Screen OS

Okay, here is what I am trying to accomplish:

I have an SSG-5 with interfaces 0/2-0/5 in a bridge group. Interface 0/2 connects to a Wireless Access Point with one SSID in the native vlan and another (guest) SSID using vlan 20 for a tag. I have created subinterface bgroup0.1 using vlan 20. All of this works.

I also have interface 0/6 connected to a dumb (not vlan aware) switch.

What I would like to accomplish is to make interface 0/6 an access port on vlan 20 and have all of its members talk on vlan 20 but not on the native vlan.

How can I best accomplish this? My initial thought was to join ethernet 0/6 to bgroup0.1 but it is only allowing me to bind ports on bgroup0. Suggestions?

-

Cablemanchris

Hi,

You can simply add e0/6 to bgroup0. Then, any traffic hitting 0/6 with tag=20 will be considered as a part of bgroup0.

But, I see that 0/6 is connected to a dumb switch, so traffic reaching e0/6 will not have any VLAN tag, am I right?

If that is the case, that won't work. The firewall needs incoming traffic to come with a TAG, to identify it as belonging to a sub-interface domain (say e0/6.20 or bg0.20). If there is no tag, then it will be considered to be traffic for the physical interface (e0/6) and dropped.

That is what I am running into. Thank you for the attempt tho...

I was hoping for something along the lines of:

interface ethernet 0/6 mode switchport access vlan 20

Feature request?

I ran into this same limitation.  I ended up deploying an managed switch at the site so we could do the necessary vlan bridging upstream of the SSG.