This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

configuration help-vwire subinterfaces with different policies per vlans

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

configuration help-vwire subinterfaces with different policies per vlans

Go to solution
pkonitz
L2 Linker

‎04-15-2013 05:28 AM

     Hi all,

Its my first post here so I hope someone can answer my question regarding vwire subinterfaces.

As I was looking through the older topics the thing I want to achieve is similar to this.

https://live.paloaltonetworks.com/message/9679#9679

however I want to use vwire subinterfaces instead of L2.

According to course material it can be done.

Basicly I want to create differnet policies between different zones with vwire subinterface.

switch (trunk - allowed vlans 123,812) -------------- PAN (vwire LAN) ------------- (trunk) cisco ASA

I have 4 zones

Trust-LAN

Trust-NAVIS

Untrust-LAN

Untrust-NAVIS

ScreenShot001.bmp

with this configuration traffic can't pass the PAN (with "none" set as security zone on physical interface)

traffic flows only if the main interfaces has a security zone assigned to it, but then all traffic is considered to be from this zone.

ScreenShot002.bmp

Can I differentiate vwire subinterfaces or not ( I mean zones on subinterfaces)?

thx for help

1 accepted solution

Accepted Solutions

Go to solution
sjodlowski
L0 Member
In response to pkonitz

‎04-17-2013 01:30 AM

Przemek,

Please click on New Virtual Wire and create one for this subinterface. I did it for my PA-200 but can't test if it works as expected.

Seweryn

2013-04-17 10.23.40 am.png

2013-04-17 10.23.17 am.png

View solution in original post

4 REPLIES 4

Go to solution
sjodlowski
L0 Member

‎04-17-2013 12:55 AM

Hello,

Not sure (have not tested yet) but it looks like you did not do a VLAN/vwire config for your subinterfaces?

Regards,

Seweryn

0 Likes Likes

Go to solution
pkonitz
L2 Linker
In response to sjodlowski

‎04-17-2013 01:12 AM

Hi Seweryn,

What do u mean by not configuring a Vlan/vwire on subinterfaces?

As it is written in coursebook subinterfaces inherits vlan/vwire config from main interface. I can set it on the main interface but after that there is no choice for subinterface to have the same vwire assigment (casue this vwire was already used)

from the book:

Note that you do not specify the virtual wire object during the creation of the subinteface. Since the subinterface is built on an existing virtual wire interface, the virtual wire object is inherited from parent interface. However, the subinterface and parent interface can be configured on different zones

I have vwire crated (its called LAN)

ScreenShot008.bmp

have ethernet 1/1 assigned to LAN.

ScreenShot010.bmp

then have no option for subinterface.

ScreenShot009.bmp

But i think this in not the problem. The main issue is that even though I've got different security zones assigned to subinterfaces the traffic flows only when main interfaces is assigned to it as well. As a consequence subinterfaces inherits it from main interface (the proof is in logs) so I cant diferentiate traffic based on ZONES.

regards

Message was edited by: Przemyslaw Konitz

0 Likes Likes

Go to solution
sjodlowski
L0 Member
In response to pkonitz

‎04-17-2013 01:30 AM

Przemek,

Please click on New Virtual Wire and create one for this subinterface. I did it for my PA-200 but can't test if it works as expected.

Seweryn

2013-04-17 10.23.40 am.png

2013-04-17 10.23.17 am.png

Go to solution
pkonitz
L2 Linker
In response to sjodlowski

‎04-17-2013 02:19 AM

great - it worked Smiley Happy

after modifications

ScreenShot011.bmp

ScreenShot012.bmp

so this is not true what the book says  Smiley Happy

Note that you do not specify the virtual wire object during the creation of the subinteface. Since the subinterface is built on an existing virtual wire interface, the virtual wire object is inherited from parent interface. However, the subinterface and parent interface can be configured on different zones


...


The subinterfaces allow you to separate and classify traffic into different zones by either VLAN tags or VLAN tags in conjunction with IP classifiers (address, range, or subnet.)


...

  • the main interface must be on separate vwire object and each one of the subinterfaces as well.
  • No vlan tagging on Vwire !!! only on subinterfaces
  • only then subinterfaces are seen as being on separeted zones

ScreenShot013.bmp

thx Seweryn

hope to be in touch

regards

Przemek

  • 1 accepted solution
  • 6887 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks