<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Routing between Virtual Systems with a VWIRE in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/routing-between-virutal-systems-with-a-vwire/m-p/16581#M12092</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We currently have our Main PA configured in a VWIRE deployment with a TRUST and UNTRUST Zone.&amp;nbsp; We have many different VLANs on our network and the default route for all internet-bound traffic passes through the VWIRE.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We want to configure multiple VSYS on the PA for our different divisions. Example: VSYS1 - Enterprise, VSYS2 - Retail, VSYS3 - Public, etc. with a Shared Gateway.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is it possible to configure the PA so that the VWIRE stays in place and, as traffic passes through, direct that traffic to the other VSYS based on VLAN ID in order to apply security policies, and then that VSYS would send the traffic to the Shared Gateway out to the internet?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In other words, if Packet A has VLAN 10, stay with VSYS1 and apply security policy; if Packet B has VLAN 20, send to VSYS2 and apply VSYS2 security policy; then send Packet A and Packet B to the shared gateway.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 27 Jan 2012 14:58:06 GMT</pubDate>
    <dc:creator>oneidanation</dc:creator>
    <dc:date>2012-01-27T14:58:06Z</dc:date>
    <item>
      <title>Routing between Virtual Systems with a VWIRE</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/routing-between-virutal-systems-with-a-vwire/m-p/16581#M12092</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We currently have our Main PA configured in a VWIRE deployment with a TRUST and UNTRUST Zone.&amp;nbsp; We have many different VLANs on our network and the default route for all internet-bound traffic passes through the VWIRE.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We want to configure multiple VSYS on the PA for our different divisions. Example: VSYS1 - Enterprise, VSYS2 - Retail, VSYS3 - Public, etc. with a Shared Gateway.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is it possible to configure the PA so that the VWIRE stays in place and, as traffic passes through, direct that traffic to the other VSYS based on VLAN ID in order to apply security policies, and then that VSYS would send the traffic to the Shared Gateway out to the internet?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In other words, if Packet A has VLAN 10, stay with VSYS1 and apply security policy; if Packet B has VLAN 20, send to VSYS2 and apply VSYS2 security policy; then send Packet A and Packet B to the shared gateway.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 27 Jan 2012 14:58:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/routing-between-virutal-systems-with-a-vwire/m-p/16581#M12092</guid>
      <dc:creator>oneidanation</dc:creator>
      <dc:date>2012-01-27T14:58:06Z</dc:date>
    </item>
    <item>
      <title>Re: Routing between Virtual Systems with a VWIRE</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/routing-between-virutal-systems-with-a-vwire/m-p/16582#M12093</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Would we need to go away from VWIRE and go to a LAYER 3 type deployment using sub-interfaces and VLAN tagging?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also note that each VLAN is on its own unique IP-Subnet.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 27 Jan 2012 16:24:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/routing-between-virutal-systems-with-a-vwire/m-p/16582#M12093</guid>
      <dc:creator>oneidanation</dc:creator>
      <dc:date>2012-01-27T16:24:02Z</dc:date>
    </item>
    <item>
      <title>Re: Routing between Virtual Systems with a VWIRE</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/routing-between-virutal-systems-with-a-vwire/m-p/16583#M12094</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You could set it up this way if you still want to keep the VWIRE (just an example):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;VSYS1: int0, int1&lt;BR /&gt;VSYS2: int2, int3&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;and then in the switch before and after your PAN split up which VLAN will be sent through which VSYS like so:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;internal-switch (VLAN10) gi0/1 -&amp;gt; PAN int0&lt;BR /&gt;internal-switch (VLAN20) gi0/2 -&amp;gt; PAN int2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;external-switch (VLAN10) gi0/1 -&amp;gt; PAN int1&lt;BR /&gt;external-switch (VLAN20) gi0/2 -&amp;gt; PAN int3&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But I would recommend you switch to a layer3 type deployment. Using VWIRE (in my opinion) is more of an IDP/IPS scenario rather than having the PAN taking more decisions regarding what the nexthop should be and stuff like that.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can still use VSYS with a layer3 deployment; actually it will in some way better utilize the interfaces available (compared to just using a single interface for all traffic connected to the uplink) and it will also minimize the rules needed in each VSYS if you, for example, split up so one VSYS will be for web browsing while the other VSYS will be used for handling your regular production-based traffic like email, DMZ etc.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 27 Jan 2012 21:57:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/routing-between-virutal-systems-with-a-vwire/m-p/16583#M12094</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2012-01-27T21:57:55Z</dc:date>
    </item>
  </channel>
</rss>

