topic Re: Multiple Virtual Routers sharing the same INSIDE zone? Possible? in General Topics

Multiple Virtual Routers sharing the same INSIDE zone? Possible?

dagibbs — Mon, 28 Feb 2011 04:09:56 GMT

Hi.

I have my PA's running fine and dandy with my normal internet link(s) and DMZ farmed out to my edge routers without issue.

Now I have coming a requirement for a dedicated, seperate Internet link and DMZ for a special purpose with the traffic being completely isolated from my "main' links.

I want to assign two new interfaces - one for the extra DMZ required, and one for the additional Internet link - and use a different VR to link these two interfaces, with the default route for this pair or ports point to the 'new" internet link rather than my normal "default" route - however, I also want machines from my normal "inside" interface to be able to access devices in this DMZ.

Can I put the "normal" inside interface into the new VR and allow communciation between the inside and the new DMZ/Link without affecting the standard default route out my 'main" links?

Configuration something like this

VR Name : Router 1

Interfaces : Ethernet1/1 (inside)

Ethernet1/2 (outside - default route)

Ethernet1/3 (Main DMZ)

VR Name : Router-2

Interfaces : Ethernet1/1 (inside)

Ethernet1/4 (New-Internet, special-purpose route)

Ethernet1/5 (Special DMZ)

I don't want traffic from E1/2 mixing with E1/4 9I.E. all "Internet" bound traffic from E1/1 and E1/3 should default out this route), but I do to be able to get to nodes in both both E1/3 & E1/5 from the inside (E1/1) inetrface, and I want ALL internet traffic froM E1/5 to go out E1/4 instead of E1/2.

Hope this is clear enough explaination - I think I just confused myself!

Re: Multiple Virtual Routers sharing the same INSIDE zone? Possible?

James — Mon, 28 Feb 2011 17:11:02 GMT

Hi There,

This is possible:

An interface cannot be in two virtual routers - however, you can have sub-interfaces in different virtual routers.

So you can put a physical/logical interface from the new virtual router into the LAN and have routes to that IP for the new DMZ. This interface would be on the same subnet, but different IP, to the other interface already in this LAN.

Alternatively, you can move to PAN-OS 4.0.x and make use of one of two features:

virtual router to virtual router routing
PBF to virtual system and have the "New Network" in a new virtual system.

Thanks

James

Re: Multiple Virtual Routers sharing the same INSIDE zone? Possible?

dagibbs — Mon, 28 Feb 2011 21:04:17 GMT

jsherlow wrote:

Hi There,

This is possible:

An interface cannot be in two virtual routers - however, you can have sub-interfaces in different virtual routers.

Alternatively, you can move to PAN-OS 4.0.x and make use of one of two features:

virtual router to virtual router routing
PBF to virtual system and have the "New Network" in a new virtual system.

Thanks

James

James.

Thanks for that - I can manage to put another IP on the "inside" interface without too much hassle - since I don't think I'm quite ready to upgrade to PanOS 4 yet, I'll most likely run with that.

Cheers.

Re: Multiple Virtual Routers sharing the same INSIDE zone? Possible?

James — Mon, 28 Feb 2011 22:57:33 GMT

Good Luck