ScreenOS Firewalls (NOT SRX)

JamesG (Regular Visitor, Posts: 6, Registered: 08-21-2008)

multiple vlans single interface (screenos v 6.1)

ScreenOS V 6.1
ISG 1000

How do you create multiple VLANs (subinterfaces) on the trust side (ScreenOS v6.1)? What if you want to create a trunk interface along with multiple subinterfaces?

Like in Cisco, we do:


interface f2/0

interface f2/0.1
 encapsulation dot1q 100
 ip address 10.10.1.1 255.255.255.248

interface f2/0.2
 encapsulation dot1q 101
 ip address 10.10.2.1 255.255.255.248


What if you want to create the same multiple interfaces along with inter-VLAN routing on NetScreen ScreenOS version 6.1?

traceoptions (Recognized Expert, Posts: 152, Registered: 04-29-2008)

Re: multiple vlans single interface (screenos v 6.1)


I have an SSG550 with subinterfaces on it for VLAN isolation.

For your config it would be the following.


set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/1.1" tag 100 zone "Trust"
set interface "ethernet0/1.1" ip 10.10.1.1/29
set interface "ethernet0/1.1" route
set interface "ethernet0/1.2" tag 101 zone "Trust"
set interface "ethernet0/1.2" ip 10.10.2.1/29
set interface "ethernet0/1.2" route
save


The e0/1 interface itself can be addressed without a tag, and it would be treated as a native VLAN in the Cisco world. If you want to use tagged interfaces all the way through you can as well and leave the trunk bundled.

The only other possible gotcha is if intrazone blocking is turned on with your trust zone. You can check this by typing:


get zone trust
Zone name: Trust, id: 2, type: Security(L3), vsys: Root, vrouter:trust-vr
Intra-zone block: on, attrib: Non-shared, flag:0x6208


The second line states that intrazone blocking is on. So as traffic passes between interfaces within the trust zone, a policy must be applied to allow the traffic. You either need to create a policy, or disable intrazone blocking for the trust zone.

unset zone trust block
save

Hope this helps


Message Edited by shadow on 09-03-2008 07:36 PM
JNCIE-ENT #424 JNCIP-SEC, JNCI @traceoptions

**If this worked for you please flag my post as an Accepted Solution so others can benefit.**
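As an added example (not code from either post or from Juniper), here is a small Python checker that reads the ScreenOS "set interface" lines and the "get zone trust" output in the format shown in the answer above. It flags two mistakes that are easy to make when adding subinterfaces (a VLAN tag reused on the same parent interface, and overlapping subinterface subnets) and reports whether intrazone blocking means inter-VLAN traffic inside the Trust zone will be dropped until a policy exists or "unset zone trust block" is applied. The sample config and zone output are constructed for the example; a third subinterface is added deliberately so both checks have something to report.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the subinterface configuration from the answer above, plus a
# third subinterface added deliberately so both checks below have something to flag.
SAMPLE_CONFIG = """\
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/1.1" tag 100 zone "Trust"
set interface "ethernet0/1.1" ip 10.10.1.1/29
set interface "ethernet0/1.1" route
set interface "ethernet0/1.2" tag 101 zone "Trust"
set interface "ethernet0/1.2" ip 10.10.2.1/29
set interface "ethernet0/1.2" route
set interface "ethernet0/1.3" tag 101 zone "Trust"
set interface "ethernet0/1.3" ip 10.10.2.4/29
"""

# Constructed sample of "get zone trust" output, in the format the answer shows.
SAMPLE_ZONE_OUTPUT = """\
Zone name: Trust, id: 2, type: Security(L3), vsys: Root, vrouter:trust-vr
Intra-zone block: on, attrib: Non-shared, flag:0x6208
"""

SET_IFACE = re.compile(r'^set interface "([^"]+)"\s*(.*)$')


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect tag, ip and zone per interface from 'set interface' lines."""
    ifaces: Dict[str, dict] = {}
    for line in config.splitlines():
        m = SET_IFACE.match(line.strip())
        if not m:
            continue  # not a 'set interface' line (e.g. 'save')
        name, rest = m.groups()
        entry = ifaces.setdefault(name, {"tag": None, "ip": None, "zone": None})
        if tag := re.search(r"\btag (\d+)", rest):
            entry["tag"] = int(tag.group(1))
        if zone := re.search(r'\bzone "([^"]+)"', rest):
            entry["zone"] = zone.group(1)
        if ip := re.search(r"\bip (\S+)", rest):
            entry["ip"] = ipaddress.ip_interface(ip.group(1))
    return ifaces


def find_problems(ifaces: Dict[str, dict]) -> List[str]:
    """Flag VLAN tags reused on one parent and overlapping subinterface subnets."""
    problems: List[str] = []
    tag_owner: Dict[tuple, str] = {}
    for name, e in ifaces.items():
        if "." in name and e["tag"] is not None:
            parent = name.split(".", 1)[0]
            key = (parent, e["tag"])
            if key in tag_owner:
                problems.append(f"{name} reuses tag {e['tag']} already on {tag_owner[key]}")
            else:
                tag_owner[key] = name
    addressed = [(n, e["ip"].network) for n, e in ifaces.items() if e["ip"] is not None]
    for i, (n1, net1) in enumerate(addressed):
        for n2, net2 in addressed[i + 1:]:
            if net1.overlaps(net2):
                problems.append(f"{n1} ({net1}) overlaps {n2} ({net2})")
    return problems


def intrazone_block_on(zone_output: str) -> Optional[bool]:
    """Read the 'Intra-zone block' flag from 'get zone <name>' output; None if absent."""
    m = re.search(r"Intra-zone block:\s*(on|off)", zone_output)
    return None if m is None else m.group(1) == "on"


def inter_vlan_needs_policy(ifaces: Dict[str, dict], zone_output: str, zone: str = "Trust") -> bool:
    """True when two or more addressed interfaces sit in the zone and blocking is on,
    i.e. traffic between those VLANs is dropped until a policy exists
    (or 'unset zone trust block' is applied)."""
    members = [n for n, e in ifaces.items()
               if e["ip"] is not None and (e["zone"] or "").lower() == zone.lower()]
    return len(members) >= 2 and intrazone_block_on(zone_output) is True


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for p in find_problems(parsed):
        print("problem:", p)
    if inter_vlan_needs_policy(parsed, SAMPLE_ZONE_OUTPUT):
        print("intrazone blocking is on: add a Trust->Trust policy or unset zone trust block")
```

The checks are deliberately conservative: a missing "Intra-zone block" line yields None rather than a guess, so a truncated "get zone" capture is not silently read as "off".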