07-11-2012 09:50 PM
We have an SSG 320 in transparent mode. It needs to pass serveral different VLAN tags from the untrusted side to the trusted side. I've figured out how to do that with:
set interface vlan1 vlan trunk
However, once I put the firewall in place, I can no longer get to the VLAN1 interface for managment. I assume that's because I need to be tagging the traffic to/from the VLAN1 interface, but I don't know how to do that. I can't find a way to directly assign a VLAN tag to VLAN1, so I assume some kind of sub interface needs to be added, but I can't create "interface vlan1.600" which is the tag we'd need for the IP subnet assigned to the VLAN1 IP interface.
Any help on this would ge greatly appreciated. I'm sure it's something simple I'm missing.
07-12-2012 01:44 AM
I dont know if this is the same on the 320 as I have only set this up for VLANs on the 5, 20 and 140, however, it is achieved on these through the interface level as follows:-
1: Network / Interfaces / List
2: Top right hand corner there is a drop down list, choose Sub-if and click "New"
3: Interface name (Whatever the sub interface is (remember this has to be a sub of the main interface you are utilising)
4: Zone name (Whatever zone you are placing the interface in - important for the policy rules)
5: IP Address and netmask (Whatever your addresses and masks are)
6: VLAN Tag (This is where you place your vlan tag for the trunk)
Then complete the rest as you want to complete it.
Hope this helps, if not, say what else is causing problems.
07-12-2012 03:22 AM - edited 07-13-2012 02:35 AM
adgwytc lists the correct procedure but your issue is that the vlan1 interface is a special one just for managment access on the device. You cannot use this interface for transit traffic sub-interfaces.
You will create the sub-interfaces on the physical port that is connected to your switch trunk port.
Also note that the sub-interface number is NOT the vlan tag but just an internal number for screenOS to track them. They start a 1 and there is a limit on large this can be by device. The tag is explicitly configured as a separate parameter.
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6