Hi,

You cannot pass the vlan tags across your firewall.

The purpose of the 802.1q support is to allow the firewall to connect to multiple subnets over 1 physical connection. After that it's Layer 3 only through the firewall policy.

Gavrilo

What is the recommended approach then, if I have more vlans than there are interface to output?

thanks,

touruni

You can connect a single port on the firewall to a trunk port on the switch and pass both vlans across the connection.  In this scenario the firewall port does not have any ip information or zone.  You create sub-interfaces to have a tagged trunk port on the firewall and then create matching vlans on the connected switch port.

Note that vlan1 is reserved for the device management only and cannot be used as a processed vlan.

The notes below assume SceeenOS version 6.  I'm not sure if the syntax or functions are different in version 5.4 software.

For example if the interface is ethernet0/1

Prepare the connecting interface by removing any existing zone and ip address.

unset int ethernet0/1 ip
unset int ethernet0/1 zone

create your two vlan zones
set zone name vlan10
set zone name vlan20

create the sub-interfaces for your trunk port
set interface ethernet0/1.1 tag 10 zone vlan10
set interface ethernet0/1.2 tag 20 zone vlan20
set interface ethernet0/1.1 ip 10.0.10.1/24
set interface ethernet0/1.2 ip 10.0.20.1/24

Reference

Concepts and examples guide Volume 10 Virtual systems

http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html

Chapter 3

Defining Sub-interfaces and vlan tags

spuluka,

Thanks! I'll look into that!

touruni