Right now we use a standard vwire with 2 physical interfaces.
We're about to make some hardware changes that mean the vwire input and output will be from/to the same physical switch.
If I have to use 2 interfaces then on that switch I'll just be using two untagged ports from/to the appropriate VLANs on the switch.
But do I have to use 2 physical interfaces? Is it possible to use a single physical interface with subinterfaces (I think that's the magic word?) so the input and output are simply tagged across the one physical link?
Apologies if my terminology is way off here, but hopefully I've explained it well enough, if any clarification is needed please just ask :)
A v-wire requires exactly two physical interfaces.
What you're asking for can be accomplished using a single L2 interface on the firewall and enabling vlan tag rewrite. In essence you are bridging two vlans together.
Thanks, bit confused now as you said it requires two physical interfaces then suggested it can be done with one? :)
If it needs 2 in order to be supported so be it, just frustrating when it's using NICs and all going into the same switch...
You can't use a "virtual-wire" in this scenario, as a v-wire requires exactly 2 interfaces... no more, no less.
You can use an "L2" interface to perform what you're requesting.
They're two different interface modes with different capabilities and limitations.
OK thanks, is there any easy and supported way to combine everything across a single physical link between the switch and the PAN?
Essentially I would have:
L3 interface/subinterface between PAN and switch
L2 interface to inspect
I'm guessing L2 and L3 cannot be mixed on the same physical interface, which makes sense, and hopefully the topology will be changing fairly soon to accommodate this so we don't need to be doing it at all.
VirtualWire is L1 and always requires pair of ports.
Correct, you can't mix L2 and L3 on same interface.
And yes, you can make L2 subinterfaces and assign to different VLANs.
I'm not sure I understand your scenario correctly, though. If you already have an L3 (trunk) interface to the PA, why don't you just move those two networks you wish to inspect and secure to the PA instead of leaving them on the L3 switch?
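As an added illustration (not posted by anyone in this thread), here is a PAN-OS CLI sketch of the setup the replies describe: one physical port in Layer2 mode, two tagged subinterfaces placed in a single VLAN object so the firewall bridges the two VLANs and rewrites the tag as frames cross, each subinterface in its own L2 zone, and a security rule between the zones so the bridged traffic is actually inspected. The interface name ethernet1/1, the tags 10 and 20, and the zone/VLAN/rule names are assumptions chosen for the example; substitute your own.

```text
configure

# Assumption: ethernet1/1 is the single trunk port to the switch. Layer2 mode,
# not virtual-wire, because a vwire needs exactly two physical ports.
set network interface ethernet ethernet1/1 layer2

# One L2 subinterface per VLAN carried on the trunk (tags 10 and 20 assumed).
set network interface ethernet ethernet1/1 layer2 units ethernet1/1.10 tag 10
set network interface ethernet ethernet1/1 layer2 units ethernet1/1.20 tag 20

# Both subinterfaces in one VLAN object: the firewall bridges them, and a frame
# entering on tag 10 leaves on tag 20 (and vice versa), which is the tag rewrite.
set network vlan inspect-bridge interface [ ethernet1/1.10 ethernet1/1.20 ]

# Separate L2 zones so the bridged traffic is interzone and hits policy.
set zone inside network layer2 ethernet1/1.10
set zone outside network layer2 ethernet1/1.20

# Without an interzone rule the default policy drops the bridged traffic.
set rulebase security rules inspect-bridge from inside to outside source any destination any application any service application-default action allow
set rulebase security rules inspect-bridge-return from outside to inside source any destination any application any service application-default action allow

commit
```

On the switch side the port facing ethernet1/1 must be a trunk carrying both tags, and there must be no other L2 path between the two VLANs, otherwise the traffic will simply take the switch path and bypass the firewall. Attach the security profiles you want (threat, URL, and so on) to the two rules; the example only shows the minimum needed for the bridge to pass traffic.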