How to Configure L3 Untagged Subinterfaces to Communicate within Different Zones

Overview

This document provides steps on how to configure Layer 3 untagged subinterfaces.

Steps

1. Go to Network > Interfaces.
2. Select a physical interface.
3. Enable Untagged Subinterface.

   The untagged L3 subinterfaces are designed to work without ip-address on the physical device.

   

4. Create Untagged subinterfaces and assign them a different virtual router and zone.

   The following screenshot shows three L3 subinterfaces configured eth1/6.10, eth1/6.11, and eth1/6.12:

   

   • Subinterface Interface: Ethernet 1/6.10 is assigned a zone L3-Trust
   • Subinterface Interface: Ethernet 1/6.11 is assigned a zone L3-DMZ
   • Subinterface Interface: Ethernet 1/6.12 is assigned a zone L3-Trust
5. Go to Policies > Security to view Security policies for communicating from L3-Trust to L3-DMZ.

   

6. All outgoing traffic from each tenant is source NAT'ed to the subinterface IP address.  Go to Policies > NAT to view the NAT policy for the host 10.10.10.10 behind the subinterface Ethernet 1/6.10 to communicate to host 11.11.11.11 behind subinterface Ethernet 1/6.11.

   

7. Go to Policies > Security to view the Security policies applied for communicating from L3-DMZ to L3-Trust.

   

8. Go to Policies > NAT to view the NAT policy for the host 11.11.11.11 behind the subinterface Ehternet 1/6.11 to communicate to host 10.10.10.10 behind subinterface Ethernet 1/6.10.

   

With the above configuration, the host 10.10.10.10 (behind subinterface Ethernet 1/6.10) can ping host 11.11.11.11 (behind Etherent 1/6.11) and the other way around.

owner: ppatel