Aggregate two physical ports and share amongst multiple VSYS?


L3 Networker

We have an old-fashioned flat network layout. We are looking at a significant network redesign and part of that is doing a proper security architecture and separating our servers from our userbase and separating server tiers (e.g. web, application, database) from each other. We also are a government that has several different verticals (e.g. health, public safety, public works, education) and we plan to design the network with these verticals being quasi-separate from each other.

 

In order to accomplish this, we are looking at acquiring a couple PA-5060 devices to put into an active/passive HA pair and then creating multiple VSYS inside the 5060, one for each service vertical (plus a general one).

 

Our network architect had a question regarding the capability of the PA-5060 with regards to port aggregation, VSYS, and physical port sharing between VSYS. Ideally, he would like to aggregate two of the 10 Gb SFP+ ports and have each VSYS be able to use these physical ports. It's okay if the method involves the creation of subinterfaces under the aggregate with individual, unique VLAN tags. For example a logical interface representing two aggregated physical interfaces with 15 subinterfaces, where 5 subinterfaces are assigned to VSYS #1, another 5 subinterfaces assigned to VSYS #2, and the last 5 assigned to VSYS #3 (for example).

 

Is this something that is possible?  It seems like it must be, as the PA-5060 supports up to 225 VSYS.  That would be impossible without some method of sharing physical ports between the VSYS as the 5060 only has 24 physical ports.

 

1 accepted solution

Accepted Solutions

L7 Applicator

You can do what you are planning.  The sub interfaces will get assigned to your vsys or virtual routers and you can share the physical port in the way you propose.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center


Thanks!

Can you please explain how it is possible? I would like to do the same thing. The physical interface can be associated with one vsys only. Also, I cannot remove the vsys association from the interface.

The parent aggregate ethernet "AE" group needs to be in one vsys.  You could either:

  1.) don't assign it to a virtual router and/or security zone, and don't give it an ip address... (like picture attached), or

  2.) assign it to a "dummy" vsys 

 

Capture.PNG
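
The layout discussed in this thread, sketched as PAN-OS configure-mode `set` commands. This is an added example, not taken from any of the posts: the port numbers, VLAN tags, addresses, zone names and virtual-router names are assumptions, and the `#` lines are annotations for the reader rather than CLI input.

```text
# Constructed example: every name, tag and address below is an assumption.

# Bundle two physical ports into one aggregate group.
set network interface ethernet ethernet1/21 aggregate-group ae1
set network interface ethernet ethernet1/22 aggregate-group ae1

# The parent ae1 gets no IP address, zone or virtual router here
# (option 1 in the reply above); only its tagged subinterfaces carry traffic.

# One tagged Layer 3 subinterface per segment, each with a unique VLAN tag.
set network interface aggregate-ethernet ae1 layer3 units ae1.101 tag 101
set network interface aggregate-ethernet ae1 layer3 units ae1.101 ip 10.1.101.1/24
set network interface aggregate-ethernet ae1 layer3 units ae1.201 tag 201
set network interface aggregate-ethernet ae1 layer3 units ae1.201 ip 10.2.201.1/24

# Assign each subinterface to exactly one vsys.
set vsys vsys1 import network interface ae1.101
set vsys vsys2 import network interface ae1.201

# Separate virtual router per vsys so routing tables are not shared.
set network virtual-router vr-vsys1 interface ae1.101
set network virtual-router vr-vsys2 interface ae1.201
set vsys vsys1 import network virtual-router vr-vsys1
set vsys vsys2 import network virtual-router vr-vsys2

# Zones are defined inside each vsys and reference only that vsys's subinterface.
set vsys vsys1 zone servers network layer3 ae1.101
set vsys vsys2 zone servers network layer3 ae1.201
```

With this layout the switch side of the aggregate is a trunk carrying VLANs 101 and 201, and the separation between verticals depends on each VLAN tag appearing in only one vsys. Check the exact command forms against the PAN-OS release in use before committing.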
