This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA-5050 8.1.11 Inter Vsys traffic

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA-5050 8.1.11 Inter Vsys traffic

MarcelBolleboom
L2 Linker

‎04-22-2020 01:18 AM - edited ‎04-22-2020 01:20 AM

Hi all,

 

We got a Palo Alto 5050 active/passive HA configuration with two vsys with a lot of inter-vsys traffic.

Our DP1 is running at 100% during working hours.

 

I am convinced that the problem is that inter-vsys traffic can't be offloaded to hardware.

 

If i configure physical interface 1 and 2 to vsys1 (L3) and physical interface 3 and 4 to vsys 2 (L3), connect them with a physical cable, aggregate these two links (port-channel) and route inter-vsys traffic over that physical link. Would that be a good practice? Now traffic can be offloaded to HW.

 

Thank u for your feedback!

0 Likes Likes
6 REPLIES 6

nextgenhappines
L4 Transporter

‎04-22-2020 05:06 AM

Hello @MarcelBolleboom   ,

 

If your environment only have 2 vsys  and it won't get any bigger.  That is one way to resolve the inter-vsys performance issue.   

 

Do you have a diagram that can help us understand the problem?    

 

Have you able to identify the traffic pattern?  Is there a specific zone/subnet in one vsys that all the systems from the other vsys need to access?  

 

 

0 Likes Likes

MarcelBolleboom
L2 Linker
In response to nextgenhappines

‎04-22-2020 05:29 AM

Hi,

 

Thank u for your reply.


All internet traffic from the LAN uses the inter-vsys connection (red) for internet. Best way to tackle this would be to consolidate the two vsys to one but that would be a large operation.

 

Inter vsys.png

0 Likes Likes

nextgenhappines
L4 Transporter
In response to MarcelBolleboom

‎04-22-2020 06:30 AM

How is the inter-vsys connection currently setup?    and the proposal fix look like?

0 Likes Likes

MarcelBolleboom
L2 Linker
In response to nextgenhappines

‎04-22-2020 07:00 AM

Current: Direct inter vsys routing between two vsys on same physical device.

New: Using 4 interfaces (2 per vsys) and aggregate them to form a 2 Gbit link (UTP). SFP 10 Gbit interfaces are all in use. Traffic won't exceed 2 Gbit. Make it a L3 connection.

 

So, direct cables from one interface to another between two vsys on same physical device.

0 Likes Likes

nextgenhappines
L4 Transporter
In response to MarcelBolleboom

‎04-22-2020 07:08 AM

thanks!  let's us know if the change helps!

0 Likes Likes

MarcelBolleboom
L2 Linker
In response to nextgenhappines

‎04-22-2020 07:17 AM

i will

0 Likes Likes
  • 4384 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks