Palo Alto Networks: Layer3 interface

cyruslab Firewall, Security December 13, 2012 1 Minute

Change default interface to routed interface
By default the PA5050 comes pre-configured with virtual-wire pair on ethernet1/1 and ethernet1/2, I would want to change to layer3 instead, layer3 interface is known as routed port.

admin@PA-5050> configure
Entering configuration mode
[edit]
admin@PA-5050# edit network
[edit network]
admin@PA-5050# delete interface ethernet ethernet1/1 virtual-wire

[edit network]
admin@PA-5050# delete interface ethernet ethernet1/2 virtual-wire
admin@PA-5050# set interface ethernet ethernet1/1 layer3 ip 200.1.1.1/30

[edit network]
admin@PA-5050# set interface ethernet ethernet1/2 layer3 ip 192.168.0.1/24

[edit network]
admin@PA-5050# top
[edit]
admin@PA-5050# set zone trust network layer3 ethernet1/2

[edit]
admin@PA-5050# set zone untrust network layer3 ethernet1/1

[edit]
[edit]
admin@PA-5050# commit


....55%99%.....100%
Configuration committed successfully
Interface ethernet1/1 has no virtual-router configuration.
Interface ethernet1/2 has no virtual-router configuration.

[edit]
admin@PA-5050#

Reconfiguration
Supposed you have misconfigured an uncommitted configuration, you cannot simply use the set command and think the configuration will replaced the previous uncommitted configuration. You will have to delete the previously uncommitted configuration first.

The below example demonstrated this, I purposefully configured an IP address that was conflicting with the management interface IP address. However I could not change the configuration simply by using set command.

admin@PA-5050# set interface ethernet ethernet1/2 layer3 ip 192.168.1.1/24

[edit network]
admin@PA-5050# commit
.
Management IP 192.168.1.1 is conflict with regular interface IP address.
Configuration is invalid
[edit network]
admin@PA-5050# set interface ethernet ethernet1/2 layer3 ip 192.168.0.1/24
admin@PA-5050# commit


.
Management IP 192.168.1.1 is conflict with regular interface IP address.
Configuration is invalid

I would first need to delete the previous configuration then set the correct configuration.

[edit]
admin@PA-5050# delete network interface ethernet ethernet1/2 layer3 ip 192.168.1.1/24

[edit]
admin@PA-5050# set network interface ethernet ethernet1/2 layer3 ip 192.168.0.1/24

[edit]
admin@PA-5050# commit


....55%99%.....100%
Configuration committed successfully

Published by cyruslab

View all posts by cyruslab

Published December 13, 2012

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Connecting to %s

%d bloggers like this: