Tuesday, 27 June 2017

How to Configure L3 Untagged Subinterfaces to Communicate within Different Zones in Palo Alto

Overview

This document provides steps on how to configure Layer 3 untagged subinterfaces.

Steps

  1. Go to Network > Interfaces.
  2. Select a physical interface.
  3. Enable Untagged Subinterface.
    The untagged L3 subinterfaces are designed to work without an IP address on the physical interface.
    [Screenshot: ss1.png]
  4. Create the untagged subinterfaces and assign each one a different virtual router and zone.
    The following screenshot shows three L3 subinterfaces configured: eth1/6.10, eth1/6.11, and eth1/6.12:
    [Screenshot: ss2.png]
    • Subinterface Ethernet 1/6.10 is assigned to zone L3-Trust
    • Subinterface Ethernet 1/6.11 is assigned to zone L3-DMZ
    • Subinterface Ethernet 1/6.12 is assigned to zone L3-Trust
  5. Go to Policies > Security to view the Security policies for communicating from L3-Trust to L3-DMZ.
    [Screenshot: ss3.png]
  6. All outgoing traffic from each tenant is source NAT'ed to the subinterface IP address. Go to Policies > NAT to view the NAT policy that lets the host 10.10.10.10 behind subinterface Ethernet 1/6.10 communicate with the host 11.11.11.11 behind subinterface Ethernet 1/6.11.
    [Screenshot: ss4.png]
  7. Go to Policies > Security to view the Security policies applied for communicating from L3-DMZ to L3-Trust.
    [Screenshot: ss5.png]
  8. Go to Policies > NAT to view the NAT policy that lets the host 11.11.11.11 behind subinterface Ethernet 1/6.11 communicate with the host 10.10.10.10 behind subinterface Ethernet 1/6.10.
    [Screenshot: ss6.png]
With the above configuration, the host 10.10.10.10 (behind subinterface Ethernet 1/6.10) can ping host 11.11.11.11 (behind Ethernet 1/6.11) and the other way around.
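As an added example (not part of the original post or of PAN-OS itself), the following Python model walks through what steps 4 to 8 configure: map each host to its untagged subinterface, derive the source and destination zones, apply the security rules with the PAN-OS implicit defaults (intrazone allow, interzone deny), and apply source NAT. The subinterface addresses, the 12.12.12.0/24 subnet behind eth1/6.12, and translating the source to the egress subinterface address are assumptions.

```python
import ipaddress

# Constructed model of the post's layout. Subinterface addresses and the
# eth1/6.12 subnet are assumptions; the post only names the two hosts.
SUBINTERFACES = {
    "ethernet1/6.10": {"zone": "L3-Trust", "ip": "10.10.10.1/24"},
    "ethernet1/6.11": {"zone": "L3-DMZ",   "ip": "11.11.11.1/24"},
    "ethernet1/6.12": {"zone": "L3-Trust", "ip": "12.12.12.1/24"},
}

# Security rules as (from_zone, to_zone, action); first match wins.
SECURITY_RULES = [
    ("L3-Trust", "L3-DMZ", "allow"),   # step 5
    ("L3-DMZ", "L3-Trust", "allow"),   # step 7
]

# NAT rules as (from_zone, to_zone): the source address is translated to the
# egress subinterface address (assumed dynamic-IP-and-port to interface).
NAT_RULES = [("L3-Trust", "L3-DMZ"), ("L3-DMZ", "L3-Trust")]  # steps 6 and 8


def lookup_interface(host):
    """Return (name, entry) of the subinterface whose subnet contains host."""
    addr = ipaddress.ip_address(host)
    for name, entry in SUBINTERFACES.items():
        if addr in ipaddress.ip_interface(entry["ip"]).network:
            return name, entry
    raise ValueError(f"no route for {host}")


def evaluate(src, dst, security_rules=SECURITY_RULES, nat_rules=NAT_RULES):
    """Simulate zone lookup, security policy and source NAT for one new flow."""
    in_name, in_if = lookup_interface(src)
    out_name, out_if = lookup_interface(dst)
    from_zone, to_zone = in_if["zone"], out_if["zone"]
    action = next((a for f, t, a in security_rules
                   if (f, t) == (from_zone, to_zone)), None)
    if action is None:
        # PAN-OS implicit defaults: intrazone allowed, interzone denied.
        action = "allow" if from_zone == to_zone else "deny"
    translated = src
    if action == "allow" and (from_zone, to_zone) in nat_rules:
        translated = str(ipaddress.ip_interface(out_if["ip"]).ip)
    return {"from_zone": from_zone, "to_zone": to_zone, "ingress": in_name,
            "egress": out_name, "action": action, "translated_src": translated}
```

Running `evaluate` with only the first security and NAT rule shows why steps 7 and 8 are needed: a new session started from the DMZ side falls through to the interzone default and is denied.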
