Active Active Vwire IPS - PA
Hello, how are you, as always thanks for the support.
A client wants to remove their TippingPoint IPS and put their PA-1410 in its place. The PA-1410 only uses 3 L3 interfaces; as for load, performance is all fine, it uses hopefully 1 to 6% of the load.
Currently their PA-1410s are HA active/passive. They told me that their IPS are also active/passive, but now that I review and validate them, they are not active/passive but active/active, because traffic passes in real time through each of them; so they are active/active because functional and operational traffic passes through both devices.
The IPS sit in the middle of their core switches, where both connections are generating traffic.
Now, seeing this, a Palo Alto active/passive model is not useful for me to put in as a vwire-type IPS, since I would have to:
In one PA, for example, put 2 interfaces and a vwire, and in the other PA put 2 vwire interfaces, to interconnect each one with each core switch, since both are forwarding traffic. But in the event of a failure on the IPS side, active/active on the L3 interfaces will work, because those interfaces are mirrored, but for the vwire ones there will be a block in one PA and the other vwire block in the other PA.
The thing is that, from what I see, I must then first move the PAs from active/passive to active/active.
Then I have a doubt on another point: in the trunk that passes there, there are VLANs 100, 200, 300, 350 and VLAN "1" untagged. Is it possible to create a vwire with subinterfaces and leave VLAN 1 untagged?
As always, thank you for your time, comments, tips and collaboration.
Kind regards
You can have subinterfaces for each tagged VLAN (the base interface is untagged) and thus apply different zones for each VLAN,
or you can put everything onto a single interface (no subinterfaces), but then you have the same zones for all flows/VLAN tags.
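As an added illustration of the first option (not a config from the thread or from Palo Alto), here is what the per-VLAN vwire layout for this trunk looks like in PAN-OS "set" form. Interface names (ethernet1/3 towards core switch A, ethernet1/4 towards core switch B), virtual wire names and zone names are assumptions, and the exact command syntax should be checked against the PAN-OS release on the PA-1410 before committing.

```text
# Added example, not from the thread. Assumed: ethernet1/3 faces core A, ethernet1/4 faces core B.

# Base interfaces as virtual wire; the base pair carries the untagged traffic (native VLAN 1).
# tag-allowed 0 is assumed to mean "untagged only" on the vwire object.
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire
set network virtual-wire vw-untagged interface1 ethernet1/3 interface2 ethernet1/4 tag-allowed 0

# One subinterface per tagged VLAN on each side, each pair in its own virtual wire.
set network interface ethernet ethernet1/3 virtual-wire units ethernet1/3.100 tag 100
set network interface ethernet ethernet1/4 virtual-wire units ethernet1/4.100 tag 100
set network virtual-wire vw-100 interface1 ethernet1/3.100 interface2 ethernet1/4.100

set network interface ethernet ethernet1/3 virtual-wire units ethernet1/3.200 tag 200
set network interface ethernet ethernet1/4 virtual-wire units ethernet1/4.200 tag 200
set network virtual-wire vw-200 interface1 ethernet1/3.200 interface2 ethernet1/4.200

set network interface ethernet ethernet1/3 virtual-wire units ethernet1/3.300 tag 300
set network interface ethernet ethernet1/4 virtual-wire units ethernet1/4.300 tag 300
set network virtual-wire vw-300 interface1 ethernet1/3.300 interface2 ethernet1/4.300

set network interface ethernet ethernet1/3 virtual-wire units ethernet1/3.350 tag 350
set network interface ethernet ethernet1/4 virtual-wire units ethernet1/4.350 tag 350
set network virtual-wire vw-350 interface1 ethernet1/3.350 interface2 ethernet1/4.350

# A zone per VLAN and per side, so security policy can differ per VLAN (assumed zone names).
set zone coreA-untagged network virtual-wire ethernet1/3
set zone coreB-untagged network virtual-wire ethernet1/4
set zone coreA-vlan100 network virtual-wire ethernet1/3.100
set zone coreB-vlan100 network virtual-wire ethernet1/4.100
set zone coreA-vlan200 network virtual-wire ethernet1/3.200
set zone coreB-vlan200 network virtual-wire ethernet1/4.200
set zone coreA-vlan300 network virtual-wire ethernet1/3.300
set zone coreB-vlan300 network virtual-wire ethernet1/4.300
set zone coreA-vlan350 network virtual-wire ethernet1/3.350
set zone coreB-vlan350 network virtual-wire ethernet1/4.350
```

With the single-interface option from the reply, only the vw-untagged pair would exist, with its allowed tags widened to cover 100, 200, 300 and 350, and all of that traffic would land in the two base zones.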