- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-22-2014 03:14 AM
Hello.
I want to make the following network-diagram. Is it possible?
A Cisco Nexus Paloalto
VRF-1 ----------------------> eth1/1.1 | 1.1.1.1 | VR : default | trust
tag 10 |
|
VRF-2 <--------------------- eth1/1.2 | 2.2.1.1 | VR : default | untrust
tag 20
1. Traffics go into sub-interface eth1/1.1 with tag 10.
2. FW process routing and policing.
3. Traffics go out from sub-interface eth1/1.2 with tag 20.
Two sub-interfaces are on same physical interface.
Thanks,
KC Lee
10-22-2014 06:31 AM
Hello Cheon,
Yes this is possible. You have to make sure the following are in place:
-Layer3 subinterface eth1/1.1 configured for tag 10 , zone-x, ip-1.1.1.1/netmask
-Layer3 subinterface eth1/1.2 configured for tag 20 , zone-y, ip-2.2.1.1/netmask
-Security rules allowing traffic between zone x and y as required.
-optional-any other policies like nat etc.
Regards,
Dileep
10-22-2014 03:22 AM
Hi,
I think it is possible to work because sub-interfaces are different interface logically with tag number.
Thanks.
Regards,
Roh
10-22-2014 06:31 AM
Hello Cheon,
Yes this is possible. You have to make sure the following are in place:
-Layer3 subinterface eth1/1.1 configured for tag 10 , zone-x, ip-1.1.1.1/netmask
-Layer3 subinterface eth1/1.2 configured for tag 20 , zone-y, ip-2.2.1.1/netmask
-Security rules allowing traffic between zone x and y as required.
-optional-any other policies like nat etc.
Regards,
Dileep
10-22-2014 07:47 AM
Hi Cheon,
Its very much possible, too many customer has this implementation. Good thing is you dont have to configure any special routing because both the interfaces on PANW are on same VR.
Refer following document on sub-interfaces
How to Create Tagged Sub-Interfaces
Regards,
Hardik Shah
10-22-2014 10:22 AM
Also you can read Securing Inter VLAN Traffic for further information.
10-22-2014 06:59 PM
Wow~.
Thank you very much~ Roh, dreputi, hshah, panos.
My worry is broken by you and get good energy.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!