The diferent is similar like a router on-stick versus un SVI.

I'm prefer use subinterface tagging

This link es very helpful

https://faatech.be/inter-vlan-routing-with-palo-alto-firewalls/

Cheers

Hello all,

router on a stick is only a use case.

A reason why you would prefer VLAN interface is if you have multiple L2 interfaces for instance.

I took note of the suggestion thanks.

Olivier

The VLAN Interface option adds routing functionality to the group as a logical Layer 3 interface. This can be useful if you have an upstream ISP router, or a different subnet connected to a Layer 3 interface that you need to interact with. You will also need to assign the VLAN interface an IP address that the clients on Layer 2 interfaces can use as a default gateway or routing next hop.

A Subinterface is used when the physical interface is connected to a trunked link containing VLAN (802.1Q) tagged packets. The physical interface is not able to interpret the tags, but Subinterfaces are. For each VLAN carried by the trunk, you can create a Subinterface to represent the virtual network coming from the switch. The advantage of using Subinterfaces is that each VLAN can be associated with its own security zone.

The Subinterface will mimic all the configuration specifics of its parent physical interface, but interface types cannot be different from the physical interface type (for example, a Layer 3 physical interface cannot host a Layer 2 Subinterface).