topic Re: configuration help-vwire subinterfaces with different policies per vlans in General Topics

configuration help-vwire subinterfaces with different policies per vlans

pkonitz — Mon, 15 Apr 2013 12:28:45 GMT

Hi all,

Its my first post here so I hope someone can answer my question regarding vwire subinterfaces.

As I was looking through the older topics the thing I want to achieve is similar to this.

https://live.paloaltonetworks.com/message/9679#9679

however I want to use vwire subinterfaces instead of L2.

According to course material it can be done.

Basicly I want to create differnet policies between different zones with vwire subinterface.

switch (trunk - allowed vlans 123,812) -------------- PAN (vwire LAN) ------------- (trunk) cisco ASA

I have 4 zones

Trust-LAN

Trust-NAVIS

Untrust-LAN

Untrust-NAVIS

with this configuration traffic can't pass the PAN (with "none" set as security zone on physical interface)

traffic flows only if the main interfaces has a security zone assigned to it, but then all traffic is considered to be from this zone.

Can I differentiate vwire subinterfaces or not ( I mean zones on subinterfaces)?

thx for help

Re: configuration help-vwire subinterfaces with different policies per vlans

sjodlowski — Wed, 17 Apr 2013 07:55:09 GMT

Hello,

Not sure (have not tested yet) but it looks like you did not do a VLAN/vwire config for your subinterfaces?

Regards,

Seweryn

Re: configuration help-vwire subinterfaces with different policies per vlans

pkonitz — Wed, 17 Apr 2013 08:12:23 GMT

Hi Seweryn,

What do u mean by not configuring a Vlan/vwire on subinterfaces?

As it is written in coursebook subinterfaces inherits vlan/vwire config from main interface. I can set it on the main interface but after that there is no choice for subinterface to have the same vwire assigment (casue this vwire was already used)

from the book:

Note that you do not specify the virtual wire object during the creation of the subinteface. Since the subinterface is built on an existing virtual wire interface, the virtual wire object is inherited from parent interface. However, the subinterface and parent interface can be configured on different zones

I have vwire crated (its called LAN)

have ethernet 1/1 assigned to LAN.

then have no option for subinterface.

But i think this in not the problem. The main issue is that even though I've got different security zones assigned to subinterfaces the traffic flows only when main interfaces is assigned to it as well. As a consequence subinterfaces inherits it from main interface (the proof is in logs) so I cant diferentiate traffic based on ZONES.

regards

Message was edited by: Przemyslaw Konitz

Re: configuration help-vwire subinterfaces with different policies per vlans

sjodlowski — Wed, 17 Apr 2013 08:30:09 GMT

Przemek,

Please click on New Virtual Wire and create one for this subinterface. I did it for my PA-200 but can't test if it works as expected.

Seweryn

Re: configuration help-vwire subinterfaces with different policies per vlans

pkonitz — Wed, 17 Apr 2013 09:19:09 GMT

great - it worked

after modifications

so this is not true what the book says

...

The subinterfaces allow you to separate and classify traffic into different zones by either VLAN tags or VLAN tags in conjunction with IP classifiers (address, range, or subnet.)

...

the main interface must be on separate vwire object and each one of the subinterfaces as well.
No vlan tagging on Vwire !!! only on subinterfaces
only then subinterfaces are seen as being on separeted zones

thx Seweryn

hope to be in touch

regards

Przemek