Palo Alto Networks Knowledgebase: Error When Specifying a Tag for VWire Subinterfaces
Error When Specifying a Tag for VWire Subinterfaces
Created On 02/07/19 23:36 PM - Last Updated 02/07/19 23:36 PM
Mobile Network Infrastructure
When adding a tag in a Virtual Wire with VWire subinterfaces, the following error appears:
-> tag-allowed constraints failed : cannot specify tag allowed with ethernet sub-interface
Create a VWire (vwire1), at Network > Virtual Wire, with two subinterfaces and specify tags in the Tags Allowed field. This will cause the following error to appear:
Follow the steps below to configure VWire and VWire subinterfaces to allow tagged traffic on those subinterfaces.
Go to Network > Interfaces and create two VWire Interfaces. For example:
Create VWire subinterfaces as shown in the following examples:
ethernet1/1.1 and ethernet1/2.1 with tag 1 (To allow traffic with tag 1)
ethernet1/1.2 and ethernet1/2.2 with tag 2 (To allow traffic with tag 2
Go to Network > Virtual Wires and create a parent VWire (default VWire in this example) with primary VWire interfaces (ethernet1/1 and ethernet1/2) and specify all the tags allowed, except the tags that are being specified on the VWire subinterfaces (tags 1,2).
Create VWires for the subinterfaces, but do not specify anything in the Tags Allowed field. Leave the Tags Allowed field blank. In this example, a default VWire (parent VWire) was created and specified tags 3 - 4094, leaving the tags used by the subinterfaces (1, 2). VWire1 and vwire2 were also created and have subinterfaces. Leave the Tags Allowed field blank. In this example, traffic with tag 3-4094 will go through default VWire and traffic with tag 1 and tag 2 will go through vwire1 and vwire2.
Note: The VWire subinterfaces tags should not exist on the parent VWire's tag allowed list.
In the previous example, tag 1 and tag 2 should not exist on default VWire. If the tag for the VWire subinterface already exists on the parent VWire, a commit error will display as shown below: