topic Re: VSX Shared Vlan Interfaces and ARP Issue in Firewall and Security Management

VSX Shared Vlan Interfaces and ARP Issue

LOcfemia — Tue, 09 Jul 2019 18:28:37 GMT

We are deploying VSX and getting some difficulties implementing it to customer's environment whether we use vSwitch or vRouter.

Both VSes need to have an access to shared vlan interfaces (internal & DMZ). eth5 (internal) has 4 vlans and eth6 (DMZ) has 1 vlan only. I believe vSwitch can have only 1 vlan tag, it seems we don't have other options but to use vRouter or create multiple vSwitch for each vlan.

The second problem is after creating vSwitch and connecting to VS0 (warp link) with the ip address of 10.10.1.254, the gateway or VS0 is not responding to arp request.
"arp who-has 10.10.1.254 tell 10.10.1.210" Clearly, that IP belongs to virtual device.

Did I miss anything? Any suggestion are welcome and appreciated.

I have attached the topology for reference. Thank you.

Re: VSX Shared Vlan Interfaces and ARP Issue

Maarten_Sjouw — Tue, 09 Jul 2019 20:25:58 GMT

For each VLAN you need to connect to more than 1 VS you create a virtual switch, this Virtual switch can also be connected to a VLAN in a trunk port. This is not limited to a physical interface.

Re: VSX Shared Vlan Interfaces and ARP Issue

Kaspars_Zibarts — Wed, 10 Jul 2019 07:54:44 GMT

As said earlier vSwitch can only handle one VLAN. So technically you could spin up 5 vSwitches one for each VLAN. But I struggle to understand the purpose of two firewalls connecting to the same interfaces (all) I understand if they shared one or two, but not all. Seems a bit strange.

ARP issue is probably related to VLAN tagging not set correctly or check your trunk between VSX and next hop