Screen OS

Hello all,

Currently one of our firewalls is configured to have an active interface in a bgroup0. I need to assign VLANs to this interface using a sub interface. It appears that this is not possible when the interface is assigned in a bridge group.

It is a bit unclear why the interface is in the bridge group. Is this maybe something that is there by default? The problem is that I need to be sure that the bgroup is not required for some functionality and secondly how can I migrate this out of the brigde group with the least amount of downtime.

Thanks

Several ScreenOS F/W's come with a default configuration that includes bgroup0. Just remove the specific interface(s) you want from the bgroup - done under the "bind port" tab of the I/F config. Totally fine to do so. No downtime required.

Ass mutt said, this started to be the default configuration on the smaller units such as the SSG5.  Simply remove the interface you would like to use from the bgroup and it is fully configurable by itself.  No loss in functionality or downtime.

Well, it was easy, but there was downtime. When you remove the interface from the bgroup the network settings are saved to the bgroup and not the interface. This means that from the moment you remove the interface, it becomes unavailable. At that moment you need to set the zone for the bgroup to NULL and the interface IP to 0.0.0.0 to free up the IP. When this is done you need to set the configuration back to the interface port that you removed from the bgroup. The policies and other objects do stay without any changes. Still for someone that wants to do this, be aware the the interface will be unavailable during the configuration phase (2-3 minutes).

The bgroup indeed did not provided any added value for what I needed. Thanks.

For your info. Case closed 🙂