06-01-2021 02:06 AM
Hi
I'm just after a bit of advice.
PA3220 - I have configured an aggregated interface and configured a number of sub-interfaces below this for each individual client - is there a maximum recommended number of sub-interfaces that can be configured below the aggregated interface? I am concerned I have over 20 at the moment and I don't want to hinder the PA performance in any way.
Thanks in advance
Jules
06-01-2021 03:50 AM
Hi @JulianH
There is no recommended maximum for subinterfaces. There are only the specification max numbers for interfaces and subinterfaces which are the following for a PA-3220:
802.1q tags per device | 4,094 |
802.1q tags per physical interface | 4,094 |
Max interfaces (logical and physical) | 4,096 |
As these interfaces are used in PAN-OS to decide where to forward traffic and this is all done in hardware, you will not see a performance impact even if you go way above your current 20 subinterfaces. I personally have not used interfaces up to the specified max so far, but at least with more than a hundred subinterfaces the firewall forwards the traffic as if there were only one or two interfaces.
Hope this helps,
Remo
06-01-2021 10:23 AM - edited 06-01-2021 10:23 AM
Hi @JulianH,
Fully agree with @Remo. I will only add the possibility to reach the maximum capacity of the aggregated interface.
You may want to consider QoS with a separate profile for each sub-interface. Unfortunately, here you have a limit of 32 different profiles for each sub-interface. This means that if you plan to apply QoS (which is probably a good idea, to limit the possibility of one client consuming most of the interface capacity), you will be limited to 32 sub-interfaces.
06-02-2021 08:58 AM
Hello,
Another thing to consider is the other technologies involved. In Hyper-V, for example, you are limited to 32 VLANs per interface group.
Regards,
06-03-2021 12:55 AM
Thanks all for the responses - much appreciated