Connect same VLAN to multiple V-SYS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Connect same VLAN to multiple V-SYS

L1 Bithead

Hi All,

 

We have a PA-5220 firewall cluster which has running multiple V-SYS itself. The firewall is connected to the up stream router thru a port channel. On the up-stream router VLAN 10 is allocated to the WAN-IP range. I need to extend that VLAN 10 to the V-SYS A and V-SYS B so I can can assign the respective public IP addresses to the different V-SYS systems. I tried to create sub-interfaced with the same VLAN tag and it was failed. Any one can propose a different approach to resolve this challenge ?

 

Please refer the attached Diagram for reference. 

6 REPLIES 6

Community Team Member

Hi @cloudmansamjay02 ,

 

I haven't tested this myself but found a discussion on the same topic:

https://live.paloaltonetworks.com/t5/general-topics/subinterfaces-with-same-vlan-tag/td-p/194570

 

Looks like the same VLAN-ID cannot exist in multiple subinterface under 1 physical interface.  As per the last comment in that discussion the only workaround is to create the same VLAN-ID under multiple physical interfaces in order to assign to multiple vsys(es) to the same VLAN.

 

Hope this helps,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi,

 

Thank you for the swift response. I have already seen those topic and unfortunately it seems this is a limitation of the Paloalto platform. However, I am looking a workaround to address this issue if anyone can shed some lights.

Cyber Elite
Cyber Elite

in such a case i'd set the switch to transmit that vlan ID natively (untagged) on the 2 ports used (you will need 2 physical interfaces for this) by the different vsys, that way both vsys are able to access that same network

 

 

hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L1 Bithead

Hi @reaper ,

 

Thank you very much for your in-put. But connecting it via another physical port is not option at this stage because, we do not have any free physical ports. So in that case, do u think I do not have any other alternatives ?

Cyber Elite
Cyber Elite

that's going to be tricky and may depend on your switch's ability to have the same vlan native and tagged in the same trunk. if your switch is capable of doing that you could have one tagged and one untagged way into the vlan

 

the alternative is to configure a 'shared gateway' for the vlan, that will limit your functionality but it will allow multiple vsys access to the same vlan

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

This is an old thread, but I will post my solution in case someone wanders here.

 

An interface can only be in 1 vsys.  See step 3 -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/virtual-systems/configure-virtual-systems.

 

Each vsys will need a separate interface (or LAG for redundancy).  Each interface can have as many subinterfaces as needed.  In the case above with only 1 connection to the ISP, the customer needs to add a L2 switch to split the 1 connection to 2, very similar to an HA deployment.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 3961 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!