Routing between Virutal Systems with a VWIRE

Reply
Highlighted
Not applicable

Routing between Virutal Systems with a VWIRE

We currently have our Main PA configured in a VWIRE deployment with a TRUST and UNTRUST Zone.  We have many different VLANs on our network and the default route for all internet bound traffic passes through the VWIRE.

We want to configure multiple VSYS on the PA for our different divisions. Example VSYS1 - Enterprise, VSYS2 - Retail, VSYS3 - Public, etc. with a Shared Gateway.

Is it possible to configure the PA so that the VWIRE stays in place and as traffic passes through direct that traffic to the other VSYS based on VLAN id in order to apply security policies and then that VSYS would send the traffic to the Shared Gateway out to the internet?

In other words if Packet A has VLAN 10 stay with VSYS1 and apply security policy if Packet B has VLAN 20 send to VSYS2 and apply VSYS2 security policy then send Packet A and Packet B to the shared gateway.

Not applicable

Re: Routing between Virutal Systems with a VWIRE

Would we need to go away from VWIRE and go to a LAYER 3 type deployment using sub-interfaces and VLAN tagging?

Also note that each VLAN is on its own unique IP-Subnet.

L6 Presenter

Re: Routing between Virutal Systems with a VWIRE

You could setup it this way if you still want to keep the VWIRE (just an example):

VSYS1: int0, int1
VSYS2: int2, int3

and then in the switch before and after your PAN split up which VLAN will be sent through which VSYS like so:

internal-switch (VLAN10) gi0/1 -> PAN int0
internal-switch (VLAN20) gi0/2 -> PAN int2

external-switch (VLAN10) gi0/1 -> PAN int1
external-switch (VLAN20) gi0/2 -> PAN int3

But I would recommend you switch to a layer3 type deployment. Using VWIRE (in my opinion) is more of a IDP/IPS scenario rather than having the PAN taking more decisions regarding what the nexthop should be and stuff like that.

You can still use VSYS with layer3 deployment, actually it will in some way better utilize the interfaces available (comparing to just use a single interface for all traffic connected to the uplink) and it will also minimize rules needed in each VSYS if you for example split up so one VSYS will be for webbrowsing while the other VSYS will be used for handling your regular production based traffic like email, DMZ etc.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!