We have a PA-5220 firewall cluster which is running multiple V-SYS itself. The firewall is connected to the upstream router through a port channel. On the upstream router, VLAN 10 is allocated to the WAN-IP range. I need to extend that VLAN 10 to V-SYS A and V-SYS B so I can assign the respective public IP addresses to the different V-SYS systems. I tried to create sub-interfaces with the same VLAN tag and it failed. Can anyone propose a different approach to resolve this challenge?
Please refer to the attached diagram for reference.
Hi @cloudmansamjay02 ,
I haven't tested this myself but found a discussion on the same topic:
Looks like the same VLAN-ID cannot exist in multiple subinterfaces under 1 physical interface. As per the last comment in that discussion, the only workaround is to create the same VLAN-ID under multiple physical interfaces in order to assign multiple vsys(es) to the same VLAN.
Hope this helps,
In such a case I'd set the switch to transmit that VLAN ID natively (untagged) on the 2 ports used by the different vsys (you will need 2 physical interfaces for this); that way both vsys are able to access that same network.
Hope this helps
That's going to be tricky and may depend on your switch's ability to have the same VLAN native and tagged in the same trunk. If your switch is capable of doing that, you could have one tagged and one untagged way into the VLAN.
The alternative is to configure a 'shared gateway' for the VLAN; that will limit your functionality but it will allow multiple vsys access to the same VLAN.
This is an old thread, but I will post my solution in case someone wanders here.
An interface can only be in 1 vsys. See step 3 -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/virtual-systems/configure-virtual-systems.
Each vsys will need a separate interface (or LAG for redundancy). Each interface can have as many subinterfaces as needed. In the case above with only 1 connection to the ISP, the customer needs to add a L2 switch to split the 1 connection to 2, very similar to an HA deployment.