Virtual Wire Subinterfaces
Table of Contents
Virtual Wire Subinterfaces
You can create subinterfaces on a virtual wire and then
apply different policies to different traffic zones based on VLAN
tags. You can further separate traffic using IP classifiers based
on a source IP address, range, or subnet.
Virtual wire deployments can use virtual wire subinterfaces
to separate traffic into zones. Virtual wire subinterfaces provide
flexibility in enforcing distinct policies when you need to manage
traffic from multiple customer networks. The subinterfaces allow
you to separate and classify traffic into different zones (the zones
can belong to separate virtual systems, if required) using the following
criteria:
- VLAN tags—The example inVirtual Wire Deployment with Subinterfaces (VLAN Tags only)shows an ISP using virtual wire subinterfaces with VLAN tags to separate traffic for two different customers.
- VLAN tags in conjunction with IP classifiers (address, range, or subnet)—The following example shows an ISP with two separate virtual systems on a firewall that manages traffic from two different customers. On each virtual system, the example illustrates how virtual wire subinterfaces with VLAN tags and IP classifiers are used to classify traffic into separate zones and apply relevant policy for customers from each network.
Virtual Wire Subinterface
Workflow |
|---|
|
|
|
IP classification may only be used on the subinterfaces
associated with one side of the virtual wire. The subinterfaces
defined on the corresponding side of the virtual wire must use the
same VLAN tag, but must not include an IP classifier.
Virtual
Wire Deployment with Subinterfaces (VLAN Tags only)
depicts CustomerA
and CustomerB connected to the firewall through one physical interface,
ethernet1/1, configured as a Virtual Wire; it is the ingress interface.
A second physical interface, ethernet1/2, is also part of the Virtual
Wire; it is the egress interface that provides access to the internet.For CustomerA, you also have subinterfaces ethernet1/1.1 (ingress)
and ethernet1/2.1 (egress). For CustomerB, you have the subinterface
ethernet1/1.2 (ingress) and ethernet1/2.2 (egress). When configuring
the subinterfaces, you must assign the appropriate VLAN tag and zone
in order to apply policies for each customer. In this example, the
policies for CustomerA are created between Zone1 and Zone2, and
policies for CustomerB are created between Zone3 and Zone4.
When traffic enters the firewall from CustomerA or CustomerB,
the VLAN tag on the incoming packet is first matched against the
VLAN tag defined on the ingress subinterfaces. In this example,
a single subinterface matches the VLAN tag on the incoming packet,
hence that subinterface is selected. The policies defined for the
zone are evaluated and applied before the packet exits from the
corresponding subinterface.
The same VLAN tag must not be defined on the parent virtual
wire interface and the subinterface. Verify that the VLAN tags defined
on the Tag Allowed list of the parent virtual wire interface ()
are not included on a subinterface.
Virtual
Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers)
depicts
CustomerA and CustomerB connected to one physical firewall that
has two virtual systems (vsys), in addition to the default virtual
system (vsys1). Each virtual system is an independent virtual firewall
that is managed separately for each customer. Each vsys has attached interfaces/subinterfaces
and security zones that are managed independently.
Vsys1 is set up to use the physical interfaces ethernet1/1 and
ethernet1/2 as a virtual wire; ethernet1/1 is the ingress interface
and ethernet1/2 is the egress interface that provides access to
the Internet. This virtual wire is configured to accept all tagged
and untagged traffic with the exception of VLAN tags 100 and 200
that are assigned to the subinterfaces.
CustomerA is managed on vsys2 and CustomerB is managed on vsys3.
On vsys2 and vsys3, the following vwire subinterfaces are created
with the appropriate VLAN tags and zones to enforce policy measures.
Customer | Vsys | Vwire Subinterfaces | Zone | VLAN Tag | IP Classifier |
|---|---|---|---|---|---|
A | 2 | e1/1.1 (ingress) e1/2.1 (egress) | Zone3 Zone4 | 100 100 | None |
2 | e1/1.2 (ingress) e1/2.2 (egress) | Zone5 Zone6 | 100 100 | IP subnet 192.1.0.0/16 | |
2 | e1/1.3 (ingress) e1/2.3 (egress) | Zone7 Zone8 | 100 100 | IP subnet 192.2.0.0/16 | |
B | 3 | e1/1.4 (ingress) e1/2.4 (egress) | Zone9 Zone10 | 200 200 | None |
When traffic enters the firewall from CustomerA or CustomerB,
the VLAN tag on the incoming packet is first matched against the
VLAN tag defined on the ingress subinterfaces. In this case, for
CustomerA, there are multiple subinterfaces that use the same VLAN
tag. Hence, the firewall first narrows the classification to a subinterface
based on the source IP address in the packet. The policies defined
for the zone are evaluated and applied before the packet exits from
the corresponding subinterface.
For return-path traffic, the firewall compares the destination
IP address as defined in the IP classifier on the customer-facing
subinterface and selects the appropriate virtual wire to route traffic
through the accurate subinterface.
The same VLAN tag must not be defined on the parent virtual
wire interface and the subinterface. Verify that the VLAN tags defined
on the Tag Allowed list of the parent virtual wire interface ()
are not included on a subinterface.