Pass Palo Alto Networks PCNSE Exam in First Attempt Easily
Latest Palo Alto Networks PCNSE Practice Test Questions, Exam Dumps
Accurate & Verified Answers As Experienced in the Actual Test!
Check our Last Week Results!
- Premium File 571 Questions & Answers
Last Update: Dec 5, 2023
- Training Course 142 Lectures
- Study Guide 122 Pages
Palo Alto Intro and Deployment Options
1. Palo Alto Firewalls overview
Welcome. In this lecture, we will get an overview of the Palo Alto platform architecture. The Palo Alto firewall is a different kind of firewall; they basically coined the term "next-generation firewall." The legacy firewall made its decision based on protocols and ports. It did very simple inspection on the packets, but it didn't go deeper into the packet to determine the different types of applications. Palo Alto came up with the idea of identifying applications on the network. The legacy firewall just allowed TCP, UDP, and ICMP ports and protocols. It did not identify the applications like the Palo Alto firewall does, which goes beyond protocols and ports by looking inside the packet and identifying the traffic based on signatures. So, for example, you could have traffic going on port 443 and port 80, but Palo Alto is smart enough to identify it based on traffic signatures: whether this traffic is Facebook, YouTube, Google Apps, or any other application, it looks beyond the ports and protocols to identify what type of application is riding inside the traffic. App-ID is the functionality that looks at the traffic and matches it against signatures to identify the content of the traffic. It is not just relying on ports and protocols;
it is also able to identify evasive applications, an application like Skype, for example. This application can use any available port and bypasses any firewall restrictions you have in place. If you have the Palo Alto firewall, it will be able to identify that this traffic going over port 80 or 443 is Skype traffic, and if Skype is blocked, it will not allow this traffic. So this is the feature for identifying evasive applications. Some other applications, like peer-to-peer applications, also use the same method: they get around security by using any available port to achieve the connection. Content-ID is the component that allows the firewall to scan for threats like vulnerability exploits, viruses, and spyware, and to do intrusion prevention. It also checks for data leakage like Social Security numbers, credit card numbers, and files. It is also able to do URL and web filtering by looking at the content and the URL that the users are trying to access.
User-ID is the third component. It allows you to identify not only what type of traffic it is but also the user behind that traffic. This allows you to make restrictions based on users, not only on applications, ports, and protocols. You can allow some users to access some applications and deny them for other users. That gives you more control over the traffic, and you can base your decision on user, application, and content. The differentiator is that application identification, User-ID, and Content-ID are done in a single pass, meaning the packet is processed once against App-ID, User-ID, and Content-ID. The policy engine does not need to re-examine the packet during its transit to send it to different processes. It does this all in a single pass, and that's the differentiation.
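The port-versus-application distinction described above, as an added example that is not part of the lecture: a toy classifier that identifies the application from the first payload bytes rather than from the destination port, combined with a user-aware policy. The signatures, users and policy rules are constructed for illustration and are nothing like real App-ID signatures; the point is that the same SSH session is allowed by a port-only decision on port 443 and denied once the payload is identified.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_user: str    # user that User-ID mapped the source address to (constructed)
    dst_port: int    # what a legacy, port-based firewall looks at
    payload: bytes   # first application bytes of the session


# Constructed, deliberately tiny signatures for three applications. Real
# App-ID signatures are far richer; these only show the principle: identify
# the application from the payload, not from the port number.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("ssl", re.compile(rb"^\x16\x03[\x01-\x04]")),                     # TLS handshake record
    ("web-browsing", re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
]

# Constructed user-aware application policy, evaluated top-down:
# (source user or "any", application, action)
APP_POLICY = [
    ("any", "web-browsing", "allow"),
    ("any", "ssl", "allow"),
    ("admin", "ssh", "allow"),
]


def identify_app(flow: Flow) -> str:
    """Match the payload against the signature list; unknown traffic gets a generic label."""
    for app, signature in SIGNATURES:
        if signature.match(flow.payload):
            return app
    return "unknown-tcp"


def port_based_decision(flow: Flow) -> str:
    """Legacy firewall: only the destination port decides."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


def app_based_decision(flow: Flow):
    """App-ID plus User-ID: the identified application and the mapped user decide."""
    app = identify_app(flow)
    for user, policy_app, action in APP_POLICY:
        if user in ("any", flow.src_user) and policy_app == app:
            return app, action
    return app, "deny"    # no matching rule: default deny


if __name__ == "__main__":
    # Constructed sample flows: SSH hiding on port 443, HTTP on 80, TLS on a non-standard port.
    samples = [
        Flow("bob", 443, b"SSH-2.0-OpenSSH_9.3\r\n"),
        Flow("admin", 443, b"SSH-2.0-OpenSSH_9.3\r\n"),
        Flow("bob", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        Flow("bob", 8443, b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56"),
    ]
    for flow in samples:
        print(flow.src_user, flow.dst_port, port_based_decision(flow), app_based_decision(flow))
```

The evasive-application case from the lecture is the first two flows: a port-only decision waves SSH through on 443, while the application-based policy denies it for bob and allows it only for admin, and the TLS session on port 8443 is allowed by application even though a port-only rule would drop it.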
Also, the Palo Alto firewall's control plane is separate from the data plane. The control plane typically has its own processor, which prevents the control plane from overrunning the data plane and causing packet drops. The separation of the control plane from the data plane is also a very nice feature of the Palo Alto firewall. The Palo Alto firewall is packed with features from a network perspective. It allows you to do routing using BGP, OSPF, and RIP. It allows you to configure the firewall in different ways: you can configure it as a virtual wire (a bump in the wire); you can configure it as a tap to get a copy of the traffic and analyse the traffic that way; you can also configure it in a layer 2 or layer 3 configuration. It also does VPN pretty well: it allows you to configure it for site-to-site VPN and remote access. It does pretty much all the firewall features that are available from other vendors, but in my opinion it does them much better. It does QoS by doing traffic shaping. It has the concept of virtual systems; if you are familiar with the Cisco firewalls, this is referred to as a "virtual context."
That is, you can partition the firewall into multiple logical firewalls. This way, you can use the same box for different purposes. It has a very flexible management interface. You can manage the firewall using the CLI, which is pretty powerful, you can use the web interface, or you can use the management platform that is referred to as Panorama. We're going to look at the different platforms that the Palo Alto firewalls offer. You have a whole slew of firewalls available, all the way from the home office firewall, the PA-200, which gives you 100 megabits of throughput, to the PA 750, which gives you 120 gigabits of throughput. There are also virtual machines available. You have the VM-100, which gives you one gigabit of throughput.
You have the VM-200 and the VM-300. When it comes to threat prevention throughput, threat prevention provides virus detection, intrusion prevention, anti-malware, and the Content-ID URL filtering features. The PA-200 can do up to 50 megabits with all the features turned on. The PA 1050 goes up to 60 gigabits. And we can see from the different platforms the type of throughput that can be achieved with each platform. It also depends on the number of connections per second. The PA-200 can give you 1,000 connections per second; the PA can give you 720,000 connections per second. The number of sessions also matters: the PA-200 gives you 64,000 maximum sessions, and the PA 2050 gives you 24 million sessions. In this lecture, we gave you an overview of the Palo Alto firewalls and explored the different platforms that are available. We're going to get into more detail in the next lectures.
2. Deployment Options
In the first section, we're talking about the deployment of the Palo Alto firewall. This is an important concept to be aware of in terms of how the Palo Alto firewall can be deployed in your environment. The Palo Alto firewall is rich in deployment methods; it has a wide range of capabilities in terms of how it can be deployed in your network. The first deployment type, which is pretty easy to implement, is tap mode. Tap mode is typically used to evaluate the Palo Alto firewall and see its capabilities. You monitor the traffic that's going to the existing legacy firewall, copy that traffic to the Palo Alto firewall, and the Palo Alto firewall analyzes it for threats, so you can see what the capabilities of the Palo Alto firewall are. However, you cannot block traffic, because you're only getting a copy of it; you're not in the path of the traffic. Then you have virtual wire. Virtual wire allows you to connect two segments; it is what other vendors call transparent mode or bump-in-the-wire inline mode, and it can block traffic. It's a good transition when moving from a legacy firewall to the Palo Alto firewall, because you can put the Palo Alto firewall in the middle, behind the legacy firewall, take a look at the traffic, look at the rules, and tweak your rules. Then, once you're ready, you can change it to a different mode and replace the legacy firewall. In layer 3 mode, the firewall acts as a layer 3 router, putting itself in the middle of the traffic by virtue of being a layer 3 hop. It watches the traffic as it comes into the Palo Alto firewall and leaves the Palo Alto firewall, and you can block traffic and have it act as an enforcement point.
Layer 2 deployment allows you to put the firewall in layer 2 mode, meaning that it can break up a segment, and it's kind of similar to virtual wire mode. But the difference between layer 2 mode and virtual wire is that you can have a layer 3 interface attached to the VLAN, and by virtue of that, you can have the firewall act as a layer 3 switch. So it can be implemented as layer 2 only, which is very similar to virtual wire, or it can be a layer 2 implementation with a layer 3 interface, which is basically like a layer 3 switch. So in this section, we will look at each one of the deployments and how to deploy it, showing you examples of how to deploy in each type of situation. That's kind of a starting point. Then in section two, we're going to talk about how to set up your own Amazon instance and how to set up an environment in your home lab to test out the Palo Alto features. Let's keep going, and I'll see you in the next lecture.
3. Layer 2 deployment
In this lecture, we will talk about layer 2. The interface types available on the firewall are layer 2, layer 3, tap, virtual wire, and HA; here we look at layer 2 interfaces. You have a VLAN attached to this interface. There are two types of VLANs: a layer 2 VLAN, and then a layer 3 VLAN interface. Layer 2 interfaces give you a lot of flexibility as far as what you can do in your environment. So one example would be a firewall with multiple interfaces. Each interface, let's say, has a different type of server, and all of those are on the same VLAN.
The first interface has the email servers, the second interface has the web servers, the third interface has the load balancers, and they're all in the same VLAN. However, traffic going from one type of server to the other goes through the firewall, because each interface is in its own security zone. We're going to explain security zones in a later section, but a security zone is a segment that groups hosts with the same security requirements. So in this case, I have those three interfaces. The three interfaces are in layer 2, and they can communicate with each other, but each interface is in a different security zone. So I can control traffic going from the mail server to the web server, from the web server to the load balancer, and vice versa. I have complete control over the traffic going across. Those interfaces are layer 2 interfaces, and they are connected to a VLAN, and this is the layer 2 VLAN. So that's one example.
You can have the router connected on another layer 2 interface. In order for those segments to get out, they would need to get to the router through the layer 2 VLAN; the router is in the same layer 2 VLAN, and then they get out through the router. However, the Palo Alto firewall has a layer 3 VLAN interface that gives you the ability to route traffic from a layer 2 VLAN to the outside. So instead of connecting the router to a layer 2 interface, you can have the router interface on the firewall itself. In this case, we would have the same setup. Here I have my servers; they're all connected. These are layer 2 interfaces; each interface is in a different security zone, controlling the traffic between the different types of servers, and they're all in the same layer 2 VLAN. And then you have a layer 3 VLAN interface that will be the default gateway for those servers. If a server wants to connect to the internet, it will first go to the layer 3 VLAN interface, which then routes the traffic to another layer 3 VLAN interface or to an Ethernet layer 3 interface. You have the flexibility to do that. There's also another scenario for doing layer 2 VLANs: you can put the firewall transparently in the path of the traffic. So let's say you have a segment that has servers and you want to introduce the Palo Alto firewall to see what's going on.
Let's say you have a malicious attack or something going on and you want to introduce the Palo Alto firewall. You can basically split the segment in half, connect one half to the Palo Alto firewall on a layer 2 interface and the other half on a different layer 2 interface, and then create a layer 2 VLAN on the firewall that bridges the traffic between the two interfaces. This way, you put yourself in the middle without using a virtual wire. So this could be something you can do. And it's not limited to just one VLAN; you can have multiple VLANs on the same layer 2 interface. The way you do this is basically by creating sub-interfaces. Let's say this interface is a layer 2 interface. On this layer 2 interface, I have VLAN 100, which is my default VLAN, and I want to also trunk VLAN 200. So, basically, I'd create a sub-interface for VLAN 200 on this interface and a sub-interface for VLAN 200 on the other interface. So on the same interface I can have multiple VLANs going across and have the firewall be in the middle. So that's another scenario.
We'll simulate those examples in UNetLab; section 2 discusses UNetLab. In UNetLab, you log into the web interface and then click on "Add New Lab." We're going to call this "layer 2 deployment," click on it, and then open it. The first thing we have to do is create a network for pnet0, which is a bridge interface to your existing network. Then we're going to create a Palo Alto node, connect the management interface so we can manage the firewall, and connect ethernet1/1 to the network. What we're going to do here is bridge the network: use a layer 2 interface to bridge my home network to a different interface on the firewall using layer 2 interfaces. So ethernet1/1 will be the outside interface. Then I'm going to create a new node: add Linux nodes and use Tiny Core. I'm going to increase this to 256 MB of RAM and connect it to the firewall's ethernet1/2. So here, basically, ethernet1/1 is my home network, and ethernet1/2 is where the Linux machine is. And this is going to be a layer 2 interface. This one is in a security zone we'll call "inside," and this one is "outside."
We will use the VLAN interface to connect the two interfaces together. And this is layer 2; right now, we're talking only about layer 2. This allows traffic to pass through while the firewall in the middle protects whatever is behind it. So let's go ahead and start the VM. Now that it's started, I'm going to connect to it and give it a management IP address so I can manage it. Log in, enter configure, then set deviceconfig system ip-address with the address and netmask, and commit. Now I should be able to access it from here. Once you log in, you go to Network, Interfaces, and then ethernet1/1; that's the outside interface. We're going to click on it, change it to layer 2, and assign the VLAN. We'll make a security zone called "outside" and click OK, but first we'll bring up the interface. Then ethernet1/2; that's the inside, facing the Linux VM. We're going to create a new zone called "inside" and then use Advanced to bring the interface up. Then we'll create a security policy that allows everything (source any, destination any, action allow) and click Commit. Once it's finished here, I can boot up the Linux machine and connect to it.
And I should be able to get to the Internet. I'm going to open a terminal. ifconfig shows I have an IP address, and I can reach www.google.com. So traffic is going through the firewall, and it's basically a layer 2 VLAN, inside to outside. That's an example of a layer 2 deployment bridging two interfaces on the same VLAN. In my next step, I'm going to simulate having interfaces on multiple VLANs. So I'm going to create a switch. We're going to add a Cisco IOS 3725 and use the NM-16ESW switch module to do the switching. We're going to give it the layer 3 switch icon, create two of them, call them "switch," and save. So now I have two switches, switch 3 and switch 4. To simulate my trunking, I'm going to connect the switch's FastEthernet interface here. I need to expand the number of interfaces on the firewall. So let me expand the number of interfaces first: edit, and make it eight interfaces. I'm going to stop and restart it, and then I'm going to go ahead and connect the switch. So let's draw it out.
Here we'll have the default VLAN, and then we'll have a sub-interface for VLAN 100. We're going to put Linux machines here, here, and here, and verify that they can talk to each other, because this is layer 2. We need to assign static IP addresses to the machines, so I'll show you how to do that. This is connected to the wrong port; let me change it. Go ahead and delete that, and make it f0/1. Then I'm going to add four Linux Tiny Core nodes; make sure you change the memory to something small. So I have four of them, and I'm going to connect Tiny 7 to the switch's Ethernet. That's going to be VLAN 1, and that's going to be VLAN 100; this is VLAN 1, and this is VLAN 100. Now I'm going to configure the switch. I'm going to start it in connect mode. That's why you need a beefy machine, because otherwise your machine will crawl. My goal here is to be able to pass traffic across the VLANs using sub-interfaces, which is essentially trunking.
So this interface will be a trunk interface, this interface will be a trunk interface, and the firewall will have the main interface with the default VLAN and the sub-interface with VLAN 100. We'll assign IP addresses statically so we can ping across, and that will show you layer 2 with a trunk. So you can have a trunk instead of just one VLAN on a port. So let's go back to the firewall. I probably need to reconnect, and then I'm going to configure Network, Ethernet, ethernet1/3. One of these is going to be my inside layer 2 interface, and the other is going to be my outside. I'm going to create a new VLAN.
We'll call this VLAN "default-SW," the security zone is "outside," and bring it up. Then I'm going to click on Add Subinterface to create a sub-interface for VLAN 100 on ethernet1/3, and tag it; that's the 802.1Q tag. For the VLAN we're going to choose a new VLAN, "VLAN100-SW," and the security zone is "outside" as well. So I have the sub-interface created. For ethernet1/4, I'm going to do the same: make it layer 2, VLAN "default-SW," security zone "inside," Advanced, bring it up, OK. Then add a sub-interface for VLAN 100, tag 100, the VLAN is "VLAN100-SW," and the zone is "inside"; and OK, did I bring it up? So, as you can see, this is the untagged one; untagged traffic will come in on that interface.
This is the tagged one; frames tagged 100 will come in on this sub-interface, and the firewall will basically bridge what comes in untagged on ethernet1/3 to go out untagged on ethernet1/4, and what comes in tagged 100 on ethernet1/3 to go out ethernet1/4.100 tagged with 100. So that's basically the idea. We're going to go ahead and commit, and now we need to configure the switch's FastEthernet interface, which is the trunk interface. That has to be on the switch module, which is module 1, so I need to change that: stop it, change the interface assignment, edit interfaces, disconnect this one and the other one, and then connect them again in connect mode. I need to stop the firewall as well; it's committed, so I just need to stop the firewall and start it again in connect mode. Then I'm going to disconnect and reconnect, start the firewall one more time, and start the switch one more time.
Okay, so let's connect to the switch now. Basically, we need to configure this interface, f1/2, as a trunk. We first create the VLAN in the VLAN database: vlan database, vlan 100, exit. Then configure the interface: interface f1/2, switchport mode trunk, switchport trunk allowed vlan all, and I'm going to put spanning-tree portfast on it as well. Then I'm going to configure this one to be an access port on VLAN 100: switchport access vlan 100. Then switch 4: do the same on the f1/2 interface, switchport mode trunk. Well, I have to create the VLAN first: vlan database, vlan 100. Then I'm going to connect to Tiny 7 and Tiny 4. Now they are connected across the firewall.
So I'll connect to Tiny 7, go to the terminal, and configure the IP address of the interface with sudo. Okay, so that one is up. I had to power off all the machines and power them back on again, because sometimes when you add interfaces it just acts up. So right now we see it in the middle. I have Tiny 5 and Tiny 7 talking to each other. I'm going to configure Tiny 8 and Tiny 6, which are on VLAN 100: sudo su, then ifconfig with a 192.168 address and netmask 255.255.255.0. Then I'm going to go ahead and ping the other side, and I can ping it. I have a CLI open on the firewall, and I can see the actual ping traffic going across. If I do show session id for one of the sessions, you can see that the ingress interface is the .100 sub-interface. It's hitting the rule, it's identifying the application, and it's recording the flow. So it's a great way to put the Palo Alto firewall in the middle of your network while causing only minor disruption and having the firewall across the network.
And then there's another situation: you have a switched environment with multiple VLANs and multiple switches, right? You have multiple switches in your environment, so you basically have multiple VLANs. This is a trunk, and this is a trunk. You can put the firewall on this side, assuming that the active trunk is this one here, and carry the VLANs through it. If you do spanning tree changes, you can gracefully move traffic to the other side and then put the firewall there. So then you have the firewall covering your entire network. Let's say this is your data center: you can basically have a firewall capturing traffic and protecting your network transparently as a layer 2 deployment in your environment. That's one big advantage of this. There are additional scenarios that we need to talk about; related deployments will be covered in the following lectures.
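The layer 2 bridging just walked through, as an added model that is not part of the lecture and not PAN-OS code: layer 2 interfaces and 802.1Q sub-interfaces are members of VLAN objects, each interface sits in a security zone, and a frame's ingress port plus VLAN tag selects the sub-interface, the VLAN object decides where it can be bridged, and the ingress and egress zones decide which security rule applies. The interface and VLAN object names follow the lab above; the MAC addresses, the single allow rule and the PAN-OS default intrazone-allow/interzone-deny behaviour are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INTRAZONE_DEFAULT = "allow"   # PAN-OS default rule: same-zone traffic allowed
INTERZONE_DEFAULT = "deny"    # PAN-OS default rule: cross-zone traffic denied


@dataclass(frozen=True)
class L2Interface:
    name: str            # "ethernet1/3" or the sub-interface "ethernet1/3.100"
    tag: Optional[int]   # 802.1Q tag; None is the untagged parent interface
    vlan: str            # VLAN object that bridges this interface with others
    zone: str            # security zone the interface is assigned to

    @property
    def port(self) -> str:
        return self.name.split(".")[0]


@dataclass
class L2Firewall:
    interfaces: Dict[str, L2Interface]
    rules: List[Tuple[str, str, str]]   # (from_zone, to_zone, action), evaluated top-down
    mac_table: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (vlan, mac) -> iface

    def ingress(self, port: str, tag: Optional[int]) -> L2Interface:
        """The 802.1Q tag on the wire selects the sub-interface; no tag selects the parent."""
        for iface in self.interfaces.values():
            if iface.port == port and iface.tag == tag:
                return iface
        raise LookupError(f"no layer-2 interface on {port} for tag {tag}; frame dropped")

    def policy(self, from_zone: str, to_zone: str) -> str:
        for src, dst, action in self.rules:
            if src in ("any", from_zone) and dst in ("any", to_zone):
                return action
        return INTRAZONE_DEFAULT if from_zone == to_zone else INTERZONE_DEFAULT

    def forward(self, port: str, tag: Optional[int], src_mac: str, dst_mac: str):
        """Bridge one frame; returns [(egress interface, egress tag, policy action)]."""
        in_if = self.ingress(port, tag)
        self.mac_table[(in_if.vlan, src_mac)] = in_if.name   # MAC learning, per VLAN object
        known = self.mac_table.get((in_if.vlan, dst_mac))
        if known:
            egress = [self.interfaces[known]]
        else:   # unknown destination: flood only to other members of the same VLAN object
            egress = [i for i in self.interfaces.values()
                      if i.vlan == in_if.vlan and i.name != in_if.name]
        return [(out.name, out.tag, self.policy(in_if.zone, out.zone)) for out in egress]


def build_lab() -> L2Firewall:
    """The lecture's trunk lab: untagged and VLAN 100 on ethernet1/3 (outside) and ethernet1/4 (inside)."""
    ifaces = [
        L2Interface("ethernet1/3", None, "default-SW", "outside"),
        L2Interface("ethernet1/3.100", 100, "VLAN100-SW", "outside"),
        L2Interface("ethernet1/4", None, "default-SW", "inside"),
        L2Interface("ethernet1/4.100", 100, "VLAN100-SW", "inside"),
    ]
    # Constructed policy: the lecture allowed everything; this one allows only inside -> outside.
    return L2Firewall({i.name: i for i in ifaces}, [("inside", "outside", "allow")])


if __name__ == "__main__":
    fw = build_lab()
    # Constructed MAC addresses: host A behind ethernet1/4.100, host B behind ethernet1/3.100.
    print(fw.forward("ethernet1/4", 100, "00:50:56:00:00:0a", "00:50:56:00:00:0b"))
    print(fw.forward("ethernet1/3", 100, "00:50:56:00:00:0b", "00:50:56:00:00:0a"))
```

Two things the model makes visible that the GUI clicks do not: a tagged frame is only ever bridged to the other member of its own VLAN object (tag 100 never leaks into the untagged VLAN, even though both live on the same physical ports), and a frame arriving with a tag that has no sub-interface is dropped rather than bridged.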
4. Layer 3 deployment
In the previous lecture we set up the firewall in a layer 2 deployment, and we can slowly introduce layer 3 by adding a layer 3 VLAN interface. In the previous lecture the firewall had two segments: one is VLAN 1, which is the default, and the other is a sub-interface for VLAN 100. And we had traffic going across the layer 2 segments. Right now, those two VLANs are basically able to get to each other using layer 2. If we want those VLANs to be able to exit to the outside world, we can create a layer 3 VLAN interface. We want to create two layer 3 VLAN interfaces, one for this network and one for this network, and put an IP address on each interface. So this is going to be VLAN 1, and this is VLAN 100.
Then we put our IP address on this interface. In the previous lecture, when we initially set up UNetLab, we set it up with ethernet1/1 connected to the home network. So we want to send the traffic from VLAN 1 and VLAN 100 out over ethernet1/1. In this case, the firewall is acting as a layer 3 switch, because you have one VLAN for which it's acting as the default gateway, another VLAN for which it's also acting as the default gateway, and then another layer 3 physical interface that carries the traffic off the box. So we have two layer 3 virtual interfaces and a layer 3 physical interface, and the traffic from the virtual interfaces will go out the physical interface.
So we're going to connect to the firewall, and I'm going to change ethernet1/1 to layer 3 and have it get a dynamic IP address; this way I can get out. I'm going to set this to layer 3 and put it in the virtual router "default." Then we're going to create a security zone called "untrust" and click OK. Under IPv4, I'm going to specify DHCP client, so I get a DHCP address from my home network. I have two VLANs, "default-SW" and "VLAN100-SW," and I want to create a layer 3 interface for each of those VLANs. So I'm going to go to Interfaces, then VLAN, and we're going to call this vlan.1.
I'm going to specify that this is attached to VLAN "default-SW," which is the untagged VLAN. The virtual router is set to "default." Then, in the security zone field, we're going to create a security zone; that's a layer 3 security zone, because we're using a layer 3 VLAN interface, and we're going to call it "VLAN1." Okay. Then I'm going to give the VLAN interface an IP address: the default VLAN will be 192.168.2.1/24. Now that layer 3 interface is attached to the layer 2 VLAN, so it can act as the default router for the VLAN. I want to keep things simple, so I'm going to configure DHCP. Then I'm going to create a VLAN interface for VLAN 100: attach it to "VLAN100-SW," the virtual router is "default," and for the security zone I'm going to create a new zone called "VLAN100," and we should check "Enable User Identification." Any time you create a zone that's facing users, you need to enable user identification. Then the address is 192.168.3.1/24.
That's going to be the IP address. I'm also going to create the DHCP scope for each VLAN: the IP pool, the gateway option, which is the VLAN interface address, the subnet mask, which is 24 bits, and DNS. And because my home network has no route back to those two subnets, I'm going to have to NAT them. We cover NAT in detail in a different section. So I'm going to create a NAT policy here, "NAT VLAN1": source zone VLAN1, destination zone untrust, translated to dynamic IP and port, interface address ethernet1/1; and another for VLAN 100: source zone VLAN100, destination zone untrust, translated to dynamic IP and port, interface address ethernet1/1. So now we're ready. Now I should start up my VMs here. As soon as it commits, they should get an IP address from the DHCP scope. So I'm going to start this VM.
Oh, it didn't even stop. Okay, so now that I'm logged in, I'm going to go to the terminal and do ifconfig, and I have an IP address here. Let me increase the window size, and I should be able to ping the internet. If I can't ping the internet here, I'll come back to it. I'm going to start the other VM as well that's on the same VLAN. So I'm going through the layer 3 interface to the outside. Right, let's go to the firewall and show what sessions are going on: show session all. We see a whole bunch of sessions going across. You see here, those are to untrust and they're getting discarded. Let's see if this machine has an IP address ending in .211; I should be able to ping the other machine on the same VLAN, .210. It's not pinging. Let me do show session all with a filter on source .210, and let me verify that this interface is a trunk interface: show mac dynamic. Now it's probably started pinging.
So I see here now that it started pinging. The switch port was sitting in spanning tree; this is why I turned on portfast earlier, so I don't have to wait and start scratching my head. That's that, and I'm able to get to the Internet. So now let me start the other two machines here. This one is up and running already; I'm going to stop it and start it again. I'm going to start this one. This is on VLAN 100, so I should be able to get an IP address on VLAN 100. Getting an IP address is probably still waiting on spanning tree. I don't have a management profile on vlan.1 and vlan.100, so I'm going to create a management profile that permits ping and add it to vlan.1 and vlan.100. This way, I can ping from the machine to the default gateway to at least test connectivity before going further. Okay, so now I can ping the gateway; let me see the other computer, and I should be able to ping the internet as well.
And now I should be able to ping the other VLAN, because I've allowed that traffic; I've allowed pretty much everything, so I have traffic between VLANs right now, which is what I mean by the firewall acting as a layer 3 switch. So you can have the firewall act as a transparent layer in the middle by having a layer 2 VLAN only.
If you attach a layer 3 interface to that VLAN, then you can have the firewall act as a layer 3 switch. The layer 2 interfaces are pretty versatile and give you the ability to have the firewall participate in many different types of scenarios, so you can customise how you put the firewall in your network and how you want to look at the traffic. And remember that in our scenario here, those two devices are now going through the firewall, so you can have rules for the traffic between those two Linux boxes.
Let's say this is a web server and this is a database server. You can restrict what type of traffic goes between the web server and the database server, as well as what traffic comes from outside to any of the VLANs. So we have a lot of flexibility as far as the security policy goes with a layer 2 deployment. And then this is the layer 3 deployment relying on layer 2 interfaces. Plain layer 3 interfaces are pretty straightforward. I created a layer 3 interface here, ethernet1/1, which is the interface for the outside; that's layer 3, in the untrust zone. It's pretty straightforward: it's like an interface on your router. You assign it an IP address, and that's a layer 3 interface.
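The layer 3 behaviour built up over this lecture, as an added model that is not part of the lecture and not PAN-OS code: the two VLAN interfaces act as default gateways for their subnets, ethernet1/1 carries the default route, the zone pair of ingress and egress interface selects the security rule, and traffic allowed toward untrust is source-translated to the egress interface address (the lecture's dynamic IP and port NAT). The VLAN interface addresses and zone names follow the lecture; the ethernet1/1 address stands in for the DHCP lease, and the security rules are constructed to show the web-server/database-server restriction described above rather than the allow-everything rule the lecture actually used.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class L3Interface:
    name: str                          # "vlan.1", "vlan.100", "ethernet1/1"
    zone: str
    address: ipaddress.IPv4Interface   # address/prefix configured on the interface


class L3Firewall:
    def __init__(self, interfaces: List[L3Interface], default_route: str,
                 nat_rules: List[Tuple[str, str, str]], security_rules: List[Tuple[str, str, str]]):
        self.interfaces = {i.name: i for i in interfaces}
        self.default_route = default_route        # egress interface for 0.0.0.0/0
        self.nat_rules = nat_rules                # (from_zone, to_zone, egress interface)
        self.security_rules = security_rules      # (from_zone, to_zone, action), top-down

    def connected(self, ip: ipaddress.IPv4Address) -> Optional[L3Interface]:
        """Longest-prefix match among the directly connected subnets, or None."""
        best = None
        for iface in self.interfaces.values():
            if ip in iface.address.network and (
                    best is None or iface.address.network.prefixlen > best.address.network.prefixlen):
                best = iface
        return best

    def route(self, dst: ipaddress.IPv4Address) -> L3Interface:
        return self.connected(dst) or self.interfaces[self.default_route]

    def policy(self, from_zone: str, to_zone: str) -> str:
        for src, dst, action in self.security_rules:
            if src in ("any", from_zone) and dst in ("any", to_zone):
                return action
        return "allow" if from_zone == to_zone else "deny"   # PAN-OS default rules

    def forward(self, src: str, dst: str) -> Dict[str, object]:
        """Decide ingress/egress interface, zone pair, policy action and the translated source."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        in_if = self.connected(src_ip)
        if in_if is None:
            raise LookupError(f"{src} is not on a connected subnet")
        out_if = self.route(dst_ip)
        action = self.policy(in_if.zone, out_if.zone)
        translated = src
        if action == "allow":
            for from_zone, to_zone, egress in self.nat_rules:
                if from_zone == in_if.zone and to_zone == out_if.zone:
                    # dynamic IP and port: source becomes the egress interface address
                    translated = str(self.interfaces[egress].address.ip)
                    break
        return {"ingress": in_if.name, "egress": out_if.name,
                "zones": (in_if.zone, out_if.zone), "action": action, "src": translated}


def build_lab() -> L3Firewall:
    return L3Firewall(
        interfaces=[
            L3Interface("vlan.1", "VLAN1", ipaddress.ip_interface("192.168.2.1/24")),
            L3Interface("vlan.100", "VLAN100", ipaddress.ip_interface("192.168.3.1/24")),
            # DHCP-assigned in the lecture; a constructed placeholder lease is used here
            L3Interface("ethernet1/1", "untrust", ipaddress.ip_interface("10.0.0.5/24")),
        ],
        default_route="ethernet1/1",
        nat_rules=[("VLAN1", "untrust", "ethernet1/1"), ("VLAN100", "untrust", "ethernet1/1")],
        # Constructed: everyone may reach untrust, the web VLAN may reach the database VLAN,
        # but nothing in the security rules allows VLAN100 to initiate toward VLAN1.
        security_rules=[("any", "untrust", "allow"), ("VLAN1", "VLAN100", "allow")],
    )


if __name__ == "__main__":
    fw = build_lab()
    for flow in (("192.168.2.10", "8.8.8.8"), ("192.168.2.10", "192.168.3.10"),
                 ("192.168.3.10", "192.168.2.10")):
        print(flow, fw.forward(*flow))
```

Inter-VLAN traffic never leaves the box and is not translated, which is why the NAT rules are keyed on the untrust destination zone; it is still subject to the zone-pair policy, which is the "layer 3 switch with a firewall in the middle" point of the lecture.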
5. Layer 2 deployment and spanning tree
So in the case of layer 2, spanning tree is allowed through. I have two switches, and spanning tree is basically passed through by the firewall. If I go to switch four and do "show spanning-tree brief", I see here that the root is seen across the network, so this is the root ID; this switch is the root. Let's take a look at switch three to see the other switch's view of the root. So this switch's bridge ID is C20FD1B, and the root ID is C20FD1B, and this switch's bridge ID is C203. If you have a situation where you want to have redundancy, let's say the firewall is in layer 2 mode in between the VLANs, but you just don't want to use a single interface, you want to have a failover interface that picks up the traffic. In the case where one interface goes down, you can add another interface, and basically it will converge.
Spanning tree would converge correctly. So let's prove that out. Essentially, I'm going to connect another interface on switch three to ethernet1/5 on the firewall, and then configure the firewall for ethernet1/5 to be a layer 2 interface and create a VLAN 100 sub-interface as well, so you have one trunk interface and another trunk interface with spanning tree running across the two. The firewall is not blocking spanning tree; it passes it through, and the two switches see each other across spanning tree, and they fail over using spanning tree. So I'm going to configure this as layer 2. I'm going to put it in VLAN default; the security zone is outside, and this Ethernet will allow me to bring up the interface, but I'll also need to configure sub-interfaces.
So add sub-interface 100, tag 100, because I'm using 802.1Q trunking, and the VLAN is VLAN 100; the security zone is inside. I'm going to commit. I have a continuous ping here on VM 168, which is the other side. So spanning tree should be going across, and the proof of this is that I first need to disable spanning-tree portfast, which I enabled a couple of lectures ago, because otherwise it's going to cause an issue. When I had one interface, it was okay, but if I have two interfaces, that's a problem. On interfaces FA1/1, FA1/2 and FA1/3 I need to disable spanning-tree portfast because you now have two links, resulting in a spanning-tree loop. Unfortunately, this Ethernet switch module does not do PVST; it only runs a single spanning tree. Well, the proof right now is that I'm going to shut down. So FA1/1, 1/2, and 1/3 are up. Those are the two trunk interfaces, so technically right now I'm trying to simulate the failure of one interface, so if I shut down one interface, the other interface will pick up. Interfaces one and two; I'm going to shut that down.
My ping stopped, and it should resume shortly. Once spanning tree converges, it should resume. So there's one problem here: interface one needs to be configured as a trunk port. I don't have it configured as a trunk port, and I don't see it learning in the spanning-tree status, so it doesn't seem like it's working. "show mac-address-table dynamic": I don't see any MAC addresses here. "show mac-address-table dynamic": I see only one MAC address. When you add an interface, you have to shut down and no-shut the interface because otherwise it doesn't work correctly. So I'm going to do the same steps again, and FA1/1 on switch four here, I'm going to shut it down, and then we will see what happens. It didn't take a long time, it just switched over. Right now it's going across the other link. To prove it out, let's show the MAC addresses. "show mac-address-table dynamic": you should see the traffic coming in from FA1/2. I shut down FA1/1, which was the wrong interface to shut down, so I'm going to shut down the other interface, let it do the spanning-tree convergence of 50 seconds on the dot1Q trunk, and then I'm going to shut down the lowest interface. This way, a shutdown would trigger spanning tree.
So now it should have stopped, and we should see how long it takes to converge. It should be 50 seconds. "show mac-address-table dynamic": I don't see anything on three yet. "show spanning-tree brief": it is currently learning. It should be forwarding now, and it has begun pinging again. So this shows layer 2 interfaces, spanning tree and trunk effects, and provides failover, where you can fail over between different trunk interfaces based on spanning tree, which is the typical setup you'd find in a lot of environments. Layer 2 passes spanning tree, which is the BPDU frames for spanning tree, and it is completely transparent. It does not modify the BPDUs; it basically passes them through, and that will allow switches to fail over between different interfaces on different VLANs.
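As an added example, not the course's own configuration, here is the CLI equivalent of the setup walked through above: the firewall side in PAN-OS `set` syntax and the switch side in Cisco IOS. The VLAN object name `vlan100`, the switch port name `FastEthernet1/2` and the exact command syntax are assumptions; verify them against the PAN-OS and IOS versions you run.

```text
# ---- PAN-OS firewall (configure mode) ----
# Physical ethernet1/5 as a layer2 interface carrying the untagged/native VLAN,
# placed in the built-in VLAN object "default" and in zone "outside".
set network interface ethernet ethernet1/5 layer2
set network vlan default interface ethernet1/5
set zone outside network layer2 ethernet1/5

# 802.1Q tag 100 lands on sub-interface ethernet1/5.100, bridged by VLAN
# object "vlan100" (assumed name) and placed in zone "inside".
set network interface ethernet ethernet1/5 layer2 units ethernet1/5.100 tag 100
set network vlan vlan100 interface ethernet1/5.100
set zone inside network layer2 ethernet1/5.100
commit

# ---- Cisco IOS switch (sw3), second uplink towards the firewall ----
! Port name is a placeholder; use the port actually cabled to ethernet1/5.
interface FastEthernet1/2
 switchport trunk encapsulation dot1q   ! only where the platform requires it
 switchport mode trunk
 no spanning-tree portfast              ! portfast on a redundant trunk defeats loop prevention
 no shutdown
!
! Verification: the root ID must be identical on both switches (BPDUs crossed
! the firewall), exactly one of the two trunks should be forwarding, and after
! shutting the active trunk the MACs reappear behind the other one.
show spanning-tree brief
show mac-address-table dynamic
```

After `shutdown` on the forwarding trunk, the ping gap you observe is the STP convergence time; with classic 802.1D timers (max age 20 s plus two forward-delay periods of 15 s) that is the 50 seconds mentioned in the lecture.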