Untagged Subinterfaces (L3)
PAN-OS 4.0 introduced a new form of layer 3 subinterface known as an untagged subinterface. Untagged subinterfaces are used in multi-tenant environments where each tenant's traffic must leave the firewall without VLAN tags. Consider one example where each tenant's traffic egresses the firewall where the next hop is an ISP router. It is not always possible to apply a VLAN tag on the return traffic for proper classification into a virtual system by the firewall. In these cases, an untagged subinterface can be used on the ISP-router facing side.
Each untagged subinterface will have an IP address and all outgoing traffic from each tenant will be source NAT'd to that interface IP address. An explicit NAT rule must be created for this feature to function. Source NAT is required on the untagged subinterfaces because the firewall will use the destination IP address on inbound (return path) packets to select the appropriate virtual system for policy lookup. Any traffic received on the parent interface that isn't destined for one of the untagged subinterface IPs will be handled by the virtual system and virtual router assigned to that parent interface.
- Enable untagged subinterfaces by selecting the "Untagged subinterface" checkbox on the physical interface to which the subinterfaces will belong.
- Create subinterfaces on the ISP-facing physical interface.
- Create source NAT rules (dynamic IP and port) in the tenant's virtual system to translate all outgoing packets to the interface address on the untagged subinterface.