topic Re: Subinterfaces with same VLAN tag in General Topics

Subinterfaces with same VLAN tag

rjdahav163 — Wed, 10 Jan 2018 12:17:01 GMT

Hello

We are designing a setup with PA 3060. On that we plan to have 2 vsys, lets call them V1 and V2.

I have an aggregated interface, lets call it ae22.

I want to create 2 subinterfaces:

ae22.1 ----- will be assigned to V1

ae22.2 ----- will be assigned to V2

Question: Can ae22.1 and ae22.2 have the same vlan number lets say vlan 100 ?

Thanks and Regards,

Re: Subinterfaces with same VLAN tag

BPry — Wed, 10 Jan 2018 13:58:22 GMT

@rjdahav163,

Since they will be assinged to a different vsys this shouldn't pose any issues at all.

Re: Subinterfaces with same VLAN tag

tommyschoemans — Wed, 19 Sep 2018 11:16:12 GMT

Hello,

This is not possible, you can not use the same vlan tag on the same aggregated interface for layer3 sub-interfaces. I also tried using a L2 aggregated interface with 2 vlan interfaces but no success >> " No two logical aggregate interfaces can have same tag value."

I guess you already figured this out the hard way.

So as far as I know now it is not possible to have 2 or more vsys to have a IP in the same network/vlan when this is going via one and the same aggregated interface.

kr,

Tommy

Re: Subinterfaces with same VLAN tag

psycoma1984 — Tue, 05 Oct 2021 12:27:20 GMT

hello, have you figured a way to handle your design requirement? I am facing similar problem to have multiple interfaces with same dot1q tag between vSYS.

Re: Subinterfaces with same VLAN tag

laurence64 — Tue, 05 Oct 2021 13:26:09 GMT

HI @rjdahav163

Can I ask why you need the same vlan tag to span the Vsys ? under any condition I would think this would be strange configuration but I have seen stranger requirements, As far as I am aware the configuration as you want it will not work as the firewall will need to use the tag to direct the traffic at the right VSYS.

If we had a better understanding of what you need to achieve it may be easier to assist with a solution.

Re: Subinterfaces with same VLAN tag

psycoma1984 — Tue, 05 Oct 2021 13:35:23 GMT

Hello Laurence,

In my case it is just a simple migration of 3 Cisco ASA virtual contexts to Palo Alto in 1:1 fashion. Since Cisco ASA has no problem with having subinterfaces with same dot1q tag on different contexts it was supposed we proceed with a migration in similar fashion to Palo Alto vSys. Right now it looks like it has such kind of limitation though, which is not a problem on Cisco.

Please see attached picture of our current design. We want to have only single port-channel between PA box and switches. All logical subinterfaces should be hanging off of it.

So the question is - how can we work around this problem and if adding another physical interface for each context is the only solution?

Re: Subinterfaces with same VLAN tag

laurence64 — Tue, 05 Oct 2021 14:00:36 GMT

So, let me see if I understand this, you have the three contexts at the bottom of the diagram and you are wanting to share the gateway that is on vlan 99 across the three VSYS ?

If this is the case then I would look at the shared gateway implementation as this would fit your use case perfectly

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/virtual-systems/shared-gateway.html

Hope this helps, if not let me know if I can be of anymore assistance.

Re: Subinterfaces with same VLAN tag

psycoma1984 — Tue, 05 Oct 2021 14:21:35 GMT

Hi,

AFAIK it won't fit my requirements.

We need to have L3 interface on each of 3 new vSYS on PA box, which is sharing same IP subnet and (ideally) VLAN ID. This is required as we have multiple networks routed through each firewall context and those L3 interfaces are acting like next-hop-address.

So in my picture above 10.10.10.254 is the common gateway for all 3 contexts, but it is not located on FW, it is just a router which has interface within same VLAN/Subnet.

Re: Subinterfaces with same VLAN tag

laurence64 — Tue, 05 Oct 2021 14:22:27 GMT

I see, I would like to go away and Lab this up, I am sure there will be a way to make this an easy migration, just for confirmation sake the Vlan that needs to shared across the VSYS in this example is 99 yes ? and then the three contexts are the nexthop gateway for your subnets ?

Re: Subinterfaces with same VLAN tag

psycoma1984 — Tue, 05 Oct 2021 14:30:47 GMT

Hi,

That's exactly correct. So in our design simplified from a router point of view on top of the pic we have for example:

1. Network A, next-hop is 10.10.10.1/24;

2. Network B, next-hop is 10.10.10.2/24;

3. Network C, next-hop is 10.10.10.3/24

So in fact 10.10.10.0/24 is a transit network between router and firewall contexts.

I see so following workaround: perform migration Cisco-->PA as they currently are, but add PHYSICAL interface to each of vSYS and tag it to VLAN99 from switch side (assuming it will be configured L3 untagged on FW side) or have a subinterface off from it. This way I would be able to overcome a restriction PA has - 'to not have subinterface with the same dot1q VLAN tag on same physical interface'.

Would be grateful if you can share other option which does not require to occupy physical interface for subinterface workload just because it is not allowed by PA.

Thanks!

Re: Subinterfaces with same VLAN tag

psycoma1984 — Fri, 08 Oct 2021 20:12:44 GMT

Hello Laurence,

Few other questions if I may:

I have 3 additional questions I want to ask you:

1. Is it the same with a port-channels (aggregated interfaces)? Can we create subinterfaces from aeX interface with the same VLAN tag?
2. Will it work if we create subinterfaces from physical interface or aggregate interface with same VLAN tag, but move each in separate vSYS?
3. In 'shared gateway' scenario, do we need to use PHYSICAL INTERFACE as a 'external interface' on shared gateway or can it be subinterface or port-channel as well?

Thanks and appreciate if you can answer those!

Re: Subinterfaces with same VLAN tag

KengSeng — Mon, 17 Oct 2022 06:45:26 GMT

Same VLAN cannot exist in multiple subinterface under 1 physical interface. Same subinterface under 1 physical interface cannot assign to multiple vsys(es). Therefore, the only workaround is to create the same VLAN ID under multiple physical interfaces in order to assign to multiple vsys(es) to the same VLAN. To save the 10G interface capacity, you might wanna trunk that interface.