We have an old-fashioned flat network layout. We are looking at a significant network redesign and part of that is doing a proper security architecture and separating our servers from our userbase and separating server tiers (e.g. web, application, database) from each other. We also are a government that has several different verticals (e.g. health, public safety, public works, education) and we plan to design the network with these verticals being quasi-separate from each other.

In order to accomplish this, we are looking at acquiring a couple PA-5060 devices to put into an active/passive HA pair and then creating multiple VSYS inside the 5060, one for each service vertical (plus a general one).

Our network architect had a question regarding the capability of the PA-5060 with regards to port aggregation, VSYS, and physical port sharing between VSYS. Ideally, he would like to aggregate two of the 10 Gb SFP+ ports and have each VSYS be able to use these physical ports. It's okay if the method involves the creation of subinterfaces under the aggregate with individual, unique VLAN tags. For example, a logical interface representing two aggregated physical interfaces with 15 subinterfaces, where 5 subinterfaces are assigned to VSYS #1, another 5 subinterfaces assigned to VSYS #2, and the last 5 assigned to VSYS #3 (for example).

Is this something that is possible? It seems like it must be, as the PA-5060 supports up to 225 VSYS. That would be impossible without some method of sharing physical ports between the VSYS as the 5060 only has 24 physical ports.