ScreenOS Firewalls (NOT SRX)
mma3

NetScreen -- vlan retagging

Hi All,

I am experiencing some problems configuring a NetScreen 5200 FW (ScreenOS 6.2.0r3a.0) to act as a "vlan-retagger".

I consider only a one-to-one vlan mapping and I do not need to have multiple vsys.

Does anyone know if there is documentation that addresses this issue?

I have already checked the user guide. Unfortunately, the examples (in chapter 3, on pages 71, 72 and 73) seem to be incomplete.

I would appreciate any help ;(

Many thanks in advance.

rgds

--

arizvi

Re: NetScreen -- vlan retagging

VLAN retagging is only supported in Transparent Mode.

Unfortunately I am unable to find the complete doc with an example, but I think it is good to start with that doc.

Thanks

Atif

mma3

Re: NetScreen -- vlan retagging

Hi,

Thank you Atif for your presence...

I have "partially" fixed this issue...

Both FW ports are running in Transparent Mode.

Below is a partial view of my lab topology:

 

                            +------------+
 towards L3SW (port A) <----|   ns5200   |----> towards L3SW (port B)
                            +------------+

L3SW is my layer 3 switch.

 

When I configure the remote ports of my L3SW as "trunk links" ---> it does not work.

When I configure these remote ports in "access mode" ---> it works.

The thing is that I need to configure these links as "trunk" because I will use multiple VLANs over each physical link.

So the question is: how do I put the local ports (of the FW) in "trunk mode"?

I already tried the command "set interface vlan1 vlan trunk", but it was rejected by the FW. Below is the output:

 

    ns5200-> set interface vlan1 vlan trunk
    can't set vlan trunk if there is any user define vlanID set
    ns5200->

Any idea?

Thank you in advance :smileywink:

rgds

--

arizvi

Re: NetScreen -- vlan retagging

A VLAN can be either the trunk or the retagger, not both at the same time.

Can you please confirm that you are trying to use both at the same time?

 

Thanks

Atif

mma3

Re: NetScreen -- vlan retagging

Hi,

You are right Atif. I am using the FW as a "vlan retagger", but on the other hand I need to configure the remote ports (on my L3SW) as "trunk links" because I need to send multiple VLANs on each physical port.

This is why I have tried to use the command "set interface vlan1 vlan trunk".

 

I don't know if a NetScreen device (running in Transparent Mode and acting as a "vlan retagger") can handle multiple VLANs on the same physical ports. If it is possible to do such a configuration, could you advise how?

Many thanks in advance :smileysad:

rgds

--

arizvi
Re: NetScreen -- vlan retagging

The firewall can be used as the trunk or as the VLAN retagger, and cannot be used as both at the same time.

 

Thanks

Atif

mma3

Re: NetScreen -- vlan retagging

Thank you (very much) Atif for your help :smileyhappy:

 

The situation is clear now.

Have a nice weekend.

rgds

--

arizvi
Re: NetScreen -- vlan retagging

Good.

 

Thanks

Atif

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

mma3

Re: NetScreen -- vlan retagging

Hi Atif,

 

I am sorry to ask you again... but just to be sure!

I want to avoid any confusion about the term "trunk"...

ethernet2/1 <---[ns5200]---> ethernet2/2

 

I have the following:

 - both ports e2/1 & e2/2 are running in Transparent mode (they belong to 2 different Layer 2 security zones)

 - I have configured the FW to act as a vlan-retagger between VLAN a (present on e2/1) and VLAN b (present on e2/2)

 

My question is:

 - Is it true that:

    + if I keep both interfaces running in Transparent mode (ports assigned to Layer 2 security zones), then

    + if I add VLAN c (on e2/1) and VLAN d (on e2/2) --> I can not do vlan-retagging anymore?

Would you confirm this assertion?

 

Many thanks in advance.

rgds

--
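To make the one-to-one mapping discussed in this thread concrete, here is an added example (it is not from the original thread and not Juniper's ScreenOS code) that models what a transparent-mode VLAN retagger does to 802.1Q frames passing between two ports, A and B, and what happens to frames on a VLAN that has no entry in the retag table (the "VLAN c / VLAN d on the same trunk" case from the last post). The VLAN IDs, port names, MAC addresses and frame bytes are all constructed for the example. The thread does not say what ScreenOS itself does with an unmapped VLAN; dropping such frames instead of forwarding them untouched between two Layer 2 security zones is this example's own choice.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800    # payload type used in the constructed frames

# Constructed MAC addresses for the example (not taken from the thread).
HOST_A = bytes.fromhex("020000000a01")
HOST_B = bytes.fromhex("020000000b01")


def build_frame(dst, src, vid, payload, pcp=0, dei=0):
    """Build a single-tagged 802.1Q Ethernet frame (without FCS)."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_tag(frame):
    """Return (pcp, dei, vid) for a tagged frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    if len(frame) < 16:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


class VlanRetagger:
    """One-to-one VID translation between two L2 ports, "A" and "B".

    Frames whose VID has no entry in the table (or that carry no tag) are
    dropped and recorded. That is this example's choice for the VLAN c /
    VLAN d case; the thread does not state what ScreenOS does with them.
    """

    def __init__(self, a_to_b):
        if len(set(a_to_b.values())) != len(a_to_b):
            raise ValueError("retag table must be one-to-one")
        self.a_to_b = dict(a_to_b)
        self.b_to_a = {b: a for a, b in a_to_b.items()}
        self.dropped = []  # (ingress_port, vid or None for untagged)

    def forward(self, ingress, frame):
        """Return (egress_port, retagged_frame), or None if the frame is dropped."""
        if ingress == "A":
            table, egress = self.a_to_b, "B"
        elif ingress == "B":
            table, egress = self.b_to_a, "A"
        else:
            raise ValueError("unknown port")
        tag = parse_tag(frame)
        if tag is None or tag[2] not in table:
            self.dropped.append((ingress, None if tag is None else tag[2]))
            return None
        pcp, dei, vid = tag
        new_tci = (pcp << 13) | (dei << 12) | table[vid]  # keep PCP/DEI, swap only the VID
        return egress, frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def demo():
    """Scenario from the thread with constructed IDs: VLAN 10 on e2/1 <-> VLAN 20 on e2/2."""
    fw = VlanRetagger({10: 20})
    results = {}
    # VLAN a -> VLAN b, priority bits carried across unchanged
    out = fw.forward("A", build_frame(HOST_B, HOST_A, 10, b"hello from A", pcp=5))
    results["a_to_b"] = (out[0], parse_tag(out[1]))
    # VLAN b -> VLAN a uses the inverted table
    out = fw.forward("B", build_frame(HOST_A, HOST_B, 20, b"hello from B"))
    results["b_to_a"] = (out[0], parse_tag(out[1]))
    # VLAN c arriving on the same trunk: no mapping, so it is dropped rather than leaked
    results["vlan_c"] = fw.forward("A", build_frame(HOST_B, HOST_A, 30, b"stray"))
    results["dropped"] = list(fw.dropped)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the drop list is the security-relevant one for a device sitting between two Layer 2 zones: once a second VLAN is trunked over the same physical link, every frame on it is either translated by an explicit table entry or it must not cross the box at all; there is no third outcome in a one-to-one retagger.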

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.