03-19-2023 09:56 PM - edited 03-19-2023 09:58 PM
Hi All,
We have a PA-5220 firewall cluster which runs multiple V-SYS. The firewall is connected to the upstream router through a port channel. On the upstream router, VLAN 10 is allocated to the WAN IP range. I need to extend that VLAN 10 to V-SYS A and V-SYS B so I can assign the respective public IP addresses to the different V-SYS. I tried to create sub-interfaces with the same VLAN tag and it failed. Can anyone propose a different approach to resolve this challenge?
Please refer to the attached diagram for reference.
03-21-2023 02:09 AM
Hi @cloudmansamjay02 ,
I haven't tested this myself but found a discussion on the same topic:
https://live.paloaltonetworks.com/t5/general-topics/subinterfaces-with-same-vlan-tag/td-p/194570
Looks like the same VLAN-ID cannot exist in multiple subinterfaces under 1 physical interface. As per the last comment in that discussion, the only workaround is to create the same VLAN-ID under multiple physical interfaces in order to assign multiple vsys(es) to the same VLAN.
Hope this helps,
-Kiwi.
03-23-2023 12:51 AM
Hi,
Thank you for the swift response. I have already seen that topic and unfortunately it seems this is a limitation of the Palo Alto platform. However, I am looking for a workaround to address this issue if anyone can shed some light.
03-23-2023 01:44 AM
In such a case I'd set the switch to transmit that VLAN ID natively (untagged) on the 2 ports used by the different vsys (you will need 2 physical interfaces for this). That way both vsys are able to access that same network.
Hope this helps.
03-23-2023 09:49 PM
Hi @reaper ,
Thank you very much for your input. But connecting it via another physical port is not an option at this stage because we do not have any free physical ports. So in that case, do you think I do not have any other alternatives?
04-17-2023 04:02 AM
That's going to be tricky and may depend on your switch's ability to have the same VLAN native and tagged in the same trunk. If your switch is capable of doing that, you could have one tagged and one untagged way into the VLAN.
The alternative is to configure a 'shared gateway' for the VLAN. That will limit your functionality, but it will allow multiple vsys access to the same VLAN.
04-17-2023 07:16 AM
This is an old thread, but I will post my solution in case someone wanders here.
An interface can only be in 1 vsys. See step 3 -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/virtual-systems/configure-virtual-systems.
Each vsys will need a separate interface (or LAG for redundancy). Each interface can have as many subinterfaces as needed. In the case above with only 1 connection to the ISP, the customer needs to add a L2 switch to split the 1 connection to 2, very similar to an HA deployment.
Thanks,
Tom
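Added example, not code from the thread or from Palo Alto Networks: a small Python check that applies the two constraints the replies identify (a VLAN tag may appear only once under one parent interface, and a parent interface belongs to only one vsys) to a proposed interface plan before anyone attempts the commit. The interface names `ae1`, `ethernet1/1` and `ethernet1/2` are constructed sample values.

```python
from collections import defaultdict

# Constructed sample: the design from the question (one port channel carrying
# VLAN 10 for both vsys) and the layout Tom describes (one interface per vsys).
# Each entry: (parent interface, VLAN tag or None for untagged, vsys name)
PROPOSED = [
    ("ae1", 10, "vsys1"),
    ("ae1", 10, "vsys2"),   # same tag on the same parent: rejected by PAN-OS
]

REVISED = [
    ("ethernet1/1", 10, "vsys1"),
    ("ethernet1/2", 10, "vsys2"),  # separate physical interface per vsys
]


def check_design(entries):
    """Return a list of violations of the two constraints from the thread:
    (1) one VLAN tag per parent interface, (2) one vsys per parent interface
    (a subinterface inherits its parent's vsys membership)."""
    problems = []
    tags_per_parent = defaultdict(set)
    vsys_per_parent = defaultdict(set)
    for parent, tag, vsys in entries:
        if tag in tags_per_parent[parent]:
            problems.append(f"{parent}: VLAN tag {tag} already used on this interface")
        tags_per_parent[parent].add(tag)
        vsys_per_parent[parent].add(vsys)
    for parent, vsyses in vsys_per_parent.items():
        if len(vsyses) > 1:
            problems.append(f"{parent}: assigned to more than one vsys {sorted(vsyses)}")
    return problems


if __name__ == "__main__":
    for name, design in (("proposed", PROPOSED), ("revised", REVISED)):
        found = check_design(design)
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```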