Nominated Discussion: VLAN Confusion

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member
100% helpful (1/1)

This Nominated Discussion Article is based on the post "VLAN Confusion" by @bgre033 and responded to by @seb_rupik  and @Raido_Rattameister . Read on to see the discussion and solution!


I’ve recently got a PA-440, and trying to make sense of the VLAN logic on PAN-OS has got me stumped.

First of all, I get creating a layer 3 sub interface and assigning a VLAN tag, easy. A bit odd that the 'tag' doesn't then show up as a VLAN under Network > VLANs, but I can let that slide.


It's an access port where things really don't make sense. I follow the steps below, and even though it works it just doesn't make sense.


  1. Mark an interface as layer 2, and assign a layer 2 zone to it, ok.
  2. Create a VLAN (Network > VLANs) - sure, but you don’t specify a VLAN ID, just a name. What is the point of this construct?
  3. Assign created VLAN (from step 2) to the physical layer 2 interface - again, ok, but given the VLAN hasn’t got an ID, does this achieve anything?
  4. Create a VLAN Interface (with an ID between 1-9999) and assign a VLAN to it. I assume this is like an SVI, but I don’t need a layer 3 VLAN interface, why is this necessary? Also, it seems like the ID is meant to be the VLAN tag (but the range is not right, 1-9999 rather than 1-4094)?

I'm hoping someone can explain this to be, as the documentation isn't clear.

  1. What is the point of VLANs under Network > VLANs? Given you don't specify a VLAN ID.
  2. Is the ID under the VLAN interface actually a VLAN tag, rather than an interface ID? If so, why is the range 1-9999 (rather than 1-4094)?


While I do use L3 sub-interfaces for normal traffic, I did need L2 for PPPoE tagging as it's not natively supported. This was in the end configured as per, but while working through this I needed some clarifications.


Palo Alto has taken the approach of decoupling the VLAN ID from the VLAN virtual-bridge construct. When you create a VLAN object under Network -> VLAN, the name is the UID not a VLAN ID as would be the case on a cisco. The object you create here is a virtual-bridge which is used to bind the various Layer 2 interfaces defined Network -> Interfaces -> Ethernet and a single SVI under Network -> Interfaces -> VLAN.


The ID number which is required by a sub-interface or VLAN/SVI interface is arbitrary. The tag number, which is selected under the sub-interface, is the VLAN ID and is used for the 802.1Q encapsulation. The sub-interface ID and tag number do not have to match, but it can help with readability!


It is worth noting that this decoupling of VLAN ID from the VLAN object means that sub-interfaces, which uses different 802.1Q tags, can use the same VLAN virtual-bridge effectively performing VLAN tag rewriting.





This would suggest that an access port cannot exist (for example) in VLAN 20 unless a sub-interface has been created with tag '20' and both of these objects have been associated with a VLAN object (Network > VLAN)? Suppose this doesn't really matter, as an access port VLAN ID isn't relevant unless a trunk port exists somewhere on the said device (which it won't unless sub-interfaces have been created).


Finally, I take it a VLAN sub-interface (Network > Interfaces > VLAN) isn't needed unless inter-VLAN routing is required?


It is always easier to set interfaces in Layer3.  The main interface will be untagged and sub-interfaces will tag packets.


  • Layer2 makes sense only if you deploy firewalls in small office with few devices and you don't have a dedicated switch (all devices connect directly to Palo) and you need multiple interfaces to be in same subnet/vlan
  • Other reason to use Layer2 is if you have existing setup. Let's say a web server and database servers were historically deployed in a single VLAN. You want to separate them and place a firewall in between

What you can do is connect web server and database server directly to the PA Firewall. Set the firewall interfaces in Layer2 and create a policy in between to permit only specific traffic. As a result, no re-IP needed but security posture improved.


Once you configure a Layer2 sub-interface you are creating a trunk link and 802.1q will be enabled, using the 'tag' value as the VLAN ID on the encapsulated frame. An access port doesn't really need a VLAN tag, as it is never imposed on the frame, they arrive and leave untagged.  The VLAN tag/ID is there purely to identify which virtual-bridge the frames belong to.


The object created under Network -> Interfaces -> VLAN is not a sub-interface. I understand the confusion as it prepends a digit to the interface name. The interface here is a SVI/IRB . If you have configured your firewall interfaces all as Layer2, then yes you will need these for inter-VLAN routing. You can have a mix of routed Layer 3 interfaces (dedicated or sub-interface) and VLAN interfaces for inter-VLAN routing, depending on your topology.


Once you get to PAN-OS 11.x you can configure PPPoE on sub-interface.




Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎04-04-2023 10:56 AM
Updated by: