Overlapping Vwires - is it possible?


L1 Bithead

Got a situation where the deployment requires (in very basic terms):

VWIRE1 = Ethernet1/1 and Ethernet1/2

VWIRE2 = Ethernet1/2 and Ethernet1/3

Now this is not exactly 'standard' practice - but is it possible?

9 REPLIES 9

L5 Sessionator

This is not supported.

BR,

Karthik

L5 Sessionator

No, this deployment is not possible, as the basic concept behind vwire is that if we receive packets on one interface, we transmit the packet out the interface which belongs to the same vwire. So in your scenario, if a packet is received on eth1/2, it won't know which interface to transmit it out. Also, the fw won't let you select eth1/2 to be part of the 2nd vwire.

L7 Applicator

No, it is not possible.

Reference guide https://live.paloaltonetworks.com/docs/DOC-1165

Thanks

L1 Bithead

Thanks so much for the feedback everyone!!

Can't you do it with 2 different VSYS?

Like so:

--- VSYS1 ( VWIRE1 ( eth1/1 - eth1/2 ) )  --- VSYS2 ( VWIRE2 ( eth1/3 - eth1/4 ) ) ---

--- = physical cable

This way a cable goes into eth1/1, then another cable connects eth1/2 with eth1/3 and finally a third cable goes from eth1/4.

The drawback is of course that you will only have roughly half the number of concurrent sessions (because a single session will eat one entry in VSYS1 and a second entry in VSYS2).

Good point,

so what will be the difference if you use 1 vsys, 3 cables and 2 vwires

eth1 eth2

eth3 eth4

connect eth2 and eth3 with a cable?

Interesting thought, that :)

Unfortunately dealing with a PA-500 - so no VSYS :(

L4 Transporter

Would this work if you used Vwire sub interfaces on the eth1/2 interface?

VWire1 = 1/1 and eth1/2.10

Vwire2 = eth1/2.20 to Eth1/3?

You would essentially add a VLAN tag to the 2.10 interface, send it down to your router, which would then send it back to the FW on a different vlan (routing between vlans, what a concept) then the router forwards the traffic to the 2.20 interface and to eth 1/3?

Thoughts on this from the community please?

Thanks

L1 Bithead

Just a little bit of feedback in resolution of the problem encountered. Basically the actual issue never ended up being overlapping Vwires at all.

The actual issue was that VLANs on the network were not passing through - because the default behaviour of vwires is to allow untagged traffic through, not tagged!

So by going into the configuration of each of the vwires, and setting it to allow all tags, it all worked beautifully :)
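
An offline check for the two conditions discussed in this thread (an interface assigned to more than one vwire, and a vwire that would not pass the VLAN tags the network needs), added here as an example and not posted by anyone in the thread. The XML element names (`interface1`, `interface2`, `tag-allowed`) are assumed to match an exported PAN-OS configuration, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread. Element names (interface1,
# interface2, tag-allowed) are assumed to match a PAN-OS XML config export.
SAMPLE = """
<network><virtual-wire>
  <entry name="VWIRE1"><interface1>ethernet1/1</interface1>
    <interface2>ethernet1/2</interface2></entry>
  <entry name="VWIRE2"><interface1>ethernet1/2</interface1>
    <interface2>ethernet1/3</interface2><tag-allowed>0-4094</tag-allowed></entry>
  <entry name="VWIRE3"><interface1>ethernet1/4</interface1>
    <interface2>ethernet1/5</interface2><tag-allowed>10,20-30</tag-allowed></entry>
</virtual-wire></network>
"""

def parse_tags(spec):
    """Expand a tag spec such as '0,10,20-30' into a set of VLAN IDs (0 = untagged)."""
    tags = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        tags.update(range(int(lo), int(hi or lo) + 1))
    return tags

def audit(xml_text, needed_vlans=()):
    """List interfaces shared between vwires and vwires that would drop needed VLANs."""
    findings, owner = [], {}
    for vw in ET.fromstring(xml_text).findall(".//virtual-wire/entry"):
        name = vw.get("name")
        for key in ("interface1", "interface2"):
            ifc = vw.findtext(key)
            if ifc in owner:
                findings.append(f"{ifc} is in both {owner[ifc]} and {name}")
            owner.setdefault(ifc, name)
        # Assumption: a missing tag-allowed element means the default, untagged only.
        allowed = parse_tags(vw.findtext("tag-allowed") or "0")
        blocked = sorted(set(needed_vlans) - allowed)
        if blocked:
            findings.append(f"{name} does not pass VLAN tags {blocked}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, needed_vlans=[10, 20]):
        print(line)
```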
