https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254824#M72324 <P>Seems best way to do is&nbsp;</P><P>&nbsp;</P><P>create vwire for both uplink connections.</P><P>&nbsp;</P><P>here we will have 2 pair of vwires- Vwire INT and Vwire EXT</P><P>Two Zones trust and untrust</P><P>PA will pass all the LAG traffic&nbsp; to dis switch from both zone trust zones.</P><P>&nbsp;</P><P>As PA is passing traffic from both source interfaces of trust Zone and allowing return traffic from 2 dis switches we need to enable the option where PA allows asymm traffic</P><P>&nbsp;</P><PRE>set deviceconfig setting tcp asymmetric-path bypass<BR /># set deviceconfig setting session tcp-reject-non-syn no</PRE><P>&nbsp;</P> Sun, 24 Mar 2019 17:26:43 GMT MP18 2019-03-24T17:26:43Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254609#M72256 <P>&nbsp;</P><P>We have this setup for one site&nbsp;</P><P>&nbsp;</P><P>------Dis sw--------------Edge switch stack of 3 ----------40 users&nbsp;</P><P>&nbsp;</P><P>we need to move few users behind the PA&nbsp; .</P><P>&nbsp;</P><P>what can be best design for this as we only need to have 5 to 10 users behind the PA&nbsp; 850.?</P><P>&nbsp;</P><P>Should we connect small switch to the existing stack of switch ?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 22 Mar 2019 01:05:49 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254609#M72256 MP18 2019-03-22T01:05:49Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254620#M72260 <P>Hello,</P><P>How about a vlan and/or a subnet that routes via the PAN?</P><P>&nbsp;</P><P>I'm sure there are many different options. I would also love to hear what the community has to say.</P><P>&nbsp;</P><P>Regards,</P> Fri, 22 Mar 2019 02:30:42 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254620#M72260 OtakarKlier 2019-03-22T02:30:42Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254722#M72287 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;,</P><P>A dedicated VLAN that routes through the PA would be what I would do, as it doesn't require any additional hardware and should be easy to maintain and update. It also doesn't require that you have someone on-site to migrate connections over to the new switch, you simply update the port configuration and assign it to the new VLAN.&nbsp;</P> Fri, 22 Mar 2019 18:52:33 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254722#M72287 BPry 2019-03-22T18:52:33Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254731#M72289 <P>can we put this PA in vwire mode between the switches?</P><P>&nbsp;</P><P>curently edge switch has 2 upliks that go to dis switch.</P><P>&nbsp;</P><P>for the vwire to work it work in pairs</P><P>can i work with single connection for send and receive traffic?</P> Fri, 22 Mar 2019 19:23:16 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254731#M72289 MP18 2019-03-22T19:23:16Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254745#M72297 <P>Hello,</P><P>Can you provide a basic diagram? Somthing like:</P><P>&nbsp;</P><P>switch--&gt;router--&gt;PAN</P><P>&nbsp;</P><P>Please advise,</P> Fri, 22 Mar 2019 20:33:25 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254745#M72297 OtakarKlier 2019-03-22T20:33:25Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254748#M72299 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>,</P><P>If you only have a single connection to use on the PA you would be looking at doing a network TAP, which has limited capabilities, so I would really recommend the vwire setup if you want to do that.&nbsp;</P> Fri, 22 Mar 2019 20:44:15 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254748#M72299 BPry 2019-03-22T20:44:15Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254750#M72300 <P>But for Vwire I will need to set of cables right&nbsp; but in current setup it is not possible right?</P><P>&nbsp;</P><P>&nbsp;</P><P>here is diagram attached</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 22 Mar 2019 21:04:49 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254750#M72300 MP18 2019-03-22T21:04:49Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254751#M72301 <P>how can i add visio or pdf diagram ?</P><P>&nbsp;</P><P>system does not allow me</P> Fri, 22 Mar 2019 21:06:58 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254751#M72301 MP18 2019-03-22T21:06:58Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254753#M72302 <P>scrren shot of diagram</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19195i3ACA887B9D19CB64/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /></span></P> Fri, 22 Mar 2019 21:10:28 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254753#M72302 MP18 2019-03-22T21:10:28Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254758#M72306 <P>Hello,</P><P>Where is the PAN located in the diagram or is that your question?</P><P>&nbsp;</P><P>Please advies,</P> Fri, 22 Mar 2019 22:01:31 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254758#M72306 OtakarKlier 2019-03-22T22:01:31Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254776#M72309 <P>PAN will come between the edge switches and Dis switch.</P><P>&nbsp;</P> Sat, 23 Mar 2019 14:59:25 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254776#M72309 MP18 2019-03-23T14:59:25Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254778#M72311 <P>I have attached the diagram.</P><P>&nbsp;</P><P>PA will be in between edge and dis switch.</P><P>&nbsp;</P><P>Currenly edge switch o<STRONG><FONT color="#FF0000">nly has 1 layer 3 interfac</FONT></STRONG>e which is for sw management access.</P><P>&nbsp;</P><P>config on switch&nbsp;</P><P>&nbsp;</P><P>ip static-route 0.0.0.0/0 gateway 10.10.230.50-------------------------management network</P><P>10.10.230.x has vlan interface 3100</P><P>&nbsp;</P><P>Edge switch has trunk interface&nbsp; with link agg to dis switch&nbsp; carrying below vlans</P><P>&nbsp;</P><P>show 802.1q 1</P><P>Tagged VLANS Internal Description<BR />-------------+------------------------------------------+<BR />851 Raw 192.168.200.0<BR />3100 mgmt-subnet 10.10.230.0<BR />3203 corp-data-subnet 10.63.24.0<BR />3303 voice-subnet 10.63.26.0<BR />3403 corp-video-subnet 10.63.25.0</P><P>&nbsp;</P><P>&nbsp;</P><P>what config i will need on PA to allow traffic from edge switch to dis switch carrying trunk port with lacp?</P><P>&nbsp;</P> Sat, 23 Mar 2019 16:12:26 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254778#M72311 MP18 2019-03-23T16:12:26Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254811#M72317 <P>I have same problems. Who can help me?</P> Sun, 24 Mar 2019 08:08:54 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254811#M72317 BorisJones 2019-03-24T08:08:54Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254824#M72324 <P>Seems best way to do is&nbsp;</P><P>&nbsp;</P><P>create vwire for both uplink connections.</P><P>&nbsp;</P><P>here we will have 2 pair of vwires- Vwire INT and Vwire EXT</P><P>Two Zones trust and untrust</P><P>PA will pass all the LAG traffic&nbsp; to dis switch from both zone trust zones.</P><P>&nbsp;</P><P>As PA is passing traffic from both source interfaces of trust Zone and allowing return traffic from 2 dis switches we need to enable the option where PA allows asymm traffic</P><P>&nbsp;</P><PRE>set deviceconfig setting tcp asymmetric-path bypass<BR /># set deviceconfig setting session tcp-reject-non-syn no</PRE><P>&nbsp;</P> Sun, 24 Mar 2019 17:26:43 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/254824#M72324 MP18 2019-03-24T17:26:43Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/256453#M72755 <P>did the vwire setup and it worked great.</P> Sat, 06 Apr 2019 21:45:22 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/256453#M72755 MP18 2019-04-06T21:45:22Z https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/548721#M112018 <PRE>set deviceconfig setting tcp asymmetric-path bypass</PRE> <P>This helped me with a similar setup today. Thanks for sharing this!</P> Mon, 10 Jul 2023 06:53:06 GMT https://live.paloaltonetworks.com/t5/general-topics/moving-some-connections-to-the-new-pa/m-p/548721#M112018 PravinSingi 2023-07-10T06:53:06Z