I currently have a palo alto that is connected to my switches.
The palo alto is configured as a virtual wire, and the WAN side of the palo alto is connected to VLAN 10, the LAN side is connected to VLAN11
This allows me to quickly move customers in that VLAN in front of or behind the firewall by just changing their access port on the switch.
Now I have another customer range that is using VLAN 20, and I want to create a firewalled VLAN 21 for them.
If I put my virtual wire in trunking mode, is there any way to tell the Palo Alto that VLAN 10 needs to be "patched" to VLAN 11 only, and VLAN 20 needs to be "patched" to VLAN 21 only?
Otherwise my solution obviously is not going to work.
Not sure what you mean by 'patched'. However if you are using multiple vlans, you could use sub-interfaces. I'm sure there is a reason you are using vwire instead of layer2 or 3?
To explain your question about patched, I have vlan 10 which is unprotected (in front of the palo) and vlan 11 which is protected (behind the palo)
So topology wise Switch
VLAN 10 <=> Palo Virtual Wire <=> Switch VLAN 11
Hosts in vlan 10 and vlan 11 use exactly the same IP addressen, and by simply changing the switch port on switch level, I can choose if the host needs to be firewalled yes or no,
The above example allow you to only connect vlan 10 to vlan 11.
Now what if I want to connect VLAN 10 to VLAN 11 and VLAN 20 to VLAN 21 over the same virtual wire
Switch Trunk 10,20 <=> Palo Virtual Wire <=> Switch Trunk 11, 21
Is there any want to tell the virtual wire that VLAN 10 and 11 are connected to eachother, and VLAN 20 and 21.
I hope this clarifies my setup.
Then subinterfaces are the way to go.
Hope that helps.
Thank you for your answer. So today I was looking at how to design and I have a question about the approach
I have interface ethernet1/3 configured as virtual wire with subinterface .500 and .600
I have interface ethernet1/4 configured as virtual wire with subinterface .501 and .601
Vlan 500 and 600 equal the internet/WAN side, vlan 501 and 601 equal the protected/firewall internal/LAN side
All traffic that arrives in VLAN 500 needs to be forwarded to VLAN 501
All traffic that arrives in VLAN 600 needs to be forwarded to VLAN 601
Should I create 2 seperate virtual wires between
1) interface ethernet1/3.500 and ethernet1/3.501
2) interface ethernet1/4.600 and ethernet1/3.601
Or should I create 1 virtual wire between interface ethernet1/3 and interace ethernet1/4, where I will allow vlan 500 and 600 to be trunked.
But in this second case, how am I going to define the flow that traffic from VLAN 500 needs to go to VLAN501?
Hope my question is clear.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!