topic Virtual wire with Vlan trunking and vlan mapping in General Topics

Virtual wire with Vlan trunking and vlan mapping

CobaltGroup — Mon, 08 Jul 2019 15:13:36 GMT

Hi all,

I currently have a palo alto that is connected to my switches.

The palo alto is configured as a virtual wire, and the WAN side of the palo alto is connected to VLAN 10, the LAN side is connected to VLAN11

This allows me to quickly move customers in that VLAN in front of or behind the firewall by just changing their access port on the switch.

Now I have another customer range that is using VLAN 20, and I want to create a firewalled VLAN 21 for them.

If I put my virtual wire in trunking mode, is there any way to tell the Palo Alto that VLAN 10 needs to be "patched" to VLAN 11 only, and VLAN 20 needs to be "patched" to VLAN 21 only?

Otherwise my solution obviously is not going to work.

Any recommendations?

Thanks

Re: Virtual wire with Vlan trunking and vlan mapping

OtakarKlier — Mon, 08 Jul 2019 20:01:51 GMT

Hello,

Not sure what you mean by 'patched'. However if you are using multiple vlans, you could use sub-interfaces. I'm sure there is a reason you are using vwire instead of layer2 or 3?

Regards,

Re: Virtual wire with Vlan trunking and vlan mapping

CobaltGroup — Tue, 09 Jul 2019 11:51:42 GMT

To explain your question about patched, I have vlan 10 which is unprotected (in front of the palo) and vlan 11 which is protected (behind the palo)

So topology wise Switch

VLAN 10 <=> Palo Virtual Wire <=> Switch VLAN 11
Hosts in vlan 10 and vlan 11 use exactly the same IP addressen, and by simply changing the switch port on switch level, I can choose if the host needs to be firewalled yes or no,

The above example allow you to only connect vlan 10 to vlan 11.

Now what if I want to connect VLAN 10 to VLAN 11 and VLAN 20 to VLAN 21 over the same virtual wire

Switch Trunk 10,20 <=> Palo Virtual Wire <=> Switch Trunk 11, 21

Is there any want to tell the virtual wire that VLAN 10 and 11 are connected to eachother, and VLAN 20 and 21.

I hope this clarifies my setup.

Re: Virtual wire with Vlan trunking and vlan mapping

OtakarKlier — Tue, 09 Jul 2019 13:22:03 GMT

Hello,

Then subinterfaces are the way to go.

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/virtual-wire-subinterfaces.html

Hope that helps.

Re: Virtual wire with Vlan trunking and vlan mapping

CobaltGroup — Mon, 15 Jul 2019 14:22:35 GMT

Thank you for your answer. So today I was looking at how to design and I have a question about the approach

I have interface ethernet1/3 configured as virtual wire with subinterface .500 and .600

I have interface ethernet1/4 configured as virtual wire with subinterface .501 and .601

Vlan 500 and 600 equal the internet/WAN side, vlan 501 and 601 equal the protected/firewall internal/LAN side

All traffic that arrives in VLAN 500 needs to be forwarded to VLAN 501

All traffic that arrives in VLAN 600 needs to be forwarded to VLAN 601

Should I create 2 seperate virtual wires between

1) interface ethernet1/3.500 and ethernet1/3.501

2) interface ethernet1/4.600 and ethernet1/3.601

Or should I create 1 virtual wire between interface ethernet1/3 and interace ethernet1/4, where I will allow vlan 500 and 600 to be trunked.

But in this second case, how am I going to define the flow that traffic from VLAN 500 needs to go to VLAN501?

Hope my question is clear.

Re: Virtual wire with Vlan trunking and vlan mapping

jasloan — Fri, 27 Mar 2020 12:26:41 GMT

I'm sure you found your answer but to close this out, you can't bridge vlans in a vWire implementation, what you are looking for is a Layer 2 implementation and you can bridge the vlans together. vWire send traffic out with the same tags which it receives.