This document provides steps on how to configure Layer 3 untagged subinterfaces.
Steps
Go to Network > Interfaces.
Select a physical interface.
Enable Untagged Subinterface.
The untagged L3 subinterfaces are designed to work without an IP address on the physical device.
Create untagged subinterfaces and assign them a different virtual router and zone.
The following screenshot shows three L3 subinterfaces configured: eth1/6.10, eth1/6.11, and eth1/6.12.
Subinterface Ethernet 1/6.10 is assigned to zone L3-Trust.
Subinterface Ethernet 1/6.11 is assigned to zone L3-DMZ.
Subinterface Ethernet 1/6.12 is assigned to zone L3-Trust.
Go to Policies > Security to view Security policies for communicating from L3-Trust to L3-DMZ.
All outgoing traffic from each tenant is source NAT'ed to the subinterface IP address. Go to Policies > NAT to view the NAT policy that lets host 10.10.10.10 behind subinterface Ethernet 1/6.10 communicate with host 11.11.11.11 behind subinterface Ethernet 1/6.11.
Go to Policies > Security to view the Security policies applied for communicating from L3-DMZ to L3-Trust.
Go to Policies > NAT to view the NAT policy that lets host 11.11.11.11 behind subinterface Ethernet 1/6.11 communicate with host 10.10.10.10 behind subinterface Ethernet 1/6.10.
With the above configuration, host 10.10.10.10 (behind subinterface Ethernet 1/6.10) can ping host 11.11.11.11 (behind subinterface Ethernet 1/6.11), and the other way around.