https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/301932#M78741 <P>Since your devices are using link aggregation, have you considered adding your vwire interfaces as an aggregate interfaces as well?<BR /><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/aggregated-interfaces-for-a-virtual-wire" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/aggregated-interfaces-for-a-virtual-wire</A><BR /><BR />If for whatever reason you can't do this, do you need to have four separate security zones?&nbsp; Could you put both "outside" interfaces in one security zone, and both "inside" interfaces in another, and use a single security policy?</P> Tue, 03 Dec 2019 17:59:05 GMT OwenFuller 2019-12-03T17:59:05Z https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/301922#M78737 <P>&nbsp;</P><P>We have stack of 2 edge switch and stack of 2 distribution switches.</P><P>We have linkagg containing 2 ports running between them.</P><P>IT is layer 2 connection only between edge and distro.</P><P>Also we have MAnagement vlan on switch so that users can access it remotely</P><P>&nbsp;</P><P>Need to put PA in vwire mode.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vwire.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/22775i1EABFA53F11F91F7/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="vwire.png" alt="vwire.png" /></span></P><P>So for vwire</P><P>&nbsp;</P><P>I will have two pair of vwires and i will need to have&nbsp;</P><P>&nbsp;</P><P>4 zones and two security polices to traffic flows from edge switch to distro.</P><P>&nbsp;</P><P>if i need to ssh to edge switch then traffic flow is via the distribution switch in that case i need to allow ssh rule from both vwires as i do not know PA will use which physical link right?</P><P>&nbsp;</P> Tue, 03 Dec 2019 17:20:20 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/301922#M78737 MP18 2019-12-03T17:20:20Z https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/301932#M78741 <P>Since your devices are using link aggregation, have you considered adding your vwire interfaces as an aggregate interfaces as well?<BR /><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/aggregated-interfaces-for-a-virtual-wire" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/aggregated-interfaces-for-a-virtual-wire</A><BR /><BR />If for whatever reason you can't do this, do you need to have four separate security zones?&nbsp; Could you put both "outside" interfaces in one security zone, and both "inside" interfaces in another, and use a single security policy?</P> Tue, 03 Dec 2019 17:59:05 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/301932#M78741 OwenFuller 2019-12-03T17:59:05Z https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/301983#M78744 <P>As far as i know vwire work in pairs.</P><P>So far have not like that putting different vwire in same zone.</P><P>&nbsp;</P><P>Do not know how that will work will see if someone recommend that ?</P><P>Benefit if having separte&nbsp; zones is that then you can see which port in linkagg uses amount of traffic.</P><P>As switch is doing hashing to use both ports of the linkagg to send traffic.</P> Tue, 03 Dec 2019 21:10:38 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/301983#M78744 MP18 2019-12-03T21:10:38Z https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/301993#M78747 <P>Yes, your vwires would still have pairs of interfaces, but that doesn't mean you are required to use four zones.&nbsp; To clarify my previous comment, you can have two separate vwires with the inside/outside Ethernet interfaces in the same zone:<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-12-03 15_48_10-PanoramaPWk01.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/22811iEF452BDBD40C9479/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2019-12-03 15_48_10-PanoramaPWk01.png" alt="2019-12-03 15_48_10-PanoramaPWk01.png" /></span><BR /><BR />You could also have one vwire with aggregate Ethernet interfaces:<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2019-12-03 16_09_34-PanoramaPWk01.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/22812iFFDF77C2FCBB5064/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2019-12-03 16_09_34-PanoramaPWk01.png" alt="2019-12-03 16_09_34-PanoramaPWk01.png" /></span></P><P>&nbsp;</P><P>Each option offers some advantages and disadvantages of course, and may or may not work for your situation.</P> Tue, 03 Dec 2019 22:18:48 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/301993#M78747 OwenFuller 2019-12-03T22:18:48Z https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/303343#M78967 <P>Many thanks for answering my question!</P> Thu, 12 Dec 2019 05:40:51 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-connection-between-edge-and-distribution-switch/m-p/303343#M78967 MP18 2019-12-12T05:40:51Z