https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63724#M38293 <P>Hello,</P><P>I ahve done this and it works really well for me. Not saying its the only way of doing it but for my proposes it works.</P><P>&nbsp;</P><P>Make the interfaces and subinterfaces layer2</P><P>Create layer 3 vlans for the ones that are trunked</P><P>Create a zone for each vlan (make sure to add all the rules and nats that you need)</P><P>&nbsp;</P><P>I use it because it allwos me to control traffic between the vlans, kind of like a collapsed DMZ.</P><P>&nbsp;</P><P>Also if you have a DENY ALL rule at the bottom, it will not allow intrazone traffice so you would need a rule to allow it, i.e. trust&lt;-&gt;trust allow.</P><P>Hope this helps!</P><P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/111iC250D4FCE7172C2F/image-size/original?v=mpbl-1&amp;px=-1" alt="collapsedDMZ.JPG" title="collapsedDMZ.JPG" border="0" /></P> Thu, 27 Aug 2015 16:04:29 GMT OtakarKlier 2015-08-27T16:04:29Z https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63581#M38237 <P>hello;</P><P>&nbsp;</P><P>we work on our organisation to do the migration of the configuration from another firewall to the palo lato networks PA-500 . With the recent architecture the segmentation of the networks is in the switch . But now , we like to do this segmentation in the PA-500 by creation of subinterfaces . we like to do like show the screenshot : a router of trafic from inside to outside that a second router from vlan 10 to inside than another router from vlan 20 to inside . The interface eth1/2 is related with a truk port configured on the switch with tagged vlan 10 and vlan 20.</P><P>&nbsp;</P><P>The problem that the traffic not passe to the subinterfaces! Please correct me if there is any mistake that i make it in my configuration.</P><P>&nbsp;</P><P>Thank you!<IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/70iF4F58F2245A0892F/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="subinterfaces-config.JPG" title="subinterfaces-config.JPG" /></P> Tue, 25 Aug 2015 08:32:26 GMT https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63581#M38237 RCHAIBI 2015-08-25T08:32:26Z https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63582#M38238 <P>You're proably missing VLAN 1 on trunk between switch and PA.</P><P>Besides you're speaking of different (virtual) routers and you have only 1 for all interfaces (vr_vsys1). But that shouldn't be a problem, in fact that should make your life easier.</P><P>&nbsp;</P><P>Hard to tell much more without seeing all configuration and rules.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 25 Aug 2015 09:16:40 GMT https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63582#M38238 santonic 2015-08-25T09:16:40Z https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63587#M38241 <P>Do you also have the security policies setup betwee zones vlan10 to inside; vlan20 to inside; and inside to outside.</P><P>&nbsp;</P><P>You will also need a NAT policy for inside to outside.</P> Tue, 25 Aug 2015 10:41:04 GMT https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63587#M38241 pulukas 2015-08-25T10:41:04Z https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63700#M38286 <P>What kind of switch do you use?</P><P>Is L2 connection brought up?</P><P>I notice you are using default management profile on all interfaces. Normaly I would use profile that allows ping only on such interfaces.</P><P>Can you ping PA interfaces from switch or laptop connected to one of the switch ports?</P><P>If answer is positive to all this, then you will need to have permissive security policy that allows traffic to flow between the zones.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 Aug 2015 11:25:15 GMT https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63700#M38286 katavag 2015-08-27T11:25:15Z https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63724#M38293 <P>Hello,</P><P>I ahve done this and it works really well for me. Not saying its the only way of doing it but for my proposes it works.</P><P>&nbsp;</P><P>Make the interfaces and subinterfaces layer2</P><P>Create layer 3 vlans for the ones that are trunked</P><P>Create a zone for each vlan (make sure to add all the rules and nats that you need)</P><P>&nbsp;</P><P>I use it because it allwos me to control traffic between the vlans, kind of like a collapsed DMZ.</P><P>&nbsp;</P><P>Also if you have a DENY ALL rule at the bottom, it will not allow intrazone traffice so you would need a rule to allow it, i.e. trust&lt;-&gt;trust allow.</P><P>Hope this helps!</P><P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/111iC250D4FCE7172C2F/image-size/original?v=mpbl-1&amp;px=-1" alt="collapsedDMZ.JPG" title="collapsedDMZ.JPG" border="0" /></P> Thu, 27 Aug 2015 16:04:29 GMT https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/63724#M38293 OtakarKlier 2015-08-27T16:04:29Z https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/64015#M38447 <P>Hello;</P><P>&nbsp;</P><P>Thank you very much for all the respenses. It's ok , the configuration now work in Layer 3 by adding a Nat rules in the Palo Alto Networks from a vlan to outside.&nbsp;</P><P>&nbsp;</P><P>I really appreciate all your helps&nbsp;</P><P>&nbsp;</P><P>Thank you!</P> Wed, 02 Sep 2015 15:38:31 GMT https://live.paloaltonetworks.com/t5/general-topics/tagged-subinterfaces-configuration-on-l3-mode/m-p/64015#M38447 RCHAIBI 2015-09-02T15:38:31Z