configuration help-vwire subinterfaces with different policies per vlans

L2 Linker

Hi all,

It's my first post here, so I hope someone can answer my question regarding vwire subinterfaces.

As I was looking through the older topics, the thing I want to achieve is similar to this:

https://live.paloaltonetworks.com/message/9679#9679

However, I want to use vwire subinterfaces instead of L2.

According to the course material it can be done.

Basically, I want to create different policies between different zones with vwire subinterfaces.

switch (trunk - allowed vlans 123,812) -------------- PAN (vwire LAN) ------------- (trunk) cisco ASA

I have 4 zones

Trust-LAN

Trust-NAVIS

Untrust-LAN

Untrust-NAVIS

With this configuration traffic can't pass the PAN (with "none" set as the security zone on the physical interface).

Traffic flows only if the main interface has a security zone assigned to it, but then all traffic is considered to be from this zone.

Can I differentiate vwire subinterfaces or not (I mean zones on subinterfaces)?

thx for help

L0 Member

Re: configuration help-vwire subinterfaces with different policies per vlans

Hello,

Not sure (I have not tested it yet), but it looks like you did not do a VLAN/vwire config for your subinterfaces?

Regards,

Seweryn

L2 Linker

Re: configuration help-vwire subinterfaces with different policies per vlans

Hi Seweryn,

What do you mean by not configuring a VLAN/vwire on subinterfaces?

As it is written in the coursebook, subinterfaces inherit the VLAN/vwire config from the main interface. I can set it on the main interface, but after that there is no choice for the subinterface to have the same vwire assignment (because this vwire was already used).

from the book:

Note that you do not specify the virtual wire object during the creation of the subinterface. Since the subinterface is built on an existing virtual wire interface, the virtual wire object is inherited from the parent interface. However, the subinterface and parent interface can be configured on different zones.

I have a vwire created (it's called LAN).

I have ethernet 1/1 assigned to LAN.

Then I have no option for the subinterface.

But I think this is not the problem. The main issue is that even though I've got different security zones assigned to the subinterfaces, the traffic flows only when the main interface is assigned to a zone as well. As a consequence the subinterfaces inherit it from the main interface (the proof is in the logs), so I can't differentiate traffic based on ZONES.

regards

Message was edited by: Przemyslaw Konitz

L0 Member

Re: configuration help-vwire subinterfaces with different policies per vlans

Przemek,

Please click on New Virtual Wire and create one for this subinterface. I did it for my PA-200 but can't test whether it works as expected.

Seweryn

L2 Linker

Re: configuration help-vwire subinterfaces with different policies per vlans

Great - it worked :smileyhappy:

After the modifications, what the book says is not true :smileyhappy:

Note that you do not specify the virtual wire object during the creation of the subinterface. Since the subinterface is built on an existing virtual wire interface, the virtual wire object is inherited from the parent interface. However, the subinterface and parent interface can be configured on different zones.

...

The subinterfaces allow you to separate and classify traffic into different zones by either VLAN tags or VLAN tags in conjunction with IP classifiers (address, range, or subnet.)

...

  • The main interface must be on a separate vwire object, and each one of the subinterfaces as well.
  • No VLAN tagging on the vwire!!! Only on the subinterfaces.
  • Only then are the subinterfaces seen as being on separate zones.

thx Seweryn

hope to be in touch

regards

Przemek
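The working arrangement the thread ends on, written out as PAN-OS CLI set commands. This is an added example, not configuration posted by anyone in the thread; the command syntax is from my own knowledge of the PAN-OS CLI and should be checked against your release, and the VLAN-to-zone mapping (123 = LAN zones, 812 = NAVIS zones), ethernet1/2 as the ASA-facing port, the parent zone names and the vwire names other than LAN are all assumptions.

```panos
# Assumed layout: ethernet1/1 faces the switch trunk, ethernet1/2 faces the ASA.
# Assumed mapping: VLAN 123 = Trust-LAN/Untrust-LAN, VLAN 812 = Trust-NAVIS/Untrust-NAVIS.
configure

# 1. Parent interfaces in virtual-wire mode, on their OWN virtual wire (the thread's "LAN").
#    Do not add VLAN tags to this parent vwire: if the parent claims the tagged frames,
#    they are logged in the parent's zone and the per-VLAN zones are never matched.
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire LAN interface1 ethernet1/1 interface2 ethernet1/2

# 2. One subinterface per VLAN on each side; the VLAN tag lives ONLY here.
set network interface ethernet ethernet1/1 virtual-wire units ethernet1/1.123 tag 123
set network interface ethernet ethernet1/2 virtual-wire units ethernet1/2.123 tag 123
set network interface ethernet ethernet1/1 virtual-wire units ethernet1/1.812 tag 812
set network interface ethernet ethernet1/2 virtual-wire units ethernet1/2.812 tag 812

# 3. Each subinterface pair gets its own virtual-wire object (names assumed).
set network virtual-wire vw-lan-123 interface1 ethernet1/1.123 interface2 ethernet1/2.123
set network virtual-wire vw-navis-812 interface1 ethernet1/1.812 interface2 ethernet1/2.812

# 4. Zones. The parents get a dedicated zone of their own (names assumed) so that any
#    untagged traffic never lands in one of the four policy zones...
set zone vwire-parent-trust network virtual-wire ethernet1/1
set zone vwire-parent-untrust network virtual-wire ethernet1/2
#    ...and the four policy zones are bound to the subinterfaces only.
set zone Trust-LAN network virtual-wire ethernet1/1.123
set zone Untrust-LAN network virtual-wire ethernet1/2.123
set zone Trust-NAVIS network virtual-wire ethernet1/1.812
set zone Untrust-NAVIS network virtual-wire ethernet1/2.812

# 5. Policy can now be written per VLAN by zone pair; example rules (names assumed).
set rulebase security rules allow-lan from Trust-LAN to Untrust-LAN source any destination any application any service application-default action allow
set rulebase security rules allow-navis from Trust-NAVIS to Untrust-NAVIS source any destination any application any service application-default action allow

commit
```

After the commit, the traffic log should show the zone pairs Trust-LAN/Untrust-LAN and Trust-NAVIS/Untrust-NAVIS rather than the parent's zone; if it still shows the parent, re-check that no VLAN tag is configured on the parent virtual wire.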
