>
    Strata Copilot
    Configure a Layer 2 Interface, Subinterface, and VLAN
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Configure Interfaces
    4. Layer 2 Interfaces
    5. Configure a Layer 2 Interface, Subinterface, and VLAN
    Download PDF
    Next-Generation Firewall

    Configure a Layer 2 Interface, Subinterface, and VLAN

    Table of Contents

    Configure a Layer 2 Interface, Subinterface, and VLAN

    Configure a Layer2 interface, subinterface, and VLAN for Layer2 switching and traffic separation among VLANs.
    Where Can I Use This?What Do I Need?
    • NGFW
    One of these licenses when using Strata Cloud Manager:
    • Strata Cloud Manager Essentials
    • Strata Cloud Manager Pro
    When your organization wants to divide a LAN into separate virtual LANs (VLANs) to keep traffic and policies for different departments separate, you can logically group Layer 2 hosts into VLANs and thus divide a Layer 2 network segment into broadcast domains. For example, you can create VLANs for the Finance and Engineering departments. To do so, configure a Layer 2 interface, subinterface, and VLAN.
    The firewall acts as a switch to forward a frame with an Ethernet header containing a VLAN ID, and the destination interface must have a subinterface with that VLAN ID in order to receive that frame and forward it to the host. You configure a Layer 2 interface on the firewall and configure one or more logical subinterfaces for the interface, each with a VLAN tag (ID).
    In the following figure, the firewall has four Layer 2 interfaces that connect to Layer 2 hosts belonging to different departments within an organization. Ethernet interface 1/3 is configured with subinterface .1 (tagged with VLAN 10) and subinterface .2 (tagged with VLAN 20), thus there are two broadcast domains on that segment. Hosts in VLAN 10 belong to Finance; hosts in VLAN 20 belong to Engineering.
    In this example, the host at MAC address 0A-76-F2-60-EA-83 sends a frame with VLAN ID 10 to the firewall, which the firewall broadcasts to its other L2 interfaces. Ethernet interface 1/3 accepts the frame because it’s connected to the host with destination 0C-71-D4-E6-13-44 and its subinterface .1 is assigned VLAN 10. Ethernet interface 1/3 forwards the frame to the Finance host.
    Configure a Layer 2 interface with VLANs when you want Layer 2 switching and traffic separation among VLANs. You can optionally control non-IP protocols between security zones on a Layer 2 interface or between interfaces within a single zone on a Layer 2 VLAN.

    Configure a Layer 2 Interface, Subinterface, and VLAN (PAN-OS)

    Procedure for configuring a layer 2 interface, subinterface, and VLAN in PAN-OS and Panroama.
    1. Configure a Layer 2 interface and subinterface and assign a VLAN ID.
      1. Select NetworkInterfacesEthernet and select an interface. The Interface Name is fixed, such as ethernet1/1.
      2. For Interface Type, select Layer2.
      3. Select the Config tab.
      4. For VLAN, leave the setting None.
      5. Assign the interface to a Security Zone or create a New Zone.
      6. Click OK.
      7. With the Ethernet interface highlighted, click Add Subinterface.
      8. The Interface Name remains fixed. After the period, enter the subinterface number, in the range 1 to 9,999.
      9. Enter a VLAN Tag ID in the range 1 to 4,094.
      10. Assign the subinterface to a Security Zone.
      11. Click OK.
    2. Commit.
    3. (Optional) Apply a Zone Protection profile with protocol protection to control non-IP protocol packets between Layer 2 zones (or between interfaces within a Layer 2 zone).
      Configure Protocol Protection.

    Configure a Layer 2 Interface, Subinterface, and VLAN (SCM)

    Procedure for configuring a Layer 2 Interface, Subinterface, and VLAN in Strata Cloud Manager.
    1. Configure a Layer 2 Interface
    2. Add the subinterface. Select (check) the interface you created and Add Sub Interface.
      You can configure a Sub Interface (Layer 2) or a Sub Interface (Layer 3). Before you configure the subinterface, review the zone you want to associate the subinterface with. The interface type and zone interface type must match.
      • Folders and Snippets—Select (check) the interface you created and select Add InterfaceAdd Sub Interface.
      • Firewalls—Select (check) the interface you created and select AddAdd Sub Interface.
    3. Enter the Interface Name.
      The subinterface name is a numeric suffix of the interface that you selected. Supported interface names values are 1—4094.
    4. Enter the VLAN Tag (1—4094).
      For ease of use, use the same number as a numeric suffix for the Interface Name.
    5. (Optional) Enter a Description.
    6. (Folders and Snippets for a Layer 3 subinterface only; Optional) Assign the interface to a Logical Router.
      See Configure a Logical Router for more information.
      Selecting a global router will prompt a message asking if you want to override and remove the inherited objects. Click Yes to confirm.
    7. (Folders and Snippets only; Optional) Assign the subinterface to a Zone.
      Create New to create a new zone. See Zone Protection and DoS Protection for more information.
      Selecting an inherited zone overrides the previous settings and removes any inherited objects. Any changes made to the global folder are no longer inherited in a top-down manner. A message appears, indicating that the interface settings will be overridden and the inherited objects from the parent folder will be removed on all firewalls. When you save your changes, a confirmation message appears. If you confirm, the zone is overridden.
    8. (Layer 3 subinterface only) Configure subinterface IP settings.
      1. Select the interface IP Type.
      • Static IPv4 Address.
        Add the IPv4 IP addresses for the interface.
      • Activate the DHCP Client on the subinterface.
        See Configure an Interface as a DHCPv4 Client for more information on configuring the subinterface as a DHCP client.
    9. Save.
    10. Push Config to push your configuration changes.
    11. Configure a VLAN.
      VLANs support Layer 2 interfaces only.
    12. Enter the Interface Name.
      By default, all VLANs are prefixed with vlan.
    13. (Optional) Enter a Description.
    14. (Folders and Snippets only; Optional) Assign the VLAN to a Logical Router.
      See Configure a Logical Router for more information.
      Selecting a global router will prompt a message asking if you want to override and remove the inherited objects. Click Yes to confirm.
    15. (Folders and Snippets only; Optional) Assign the interface to a Zone.
      Create New to create a new zone. See Zone Protection and DoS Protection for more information.
      Selecting an inherited zone overrides the previous settings and removes any inherited objects. Any changes made to the global folder are no longer inherited in a top-down manner. A message appears, indicating that the interface settings will be overridden and the inherited objects from the parent folder will be removed on all firewalls. When you save your changes, a confirmation message appears. If you confirm, the zone is overridden.
    16. Add the Layer 2 Ethernet Interfaces you created in the previous step.
    17. Configure the VLAN IP settings.
      1. Select the VLAN IP Type.
      • Static IPv4 Address.
        Add the IPv4 IP addresses for the interfaces in the VLAN.
      • Activate the DHCP Client on the VLAN.
        See Configure an Interface as a DHCPv4 Client for more information on configuring the VLAN as a DHCP client.
    18. Save.
    19. Push Config to push your configuration changes.

    © 2025 Palo Alto Networks, Inc. All rights reserved.