
Is it possible for traffic to pass between sub-interfaces on the same physical interface?


L4 Transporter

Hello.

I want to make the following network-diagram. Is it possible?

A Cisco Nexus                     Paloalto

VRF-1 ----------------------> eth1/1.1 | 1.1.1.1 | VR : default | trust
           tag 10                 |
                                  |
VRF-2 <---------------------- eth1/1.2 | 2.2.1.1 | VR : default | untrust
           tag 20


1. Traffic goes into sub-interface eth1/1.1 with tag 10.

2. The FW processes routing and policing.

3. Traffic goes out from sub-interface eth1/1.2 with tag 20.


The two sub-interfaces are on the same physical interface.


Thanks,

KC Lee


Accepted Solutions

Hello Cheon,

Yes this is possible. You have to make sure the following are in place:

- Layer3 subinterface eth1/1.1 configured for tag 10, zone-x, ip-1.1.1.1/netmask

- Layer3 subinterface eth1/1.2 configured for tag 20, zone-y, ip-2.2.1.1/netmask

- Security rules allowing traffic between zone x and y as required.

- Optional: any other policies like NAT etc.

Regards,

Dileep
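
The checklist in the accepted answer, written out as PAN-OS configure-mode set commands. This is an added example, not part of the original posts: it uses the zone names from the question (trust, untrust), and the /24 masks, the rule name vrf1-to-vrf2 and the allowed applications are assumptions. Lines starting with # are annotations, not commands.

```text
# Two Layer3 sub-interfaces on the same physical port, one per 802.1Q tag
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.1 tag 10
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.1 ip 1.1.1.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 tag 20
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 ip 2.2.1.1/24

# Both sub-interfaces in the same virtual router, so the connected
# routes are enough for forwarding between them
set network virtual-router default interface [ ethernet1/1.1 ethernet1/1.2 ]

# Different zones: traffic from tag 10 to tag 20 is inter-zone and is
# only forwarded if a security rule allows it
set zone trust network layer3 ethernet1/1.1
set zone untrust network layer3 ethernet1/1.2

# Allow only what is required from trust to untrust (assumed applications)
set rulebase security rules vrf1-to-vrf2 from trust to untrust
set rulebase security rules vrf1-to-vrf2 source any destination any
set rulebase security rules vrf1-to-vrf2 application [ ssl web-browsing ]
set rulebase security rules vrf1-to-vrf2 service application-default
set rulebase security rules vrf1-to-vrf2 action allow log-end yes

commit
```

On a multi-vsys firewall the zone and rulebase commands are prefixed with the vsys, for example set vsys vsys1 zone trust network layer3 ethernet1/1.1.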


L3 Networker

Hi,

I think it is possible to work because sub-interfaces are logically different interfaces with tag numbers.

Thanks.

Regards,

Roh

L6 Presenter

Hi Cheon,

It's very much possible; many customers have this implementation. The good thing is you don't have to configure any special routing, because both the interfaces on PANW are on the same VR.

Refer to the following document on sub-interfaces:

How to Create Tagged Sub-Interfaces

Regards,

Hardik Shah

L6 Presenter

Also you can read Securing Inter VLAN Traffic for further information.

L4 Transporter

Wow~.

Thank you very much~ Roh, dreputi, hshah, panos.

My worry is gone thanks to you, and I got good energy.
