> logical-router <logical-router-name>
traceroute source <ip> host <ip> logical-router <logical-router-name>
Inter-vsys routing supports overlapping IP addresses so that you can route between
virtual systems.
Additional CLI commands related to duplicate IP address support are:
set deviceconfig setting duplicate-ip <yes|no>
    Enable or disable duplicate IP address support.
show system info
    View the Duplicate IP setting (Enabled or Disabled).
show counter global name session_duplicate_ip_alt_srcnat_xlat
    View counters for duplicate-ip alt source NAT translation.
The first topic linked below describes how to configure Layer 3 interfaces. The
second topic describes how to use Neighbor Discovery Protocol (NDP) to
provision IPv6 hosts and view the IPv6 addresses of devices on the link-local
network to quickly locate devices.