PA-5050 8.1.11 Inter Vsys traffic

L2 Linker

PA-5050 8.1.11 Inter Vsys traffic

Hi all,

 

We got a Palo Alto 5050 active/passive HA configuration with two vsys with a lot of inter-vsys traffic.

Our DP1 is running at 100% during working hours.

 

I am convinced that the problem is that inter-vsys traffic can't be offloaded to hardware.

 

If I configure physical interfaces 1 and 2 to vsys1 (L3) and physical interfaces 3 and 4 to vsys2 (L3), connect them with a physical cable, aggregate these two links (port-channel) and route inter-vsys traffic over that physical link, would that be a good practice? Now traffic can be offloaded to HW.

 

Thank you for your feedback!

L4 Transporter

Re: PA-5050 8.1.11 Inter Vsys traffic

Hello @MarcelBolleboom,

If your environment only has 2 vsys and it won't get any bigger, that is one way to resolve the inter-vsys performance issue.

Do you have a diagram that can help us understand the problem?

Have you been able to identify the traffic pattern? Is there a specific zone/subnet in one vsys that all the systems from the other vsys need to access?

 

 

L2 Linker

Re: PA-5050 8.1.11 Inter Vsys traffic

Hi,

 

Thank you for your reply.

All internet traffic from the LAN uses the inter-vsys connection (red) for internet. The best way to tackle this would be to consolidate the two vsys into one, but that would be a large operation.

 

Inter vsys.png

L4 Transporter

Re: PA-5050 8.1.11 Inter Vsys traffic

How is the inter-vsys connection currently set up, and what does the proposed fix look like?

L2 Linker

Re: PA-5050 8.1.11 Inter Vsys traffic

Current: Direct inter-vsys routing between two vsys on the same physical device.

New: Using 4 interfaces (2 per vsys) and aggregating them to form a 2 Gbit link (UTP). SFP 10 Gbit interfaces are all in use. Traffic won't exceed 2 Gbit. Make it an L3 connection.

So, direct cables from one interface to another between two vsys on the same physical device.

L4 Transporter

Re: PA-5050 8.1.11 Inter Vsys traffic

Thanks! Let us know if the change helps!

L2 Linker

Re: PA-5050 8.1.11 Inter Vsys traffic

I will.
