The L3 subinterface is for router-on-a-stick/trunking configurations. You could use one switch with three different VLANs and trunk them all back to one interface using an ethernet cable. The alternative would be to buy three switches and use three different interfaces on your firewall. It's cost savings/easy configuration/less cabling.
I haven't done anything with PAN devices in L2 yet. I think you can group interfaces together that way.
You can do this, BUT we do not recommend it for most environments.
Debugging traffic flows is more involved when you set up multiple L2 interfaces and use VLAN interfaces.
Let's take a look at the two scenarios:
Scenario 1: L3 interface with multiple 802.1q tagged subinterfaces
Sessions on the firewall show up with the subinterfaces as ingress and egress (via the show session info command or via the details on the web UI).
Scenario 2: L2 interfaces and VLAN interfaces
Sessions on the firewall show up with the L2 interfaces as the ingress and egress interface. VLAN interfaces do not show up as the ingress or egress interface.
In scenario 1 when you want to verify a traffic flow you check the details on a session to validate that the ingress and egress interfaces are correct.
In scenario 2 you must use the debug commands to debug traffic flow. Using the debug commands is a non-trivial activity and if done improperly can cause resource exhaustion on the dataplane.
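The router-on-a-stick setup from the first reply, built the way the second reply recommends (scenario 1, L3 subinterfaces rather than L2/VLAN interfaces), as an added PAN-OS CLI example that is not from either poster. It assumes a trunk on ethernet1/1 carrying VLANs 10, 20 and 30, zones named users, servers and guest, and the virtual router named default; lines starting with # are annotations, not CLI input.

```text
# Added example: PAN-OS CLI, router-on-a-stick with 802.1q subinterfaces (scenario 1).
# Assumed: trunk on ethernet1/1, VLANs 10/20/30, zones users/servers/guest, virtual router "default".
configure

# Parent interface is L3 with no IP of its own; each tagged subinterface carries one VLAN.
set network interface ethernet ethernet1/1 layer3
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 tag 10
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 ip 10.0.10.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 tag 20
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 ip 10.0.20.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.30 tag 30
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.30 ip 10.0.30.1/24

# One zone per VLAN, so inter-VLAN traffic always crosses a security policy boundary.
set zone users network layer3 ethernet1/1.10
set zone servers network layer3 ethernet1/1.20
set zone guest network layer3 ethernet1/1.30

# Subinterfaces must belong to a virtual router for the firewall to route between VLANs.
set network virtual-router default interface ethernet1/1.10
set network virtual-router default interface ethernet1/1.20
set network virtual-router default interface ethernet1/1.30

commit
exit

# Verification in operational mode: because these are L3 subinterfaces, the session
# table itself names ethernet1/1.10 / ethernet1/1.20 as ingress and egress, so no
# dataplane debug commands are needed to confirm the flow.
show session all filter from users to servers
show session id <session-id>
```

Replace <session-id> with an id from the filtered session list; the inter-VLAN policy rules between the three zones still have to be written separately.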