PA-5050 8.1.11 Inter Vsys traffic


L2 Linker

Hi all,

 

We got a Palo Alto 5050 active/passive HA configuration with two vsys with a lot of inter-vsys traffic.

Our DP1 is running at 100% during working hours.

 

I am convinced that the problem is that inter-vsys traffic can't be offloaded to hardware.

 

If I configure physical interfaces 1 and 2 to vsys1 (L3) and physical interfaces 3 and 4 to vsys2 (L3), connect them with a physical cable, aggregate these two links (port-channel) and route inter-vsys traffic over that physical link, would that be a good practice? Now traffic can be offloaded to HW.

 

Thank you for your feedback!

6 REPLIES

L4 Transporter

Hello @MarcelBolleboom,

 

If your environment only has 2 vsys and it won't get any bigger, that is one way to resolve the inter-vsys performance issue.

 

Do you have a diagram that can help us understand the problem?

Have you been able to identify the traffic pattern? Is there a specific zone/subnet in one vsys that all the systems from the other vsys need to access?

 

 

Hi,

 

Thank you for your reply.


All internet traffic from the LAN uses the inter-vsys connection (red) for internet. Best way to tackle this would be to consolidate the two vsys to one but that would be a large operation.

 

Inter vsys.png

How is the inter-vsys connection currently set up, and what does the proposed fix look like?

Current: Direct inter vsys routing between two vsys on same physical device.

New: Using 4 interfaces (2 per vsys) and aggregate them to form a 2 Gbit link (UTP). SFP 10 Gbit interfaces are all in use. Traffic won't exceed 2 Gbit. Make it a L3 connection.

 

So, direct cables from one interface to another between two vsys on same physical device.

Thanks! Let us know if the change helps!

I will
