topic Re: vwire using a single physical interface possible? in General Topics

vwire using a single physical interface possible?

networkadmin — Sat, 30 Jul 2016 14:23:07 GMT

Right now we use a standard vwire with 2 physical interfaces.

We're about to make some hardware changes that means that the vwire input and output will be from/to the same physical switch.

If I have to use 2 interfaces then on that switch I'll just be using two untagged ports from/to the appropriate VLANs on the switch.

But do I have to use 2 physical interfaces? Is it possible to use a single physical interface with subinterfaces (I think that's the magic word?) so the input and output are simply tagged across the one physical link?

Apologies if my terminology is way off here, but hopefully I've explained it well enough, if any clarification is needed please just ask 🙂

Re: vwire using a single physical interface possible?

jvalentine — Sat, 30 Jul 2016 15:39:33 GMT

A v-wire requires exactly two physical interfaces.

What you're asking for can be accomplished using a single L2 interface on the firewall and enabling vlan tag rewrite. In essence you are bridging two vlans together.

Re: vwire using a single physical interface possible?

networkadmin — Sat, 30 Jul 2016 19:22:58 GMT

@jvalentine wrote:
A v-wire requires exactly two physical interfaces.

What you're asking for can be accomplished using a single L2 interface on the firewall and enabling vlan tag rewrite. In essence you are bridging two vlans together.

Thanks, bit confused now as you said it requires two physical interfaces then suggested it can be done with one? 🙂

If it needs 2 in order to be supported so be it, just frustrating when it's using NICs and all going into the same switch...

Re: vwire using a single physical interface possible?

jvalentine — Sat, 30 Jul 2016 20:43:47 GMT

You can't use a "virtual-wire" in this scenario, as a v-wire requires exactly 2 interfaces... no more, no less.

You can use an "L2" interface to perform what you're requesting.

They're two different interface modes with different capabilities and limitations.

Re: vwire using a single physical interface possible?

networkadmin — Sun, 31 Jul 2016 08:04:46 GMT

OK thanks, is there any easy and supported way to combine everything across a single physical link between the switch and the PAN?

Essentially I would have:

L3 interface/subinterface between PAN and switch

L2 interface to inspect

I'm guessing L2 and L3 cannot be mixed on the same physical interfacel which makes sense and hopefully the topology will be changing fairly soon to accomodate this so we don't need to be doing it at all.

Re: vwire using a single physical interface possible?

santonic — Mon, 01 Aug 2016 09:31:51 GMT

VirtualWire is L1 and always requires pair of ports.

Correct, you can't mix L2 and L3 on same interface.

And yes, you can make L2 subinterfaces and assign to different VLANs.

I'm not sure I understant correctly your scenario tho. If you already have L3 (trunk) interface to PA why don't you just move those 2 networks you wish to inspect and secure to PA instead of them being on L3 switch?

Re: vwire using a single physical interface possible?

santonic — Mon, 01 Aug 2016 10:59:31 GMT

Document for PAN-OS 4.0 but it should still work:

https://live.paloaltonetworks.com/t5/Documentation-Articles/Securing-Inter-VLAN-Traffic/ta-p/54749

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/188/1/Layer2_Networking-PAN-OS-revB.pdf