Reading this post I thought it was myself asking this same question almost 3 years ago. Up until recently I have had a similar infrastructure (vWire) between our users and our data center to control internal traffic with security policies. While vWire may be "supported" there are definitely a lot of caveats, and there are reasons why we are moving to L3 routed interfaces on the Palo Alto.

Issues with vWire we experienced (PAN-OS 7.1.3 - 7.1.17 versions tested):

Cisco port-channeling (PAgP, LACP) will work over vWire interfaces (if tag0 is allowed), however be prepared for asymmetrical traffic to be received on the firewall. Even though we enabled features like allowing non-SYN traffic, there was odd traffic behavior and occasional random drops of sessions.

Active/Active vWire, along with Cisco port-channeling, caused not only asymmetrical traffic but increased TCP response times on traffic. Even after multiple cases and debug sessions with Palo Alto we were never able to get this resolved, so we moved to an Active/Passive configuration.

Active/Passive vWire, along with Cisco port-channeling, caused issues with failover, as we could never get LACP pre-negotiation features to work correctly, so there was always a loss of traffic when we failed over. Supposedly this was supported in vWire, but we could not get it to work correctly.

As of now we are running all of our L3 traffic on PAN-5220 firewalls at the center, which allows us to analyze any North-South traffic from any attached subinterface or VLAN, which is working fantastic. Failover to our passive firewall is working as expected with sub-second delay (I lose 1 ping).

If I was you I would analyze how much inter-VLAN routing you really need to do in the UCS and decide if you want to hairpin it off of the Palo Alto or create local routing. My opinion, based on the world as it is now: visibility is everything.

Just my two cents. I hope this helps.

-Matt