We have an old fashioned flat network layout. We are looking at a significant network redesign and part of that is doing a proper security architecture and separating our servers from our userbase and separating server tiers (e.g. web, application, database) from each other. We also are a government that has several different verticals (e.g. health, public safety, public works, education) and we plan to design the network with these verticals being quasi-separate from each other.
In order to accomplish this, we are looking at acquiring a couple PA-5060 devices to put into an active/passive HA pair and then creating multiple VSYS inside the 5060, one for each service vertical (plus a general one).
Our network architect had a question regarding the capability of the PA-5060 with regards to port aggregation, VSYS, and physical port sharing between VSYS. Ideally, he would like to aggregate two of the 10 Gb SFP+ ports and have each VSYS be able to use these physical ports. It's okay if the the method involves the creation of subinterfaces under the aggregate with individual, unique VLAN tags. For example a logical interface representing two aggregated physical interfaces with 15 subinterfaces, where 5 subinterfaces are assigned to VSYS #1, another 5 subinterfaces assigned to VSYS #2, and the last 5 assigned to VSYS #3 (for example).
Is this something that is possible? It seems like it must be, as the PA-5060 supports up to 225 VSYS. That would be impossible without some method of sharing physical ports between the VSYS as the 5060 only has 24 physical ports.
Solved! Go to Solution.
You can do what you are planning. The sub interfaces will get assigned to your vsys or virtual routers and you can share the physical port in the way you propose.
Can you please explain how is it possible? I would like to do the same thing. The physical interface can be associated with one vsys only. Also i cannot remove the vsys association from the interface.
The parent aggregate ethernet "AE" group needs to be in one vsys. You could either:
1.) don't assign it to a virtual router and/or security zone, and don't give it an ip address... (like picture attached), or
2.) assign it to a "dummy" vsys
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!