Getting Started: Layer 3 Subinterfaces

by Community Manager on 10-28-2015 02:52 PM - edited on 11-17-2015 06:14 PM (48,921 Views)

I've unpacked my firewall and want to configure VLANs — subinterfaces


Now that your new Palo Alto Networks firewall is up and running, let's look at adding VLAN tags to the mix by creating Layer 3 subinterfaces. Our initial installments in the Get Started series described the first steps after unpacking your firewall and getting it updated and configured in VWire or Layer 3 mode. Check out I've unpacked my firewall, now what? and I've unpacked my firewall and did what you told me, now what? 


Your organization may have several network segments, for example to keep user workstations separate from public webservers. A good way to prevent these networks from communicating with each other is to implement VLANs on the core switch, so that hosts in one VLAN cannot reach hosts in another without some form of bridge or gateway connecting the two virtual networks.


The first configuration we'll look at builds on where we left off in the previous getting started guide. The firewall has Layer 3 interfaces and we're now going to change the trust interface so it can communicate with a trunked switch interface.


The difference between a regular (access) switchport and a trunk switchport is that an access port leaves the Ethernet header of every packet untouched, whereas a trunk port attaches a VLAN tag to each packet in the form of an IEEE 802.1Q header. This ensures that packets retain their VLAN information once they leave the switch, so the next host receiving them can treat each VLAN as a different LAN.


! Access port: frames leave the switch untagged, all belonging to VLAN 100
interface GigabitEthernet1/36
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast

! Trunk port: frames leave the switch with an 802.1Q tag for VLAN 100 or 200
! (plain 'spanning-tree portfast' has no effect on a trunk; the 'trunk' keyword is required)
interface GigabitEthernet1/36
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk

We'll be switching our configuration from a regular interface to tagged subinterfaces.
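The tagging that the two switch configurations above produce, as an added Python example (not code from the article or from Palo Alto Networks): it builds a frame the way a trunk port would, parses the 802.1Q header back out, and maps the VLAN id to the subinterface that will own it on the firewall. The MAC addresses, frame contents and the tag-to-subinterface table are constructed for illustration.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
# Constructed, locally administered MAC addresses for the sample frames.
DST_MAC = bytes.fromhex("0200000000aa")
SRC_MAC = bytes.fromhex("0200000000bb")

def build_frame(payload: bytes, vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; with a vid, insert the 4-byte 802.1Q tag a trunk port adds."""
    if vid is None:                               # access port: header left untouched
        return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = (pcp & 0x7) << 13 | vid                 # TCI = PCP(3) | DEI(1)=0 | VID(12)
    return DST_MAC + SRC_MAC + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload

def parse_frame(frame: bytes) -> dict:
    """Return {'vid', 'ethertype', 'payload'}; vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return {"vid": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return {"vid": tci & 0x0FFF, "ethertype": inner_type, "payload": frame[18:]}

# Tag -> subinterface, matching the article's setup (constructed table).
SUBINTERFACES = {100: "ethernet1/2.100", 200: "ethernet1/2.200"}

def receiving_interface(frame: bytes, physical: str = "ethernet1/2") -> Optional[str]:
    """Untagged frames (and VID 0, which 802.1Q defines as a priority tag with no VLAN)
    belong to the physical interface; tagged frames go to the matching subinterface;
    a tag with no subinterface has no owner and is returned as None."""
    vid = parse_frame(frame)["vid"]
    if vid is None or vid == 0:
        return physical
    return SUBINTERFACES.get(vid)
```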


1. Creating subinterfaces


The first step is to remove the IP configuration from the physical interface of the firewall.

  1. Navigate to the Network tab.
  2. Go to Interfaces on the left pane.
  3. Open the interface configuration.
  4. Navigate to the IPv4 tab.
  5. Select the subnet.
  6. Click Delete.



We can now go ahead and add a subinterface.



In the subinterface configuration, we need to assign an interface number and a tag. The tag needs to match the VLAN exactly, but the interface number may be different. For ease of management, it's best to set it to the same ID as the VLAN tag. Add the interface to the 'default' Virtual Router and assign it to the 'trust' Security Zone.




Next, navigate to the IPv4 tab and add the IP to the interface.



Then navigate to the Advanced tab and set the Management Profile to 'ping.'



Next, we've added a webserver to the network and placed it in VLAN 200 on the switch.



So we'll need to add a second subinterface and set it to VLAN tag 200. We'll also create a new Security Zone so we can apply different security policy to it.



We'll call the new zone 'dmz', assign the interface a different IP subnet, and also set the Management Profile to 'ping.'



Your interface configuration should now look similar to this:



2. Reconfigure DHCP


We will now need to move the DHCP server we created last time to the new subinterface.

  1. Navigate to the Network tab.
  2. Open DHCP menu from the left pane.
  3. Open the DHCP configuration for interface ethernet1/2.
  4. Change the Interface to ethernet1/2.100 to match the new subinterface.



3. Create a new NAT policy


The next step is to create a NAT policy to allow hosts on the internet to reach the webserver via the external IP address of the firewall.

  1. Navigate to the Policies tab.
  2. Open NAT configuration from the left pane.
  3. Click Add to create a new NAT policy.




In the Original Packet tab, we set the source and destination zones to untrust, and the destination address to the external IP address of the firewall. The destination zone is untrust because the firewall determines the destination zone of a received packet by looking up the destination address in its routing table, and for a NAT rule that lookup is done on the original destination IP address, before NAT is applied. In this case, that address belongs to the untrust zone.



In the Translated Packet tab, we add the physical (internal) IP address of the webserver.



4. Add security policy


The last step is to create security policies to allow the trust and untrust zones to access the webserver.

  1. Navigate to Policies.
  2. Open the Security policies from the left pane.
  3. Click Add to create a new rule and name it access_to_webserver.


For now, we'll set the source zone to 'untrust.'



We'll set the destination to 'dmz' and the destination address to the external IP of the firewall.



We'll enable application web-browsing.



Enable several security profiles to make sure the webserver is protected from attacks.



Repeat this step for a security policy from the trust zone, so additional applications can be added.



In the destination, we'll set Security Zone 'dmz' and the internal IP address of the webserver.



Add additional applications for management.



Your security policy should now look similar to this:



After you commit this new configuration, interface ethernet1/2 will accept 'tagged' packets for VLAN 100 and 200 and the webserver will become available to the outside world.
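A small Python model (added here; not Palo Alto Networks code) of how the NAT and security rules above are matched: the NAT rule's destination zone comes from a route lookup on the original destination address, while the security rule is matched on the post-NAT zone ('dmz') but still on the pre-NAT destination address (the external IP). The addresses, route table and the trust-side rule name are constructed; only access_to_webserver comes from the article.

```python
import ipaddress
from collections import namedtuple

# Constructed lab addresses (documentation ranges), not values from the article.
EXTERNAL_IP = "203.0.113.10"     # firewall untrust IP the internet uses to reach the webserver
WEBSERVER_IP = "192.168.200.10"  # webserver behind ethernet1/2.200 (VLAN 200, zone dmz)

# 'default' virtual router: prefix -> zone of the egress interface.
ROUTES = {
    ipaddress.ip_network("192.168.100.0/24"): "trust",   # ethernet1/2.100
    ipaddress.ip_network("192.168.200.0/24"): "dmz",     # ethernet1/2.200
    ipaddress.ip_network("203.0.113.0/24"): "untrust",   # ethernet1/1
    ipaddress.ip_network("0.0.0.0/0"): "untrust",        # default route
}

def zone_for(ip: str) -> str:
    """Longest-prefix-match route lookup: a destination's zone is the zone of the
    interface the firewall would forward it out of."""
    addr = ipaddress.ip_address(ip)
    return ROUTES[max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)]

# NAT rules are matched on pre-NAT zones; security rules on the post-NAT zone
# but on the original (pre-NAT) destination address.
NatRule = namedtuple("NatRule", "from_zone to_zone dst translated_dst")
SecRule = namedtuple("SecRule", "name from_zone to_zone dst app")

NAT_RULES = [NatRule("untrust", "untrust", EXTERNAL_IP, WEBSERVER_IP)]
SEC_RULES = [SecRule("access_to_webserver", "untrust", "dmz", EXTERNAL_IP, "web-browsing"),
             SecRule("trust_to_webserver", "trust", "dmz", WEBSERVER_IP, "web-browsing")]
# Common misconfiguration: destination address set to the internal (post-NAT) IP.
SEC_RULES_WRONG = [SecRule("access_to_webserver", "untrust", "dmz", WEBSERVER_IP, "web-browsing")]

def evaluate(src_zone: str, dst_ip: str, app: str, sec_rules=SEC_RULES) -> tuple:
    """Return (verdict, matched rule name, translated destination, post-NAT zone)."""
    pre_nat_zone = zone_for(dst_ip)
    translated = dst_ip
    for r in NAT_RULES:
        if (r.from_zone, r.to_zone, r.dst) == (src_zone, pre_nat_zone, dst_ip):
            translated = r.translated_dst
            break
    post_nat_zone = zone_for(translated)
    for r in sec_rules:
        if (r.from_zone, r.to_zone, r.dst, r.app) == (src_zone, post_nat_zone, dst_ip, app):
            return ("allow", r.name, translated, post_nat_zone)
    return ("deny", None, translated, post_nat_zone)
```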


Thank you for reading. Please leave any comments in the comment section below.





If you've enjoyed this article, please also take a look at the follow-up article:

I’ve unpacked my firewall, but where are the logs?

by ezra.mosomi
on 12-16-2015 08:21 AM

Thanks Tom for this nice article.

However, I wanted to seek clarification: when one is trying to configure a switch that is configured with sub SVIs that act as the default router for the switch, which is connected to a router to the external network, which kind of IPs can I give the sub interfaces, or do I just do away with them?


Below is an excerpt of my switch configs.



ip dhcp pool VLAN444
ip dhcp pool VLAN20

ip route     //my external router

interface Vlan20
 ip address
interface Vlan444
 ip address

Thanks, anyone with an idea can advise too.






by Community Manager
on 12-29-2015 07:39 AM



If your switches are set up with a default route on a VLAN on the switch, you could either remove those IP configurations and put them on the firewall instead, or you could opt to configure your firewall in layer2 mode as I cover in this article: Getting Started: Layer 2 Interfaces, which will allow you to keep using your current setup.

by DanielSmith5725
on 12-29-2017 11:28 AM

If I understand the difference between this article and the article linked above, the subinterface setup is the only way to accomplish VLANs on a layer 3 interface, not using the VLAN tab on the main interface. That only works with a layer 2 interface. Is that correct?

Do you also need to set up static routes on the VR used for either L2 or L3?

by Community Manager
on 12-29-2017 02:45 PM

That's (partly) correct.

A layer3 interface acts like a router interface, while a layer2 interface acts like a switch interface.

But in both cases you'll need tagged subinterfaces to identify VLAN tags.

Layer3 interfaces require routes and need to be added to the Virtual Router, while layer2 interfaces don't need routes and can be 'bridged' by creating VLANs in the VLAN tab.


by thekum
on 02-19-2018 12:42 AM

I need one subinterface that is native - an untagged VLAN (one that does not have a tag).

How can I do that config?

by Community Manager
on 02-21-2018 05:40 AM

Hi @thekum, your physical interface acts as an untagged interface. If you set it up with an IP address in the appropriate network, it will function as untagged.

by FernandoDiaz
‎07-18-2018 09:08 AM - edited ‎07-18-2018 09:10 AM

@reaper What is the better design?


A Layer-3 interface with sub-interfaces like you detail in this article, or a Layer-2 interface with a Layer-2 zone and a Layer-3 zone with VLAN? This setup was described in article:

by Community Manager
on 07-19-2018 02:12 AM

hi @FernandoDiaz


The question is really: what is the better design for your environment?


On my home PA-220 I have deployed L2, as this allowed me to keep my network flat (one IP subnet) but still separate my different 'areas' (wifi, entertainment, backup, ...) from each other (my firewall kind of works like a switch).


In my office I deploy L3, as my DMZ, LAN and Guest network are on different subnets; this is a more rugged design.
