{"id":1302,"date":"2026-01-28T15:33:47","date_gmt":"2026-01-28T20:33:47","guid":{"rendered":"https:\/\/pressbooks.bccampus.ca\/paloalto\/?post_type=chapter&p=1302"},"modified":"2026-02-19T15:36:04","modified_gmt":"2026-02-19T20:36:04","slug":"subinterfaces-and-vlans","status":"publish","type":"chapter","link":"https:\/\/pressbooks.bccampus.ca\/paloalto\/chapter\/subinterfaces-and-vlans\/","title":{"raw":"2.5 SubInterfaces and Vlans","rendered":"2.5 SubInterfaces and Vlans"},"content":{"raw":"
\r\n

Learning Objectives<\/p>\r\n\r\n<\/header>\r\n

\r\n
    \r\n \t
  • Identify sub interface in Palo Alto<\/li>\r\n \t
  • Configure sub Interfaces<\/li>\r\n \t
  • Separate the traffic in different Vlans<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n\r\n[caption id=\"attachment_1305\" align=\"aligncenter\" width=\"1125\"]\"\" Figure 2.60: Main scenario[\/caption]\r\n\r\n \r\n
    \r\n\r\n\r\n\r\n\r\n\r\n\r\n
    Table 2.14: IP Addresses list<\/caption>\r\n
    Device<\/strong><\/td>\r\nConfiguration<\/strong><\/td>\r\n<\/tr>\r\n
    Palo Alto<\/td>\r\nEthernet 1\/1: DHCP Client \u2013 Type: Layer3\r\n\r\nEthernet 1\/2: \u2013 Type: Layer3\r\n\r\nManagement: 192.168.1.1\/24\u2013 Type: Layer3<\/td>\r\n<\/tr>\r\n
    WebTerm1-Management<\/td>\r\n192.168.1.2\/24<\/td>\r\n<\/tr>\r\n
    WebTerm2-Vlan6<\/td>\r\nIPV4: 10.6.6.25\/24 \u00a0 GW: 10.6.6.1\u00a0 DNS: 8.8.8.8<\/td>\r\n<\/tr>\r\n
    WebTerm3-Vlan10<\/td>\r\nIPV4: 10.10.10.28\/24 \u00a0 GW: 10.10.10.1\u00a0 DNS: 8.8.8.8<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\nTo Add subinterfaces, first select Ethernet 1\/ 2 as a Layer 3 and then select Ethernet1\/ 2> Add Subinterface:\r\n
    \r\n\r\n\r\n\r\n\r\n\r\n
    Table 2.15: SubInterfaces<\/caption>\r\n
    InterfaceName<\/strong><\/td>\r\nTag<\/strong><\/td>\r\nVirtual Router<\/strong><\/td>\r\nSecurity Zone<\/strong><\/td>\r\nIPV4<\/strong><\/td>\r\n<\/tr>\r\n
    Ethernet1\/2<\/td>\r\n-<\/td>\r\nDefault<\/td>\r\n-<\/td>\r\n-<\/td>\r\n<\/tr>\r\n
    Ethernet 1 \/2.6<\/td>\r\n6<\/td>\r\nDefault<\/td>\r\nGuest<\/td>\r\n10.6.6.1\/24<\/td>\r\n<\/tr>\r\n
    Ethernet 1\/2.10<\/td>\r\n10<\/td>\r\nDefault<\/td>\r\nSecure<\/td>\r\n10.10.10.1\/24<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n\r\n[caption id=\"attachment_1311\" align=\"aligncenter\" width=\"822\"]\"\" Figure 2.61: Sub-interfaces[\/caption]\r\n\r\n \r\n
    \r\n\r\n\r\n\r\n\r\n\r\n
    Table 2.16: Zones<\/caption>\r\n
    Parameters<\/strong><\/td>\r\nValue<\/strong><\/td>\r\n<\/tr>\r\n
    Guest<\/td>\r\nEthernet 1 \/2.6<\/td>\r\n<\/tr>\r\n
    Secure<\/td>\r\nEthernet 1\/2.10<\/td>\r\n<\/tr>\r\n
    Outside<\/td>\r\nEthernet 1\/1<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n \r\n\r\nRight click on the Switch> Configure<\/strong>, delete all interfaces except eth0,eth1 and eth 2 and configure the interfaces as below:\r\n
    \r\n\r\n\r\n\r\n\r\n\r\n
    Table 2.17: Switch ports list<\/caption>\r\n
    Port<\/strong><\/td>\r\nVlan<\/strong><\/td>\r\nType<\/strong><\/td>\r\n<\/tr>\r\n
    0<\/td>\r\n1<\/td>\r\nDot1q<\/td>\r\n<\/tr>\r\n
    1<\/td>\r\n6<\/td>\r\nAccess<\/td>\r\n<\/tr>\r\n
    2<\/td>\r\n10<\/td>\r\nAccess<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n\r\n[caption id=\"attachment_1308\" align=\"aligncenter\" width=\"686\"]\"\" Figure 2.62: Switch configuration[\/caption]\r\n\r\n1. In Palo Alto, create a default route 0.0.0.0 0.0.0.0 [Default Gateway]\r\n\r\n[caption id=\"attachment_1313\" align=\"aligncenter\" width=\"595\"]\"\" Figure 2.63: static route[\/caption]\r\n\r\n2. Create a Source NAT from Guest to Outside.\r\n\r\n[caption id=\"attachment_1314\" align=\"aligncenter\" width=\"797\"]\"\" Figure 2.64: Source NAT- From Guest to outside[\/caption]\r\n\r\n[caption id=\"attachment_1315\" align=\"aligncenter\" width=\"1020\"]\"\" Figure 2.65: Source NAT- setting Translated IP[\/caption]\r\n\r\n3. Create a Policy from Guest to Outside. Only DNS, Web-browsing, dns-over-https and SSL applications should be allowed.\r\n\r\n[caption id=\"attachment_1316\" align=\"aligncenter\" width=\"1001\"]\"\" Figure 2.66: Set a policy from Guest to Outside[\/caption]\r\n\r\n4. Verify your configuration in Vlan 6. You shouldn\u2019t be able to ping 8.8.8.8. You should be able to reach Talebi.ca.\r\n\r\n[caption id=\"attachment_1324\" align=\"aligncenter\" width=\"952\"]\"\" Figure 2.67: Verify configuration[\/caption]\r\n\r\n5. Create a Source NAT from Secure to Outside\r\n\r\n[caption id=\"attachment_1318\" align=\"aligncenter\" width=\"714\"]\"\" Figure 2.68: Source NAT- Secure to outside zone[\/caption]\r\n\r\n[caption id=\"attachment_1319\" align=\"aligncenter\" width=\"715\"]\"\" Figure 2.69: Source NAT- Translated IP packet[\/caption]\r\n\r\n6. Create a Policy from Secure to Outside. Only Ping,DNS, YouTube, Goolge-base applications should be allowed.\r\n\r\n[caption id=\"attachment_1320\" align=\"aligncenter\" width=\"863\"]\"\" Figure 2.70: Create a policy from Secure to outside zone[\/caption]\r\n\r\n7. Verify your configuration in Vlan 10. You should be able to ping 8.8.8.8. You should be able to reach YouTube.com\r\n\r\n[caption id=\"attachment_1323\" align=\"aligncenter\" width=\"997\"]\"\" Figure 2.71: Verify configuration[\/caption]\r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n \r\n\r\n ","rendered":"
    \n
    \n

    Learning Objectives<\/p>\n<\/header>\n

    \n
      \n
    • Identify sub interface in Palo Alto<\/li>\n
    • Configure sub Interfaces<\/li>\n
    • Separate the traffic in different Vlans<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
      \"\"
      Figure 2.60: Main scenario<\/figcaption><\/figure>\n

       <\/p>\n

      \n\n\n\n\n\n\n\n
      Table 2.14: IP Addresses list<\/caption>\n
      Device<\/strong><\/td>\nConfiguration<\/strong><\/td>\n<\/tr>\n
      Palo Alto<\/td>\nEthernet 1\/1: DHCP Client \u2013 Type: Layer3<\/p>\n

      Ethernet 1\/2: \u2013 Type: Layer3<\/p>\n

      Management: 192.168.1.1\/24\u2013 Type: Layer3<\/td>\n<\/tr>\n

      WebTerm1-Management<\/td>\n192.168.1.2\/24<\/td>\n<\/tr>\n
      WebTerm2-Vlan6<\/td>\nIPV4: 10.6.6.25\/24 \u00a0 GW: 10.6.6.1\u00a0 DNS: 8.8.8.8<\/td>\n<\/tr>\n
      WebTerm3-Vlan10<\/td>\nIPV4: 10.10.10.28\/24 \u00a0 GW: 10.10.10.1\u00a0 DNS: 8.8.8.8<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

      To Add subinterfaces, first select Ethernet 1\/ 2 as a Layer 3 and then select Ethernet1\/ 2> Add Subinterface:<\/p>\n

      \n\n\n\n\n\n\n
      Table 2.15: SubInterfaces<\/caption>\n
      InterfaceName<\/strong><\/td>\nTag<\/strong><\/td>\nVirtual Router<\/strong><\/td>\nSecurity Zone<\/strong><\/td>\nIPV4<\/strong><\/td>\n<\/tr>\n
      Ethernet1\/2<\/td>\n–<\/td>\nDefault<\/td>\n–<\/td>\n–<\/td>\n<\/tr>\n
      Ethernet 1 \/2.6<\/td>\n6<\/td>\nDefault<\/td>\nGuest<\/td>\n10.6.6.1\/24<\/td>\n<\/tr>\n
      Ethernet 1\/2.10<\/td>\n10<\/td>\nDefault<\/td>\nSecure<\/td>\n10.10.10.1\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
      \"\"
      Figure 2.61: Sub-interfaces<\/figcaption><\/figure>\n

       <\/p>\n

      \n\n\n\n\n\n\n
      Table 2.16: Zones<\/caption>\n
      Parameters<\/strong><\/td>\nValue<\/strong><\/td>\n<\/tr>\n
      Guest<\/td>\nEthernet 1 \/2.6<\/td>\n<\/tr>\n
      Secure<\/td>\nEthernet 1\/2.10<\/td>\n<\/tr>\n
      Outside<\/td>\nEthernet 1\/1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

       <\/p>\n

      Right click on the Switch> Configure<\/strong>, delete all interfaces except eth0,eth1 and eth 2 and configure the interfaces as below:<\/p>\n

      \n\n\n\n\n\n\n
      Table 2.17: Switch ports list<\/caption>\n
      Port<\/strong><\/td>\nVlan<\/strong><\/td>\nType<\/strong><\/td>\n<\/tr>\n
      0<\/td>\n1<\/td>\nDot1q<\/td>\n<\/tr>\n
      1<\/td>\n6<\/td>\nAccess<\/td>\n<\/tr>\n
      2<\/td>\n10<\/td>\nAccess<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
      \"\"
      Figure 2.62: Switch configuration<\/figcaption><\/figure>\n

      1. In Palo Alto, create a default route 0.0.0.0 0.0.0.0 [Default Gateway]<\/p>\n

      \"\"
      Figure 2.63: static route<\/figcaption><\/figure>\n

      2. Create a Source NAT from Guest to Outside.<\/p>\n

      \"\"
      Figure 2.64: Source NAT- From Guest to outside<\/figcaption><\/figure>\n
      \"\"
      Figure 2.65: Source NAT- setting Translated IP<\/figcaption><\/figure>\n

      3. Create a Policy from Guest to Outside. Only DNS, Web-browsing, dns-over-https and SSL applications should be allowed.<\/p>\n

      \"\"
      Figure 2.66: Set a policy from Guest to Outside<\/figcaption><\/figure>\n

      4. Verify your configuration in Vlan 6. You shouldn\u2019t be able to ping 8.8.8.8. You should be able to reach Talebi.ca.<\/p>\n

      \"\"
      Figure 2.67: Verify configuration<\/figcaption><\/figure>\n

      5. Create a Source NAT from Secure to Outside<\/p>\n

      \"\"
      Figure 2.68: Source NAT- Secure to outside zone<\/figcaption><\/figure>\n
      \"\"
      Figure 2.69: Source NAT- Translated IP packet<\/figcaption><\/figure>\n

      6. Create a Policy from Secure to Outside. Only Ping,DNS, YouTube, Goolge-base applications should be allowed.<\/p>\n

      \"\"
      Figure 2.70: Create a policy from Secure to outside zone<\/figcaption><\/figure>\n

      7. Verify your configuration in Vlan 10. You should be able to ping 8.8.8.8. You should be able to reach YouTube.com<\/p>\n

      \"\"
      Figure 2.71: Verify configuration<\/figcaption><\/figure>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n

       <\/p>\n","protected":false},"author":1562,"menu_order":5,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-1302","chapter","type-chapter","status-publish","hentry"],"part":115,"_links":{"self":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/users\/1562"}],"version-history":[{"count":16,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1302\/revisions"}],"predecessor-version":[{"id":1330,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1302\/revisions\/1330"}],"part":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/115"}],"metadata":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1302\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=1302"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=1302"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=1302"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/license?post=1302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}