ScreenOS Firewalls (NOT SRX)

Multiple VLAN's at one Interface/Zone

04-09-2009 02:40 AM

Hey there,

I'm new to ISG firewalls and need some help now. We have the ISG2000 with the following interfaces configured: 1/2 (zone LAN) and 2/1 (zone company-x). The network of company-x is separated into 4 VLANs which should come over with a trunk. We have to set up each VLAN with its own policy for the access to our LAN zone.

Is that possible in some way? How can I build a trunk through the ISG on that interface, and how can I set up each VLAN which terminates on one single interface with its own policies? Meaning, how can I create more detailed policies, not only from zone to zone? We need access with different policies for each VLAN in another zone.

Any help appreciated!

best regards

4 REPLIES

Re: Multiple VLAN's at one Interface/Zone

04-09-2009 03:10 AM
Hi, you create subinterfaces on the customer side with VLAN tagging. The subinterface can be in zones independent from the physical interface. So for each VLAN you create a subint, in the right zone. This way you configure a trunk with separated policies.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Re: Multiple VLAN's at one Interface/Zone

04-09-2009 03:32 AM

Thanks for your answer!

That means I have to create four subinterfaces on the company-x zone on my ISG. First of all I need to check if the firewall on the other side (which is not under my control) is able to tag the VLANs.

When creating policies, I only see options to configure "from zone X to zone Y", but how can I configure the single VLANs at this point and give them their own policy? Can I choose the subinterface under "Address book entry" then?

BR


Re: Multiple VLAN's at one Interface/Zone

04-09-2009 03:52 AM
No, actually for a good split you create four user-defined zones and create the subint in these. Then you use these zones in your policies. If you want source natting you have to do this in the policy; only trust to untrust has default source natting. Click on advanced settings in the policy and select source NAT "hide behind egress interface" for this.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

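What the advice above looks like as ScreenOS CLI, added here as an illustration and not taken from the thread: two of the four VLANs are shown, and the interface name (ethernet2/1, the OP's customer-facing port), VLAN IDs, zone names, IP addresses, servers and services are all assumptions.

```screenos
# Assumed: the company-x trunk arrives on ethernet2/1 carrying VLANs 10 and 20;
# the ISG holds the gateway address of each VLAN; our servers sit in zone "LAN".
# One user-defined zone per VLAN, so every VLAN gets its own zone pair and policies.
set zone name "cx-vlan10"
set zone name "cx-vlan20"

# Tagged subinterfaces on the physical customer-facing port, each bound to its own
# zone rather than to the zone of the parent interface.
set interface ethernet2/1.10 tag 10 zone "cx-vlan10"
set interface ethernet2/1.10 ip 10.10.10.1/24
set interface ethernet2/1.20 tag 20 zone "cx-vlan20"
set interface ethernet2/1.20 ip 10.10.20.1/24

# Address book entries (zone, name, prefix) that the policies reference.
set address "cx-vlan10" "cx-vlan10-net" 10.10.10.0/24
set address "cx-vlan20" "cx-vlan20-net" 10.10.20.0/24
set address "LAN" "lan-web" 192.168.1.10/32
set address "LAN" "lan-ftp" 192.168.1.20/32

# Per-VLAN policies. "nat src" hides the source behind the egress interface;
# that is only the default for Trust -> Untrust, so it is set explicitly here.
set policy from "cx-vlan10" to "LAN" "cx-vlan10-net" "lan-web" "HTTP" nat src permit log
set policy from "cx-vlan20" to "LAN" "cx-vlan20-net" "lan-ftp" "FTP" nat src permit log

# Anything else from a customer VLAN is dropped and logged, one rule per zone pair,
# so each VLAN's reachable set is visible and auditable in its own policy list.
set policy from "cx-vlan10" to "LAN" "Any" "Any" "ANY" deny log
set policy from "cx-vlan20" to "LAN" "Any" "Any" "ANY" deny log
```

The other side of the trunk must send 802.1Q tags 10 and 20, and the subinterface IPs must match the gateway the customer VLANs use, or traffic never reaches the zones and the policies are never evaluated.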

Re: Multiple VLAN's at one Interface/Zone

04-09-2009 04:07 AM

Great, thanks a lot for your help!

I'll try to do this as you advised!