We are looking to deploy our new boxes (PA-3220) in HA in the next few weeks. We are trying to go with best practice methods. Currently, we have a Layer 2 ae interface that has multiple subinterfaces. Each subinterface is tagged with a Layer 3 SVI. The VLAN interfaces are IP'd and added to the Virtual Router.

Example -

Ethernet Tab:

Interface   IP Address   Tag        VLAN       Security Zone
ae2         none         Untagged   INTERNAL   none
ae2.501     none         501        INTERNAL   none
ae2.502     none         502        DMZ1       none
ae2.503     none         503        DMZ2       none
ae2.504     none         504        DMZ3       none

VLAN Tab:

Interface   IP Address       Virtual Router   Tag        VLAN       Security Zone
vlan        none             none
vlan.501    10.1.1.1/24      VR1              Untagged   INTERNAL   INTERNAL
vlan.502    172.16.1.1/24    VR1              Untagged   DMZ1       DMZ1
vlan.503    192.168.1.1/24   VR1              Untagged   DMZ2       DMZ2
vlan.504    172.17.1.1/24    VR1              Untagged   DMZ3       DMZ3

My question is, should we have the above setup or should we just have the ae interface as layer 3 with subinterfaces and tagged VLANs across that interface?

Thank you for your insight.