02-01-2019 09:17 AM
Hi All.
I am in a postion that we would like to migrate our current cconfiguration of multiple trunk 10g links supporting a vlan with subinterfaces and vsys's to virtual wire mode on the existing chassis, (i.e. 7050, or 5060).
As I understand it, we would need at least 2 interfaces for each trunk for both sides of the vwire, and then have matching subinterfaces under these vwire interfaces for each individual vlan. Since we would like to migrate vlan by vlan, is there a way that this is possible?
For instance: current configuration 7050: 4-10g interfaces trunked for a single vrf, with multiple subinterface for indiviudal vlans and associated vsys's that support client servers etc(can think is as a client dmx) and another 4-10g interface trunk for the internal network side. The vsys have a interfaces one on the client vlan and one on the internal vlan.
Since I am knew to virtual wire, but not Palo in general, what would be the best course of proceeding to migrate individual vsys/vlans to a vwire configuration.
I assume we would need at least 2 10g interfaces 1 for client vlan, and 1 for internal to start with, and as we move we can add additional 10g interfaces to both sides to increase the available bandwidth needed?
Any help would be appreciated. I have read most of the KB articales but they all seem to be directed to a single 1 to 1 interface.
Also what if we have a vsys that had internet were we do not wish to vwire internet but the other would be client side and internal, I expect that we could not have vwire in this scenario based on what I have researched.
Thank you in advance for any help.
02-04-2019 03:36 AM
So just to make sure I understand you correctly, you currently have 2*4 10G trunks in L2 mode which you want to switch over to VWire mode
You'd need to start off by setting up at least 2 10G interfaces which you'd set to vwire and then move over the VLAN one by one, adding additional interfaces as you near the vwire'sthroughput capacity
One hurdle would be your security/NAT policies, as you'd either need to accomodate for new zones to be added, or re-use the current zones by editing the config file manually or using the expedition tool (simply 'switching' the zone over by renaming the old L2 zone and creating a new vwire zone using the old name, would also rename them in the security policy)
In regards to your internet, you would need to have an additional trunk/link to be used for internet, but this can be set up as a router-on-a-stick (routing between vlans on the same physical link) and either allow the 'other' network to access internet via the vwire (ie 'hop' over the vwire and then up the L3), or connect another L3 trunk that gets access to the internet
hope this helps
02-11-2019 10:56 AM
Thank you for the reply. I hope I can explain this correctly without having to provide the entire layout.
What we currently have are PA-7050's with mutiple layer 3 trunks for different VDC, using multiple 10g ports across multiple NPC's. We have 4-different VDC all have 4-10gb ports across 4 NPC's trunked with mulitiple sub-interfaces for each vlan and some vsys's with both interfaces on same VDC trunk with different sub-interfaces, and other vsys's with with interfaces on separate VDC trunks and subinterfaces.
What we want to do is move to vwire on the same chassis for all of the vsys etc to take the firewalls out of routing decisions.
We do have only 4 10g ports available.
As I understand how it will work is to use the 4 available 10g ports as trunks for each VDC. Move each vsys; and subinterfaces to the appropriate new 10g VDC.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
