Configure a Layer 2 Interface, Subinterface, and VLAN
Configure a Layer 2 interface, subinterface, and VLAN for Layer 2 switching and traffic separation among VLANs.
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
When your organization wants to divide a LAN into separate virtual LANs (VLANs) to keep traffic and policies for different departments separate, you can logically group Layer 2 hosts into VLANs and thus divide a Layer 2 network segment into broadcast domains. For example, you can create VLANs for the Finance and Engineering departments. To do so, configure a Layer 2 interface, subinterface, and VLAN.
The firewall acts as a switch to forward a frame with an Ethernet header containing a VLAN ID, and the destination interface must have a subinterface with that VLAN ID in order to receive that frame and forward it to the host. You configure a Layer 2 interface on the firewall and configure one or more logical subinterfaces for the interface, each with a VLAN tag (ID).
In the following figure, the firewall has four Layer 2 interfaces that connect to Layer 2 hosts belonging to different departments within an organization. Ethernet interface 1/3 is configured with subinterface .1 (tagged with VLAN 10) and subinterface .2 (tagged with VLAN 20), thus there are two broadcast domains on that segment. Hosts in VLAN 10 belong to Finance; hosts in VLAN 20 belong to Engineering.
In this example, the host at MAC address 0A-76-F2-60-EA-83 sends a frame with VLAN ID 10 to the firewall, which the firewall broadcasts to its other L2 interfaces. Ethernet interface 1/3 accepts the frame because it’s connected to the host with destination 0C-71-D4-E6-13-44 and its subinterface .1 is assigned VLAN 10. Ethernet interface 1/3 forwards the frame to the Finance host.
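The forwarding decision described above, as an added model that is not part of the PAN-OS documentation: it parses the 802.1Q tag of a frame and floods it to the other interfaces, where only a subinterface carrying the matching VLAN tag accepts it. The topology and the ingress port (ethernet1/1) are assumptions; the MAC addresses and the VLAN 10/20 subinterfaces on ethernet1/3 come from the text.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed topology modelled on the figure: ethernet1/3 carries the two tagged
# subinterfaces named in the text; the other ports are plain Layer 2 interfaces.
TOPOLOGY = {
    "ethernet1/1": {},
    "ethernet1/2": {},
    "ethernet1/3": {"ethernet1/3.1": 10, "ethernet1/3.2": 20},
    "ethernet1/4": {},
}

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split("-"))

def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)

def build_frame(dst, src, vlan_id, ethertype=0x0800, payload=b""):
    """Tagged Ethernet header: dst, src, TPID, TCI (PCP=0, DEI=0, VID), inner EtherType."""
    tci = vlan_id & 0x0FFF
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan_id or None); the VLAN ID is read from the tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan = tci & 0x0FFF  # VLAN ID is the low 12 bits of the TCI
    return mac_str(dst), mac_str(src), vlan

def forward(frame, ingress, topology=TOPOLOGY):
    """Flood to every other interface; a tagged frame is accepted only by subinterfaces whose
    VLAN tag matches. Untagged frames go to the parent interfaces (a simplification here)."""
    _, _, vlan = parse_frame(frame)
    egress = []
    for iface, subifs in topology.items():
        if iface == ingress:
            continue
        if vlan is None:
            egress.append(iface)
        else:
            egress.extend(sub for sub, tag in subifs.items() if tag == vlan)
    return egress
```

A frame tagged with a VLAN that no subinterface carries is flooded but accepted nowhere, which is the broadcast-domain boundary the text describes.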
Configure a Layer 2 interface with VLANs when you want Layer 2 switching and traffic separation among VLANs. You can optionally control non-IP protocols between security zones on a Layer 2 interface or between interfaces within a single zone on a Layer 2 VLAN.
  1. Configure a Layer 2 interface and subinterface and assign a VLAN ID.
    1. Select Network > Interfaces > Ethernet and select an interface. The Interface Name is fixed, such as ethernet1/1.
    2. For Interface Type, select Layer2.
    3. Select the Config tab.
    4. For VLAN, leave the setting None.
    5. Assign the interface to a Security Zone or create a New Zone.
    6. Click OK.
    7. With the Ethernet interface highlighted, click Add Subinterface.
    8. The Interface Name remains fixed. After the period, enter the subinterface number, in the range 1 to 9,999.
    9. Enter a VLAN Tag ID in the range 1 to 4,094.
    10. Assign the subinterface to a Security Zone.
    11. Click OK.
  2. Commit.
  3. (Optional) Apply a Zone Protection profile with protocol protection to control non-IP protocol packets between Layer 2 zones (or between interfaces within a Layer 2 zone).