ScreenOS Firewalls (NOT SRX)

NetScreen -- vlan retagging

09-01-2009 05:41 AM

Hi All,

I am experiencing some problems configuring a NetScreen 5200 FW (ScreenOS=6.2.0r3a.0) to act as a "vlan-retagger".

I consider only a one-to-one vlan mapping and I do not need to have multiple vsys.

Does someone know if there is documentation that addresses this issue?

I have already checked the user guide. Unfortunately, the examples (in chapter 3, on pages 71, 72 and 73) seem to be incomplete.

I would appreciate any help ;(

 

many thanks in advance.

 

rgds

--

 


Re: NetScreen -- vlan retagging

09-01-2009 12:18 PM

VLAN retagging is only supported in Transparent Mode.

Unfortunately I am unable to find the complete doc with the example, but I think it is good to start with that doc.

 

Thanks

Atif


Re: NetScreen -- vlan retagging

09-02-2009 07:06 AM

Hi,

 

thank you Atif for your presence...

I have fixed "partially" this issue...

 

both FW ports are running in Transparent Mode.

below is a partial view of my lab topology:

 

                                        +------------+
 towards L3SW (port A)   <------------- |   ns5200   | ------------->  towards L3SW (port B)
                                        +------------+

 

L3SW is my layer 3 switch

 

when configuring the remote ports of my L3SW  as "trunk links" ---> it does not work

when I configure these remote ports in "access mode" ---> it works

 

the thing is that I need to configure these links as "trunk" because I will use multiple vlans over each physical link

so the question is: how to put local ports (of the FW) in "trunk mode" ?

I already tried the command "set interface vlan1 vlan trunk", but it was rejected by the FW. Below is the output:

 

ns5200-> set interface vlan1 vlan trunk
can't set vlan trunk if there is any user define vlanID set
ns5200->

 

any idea ?

 

thank you in advance

 

rgds

--

 

 


Re: NetScreen -- vlan retagging

09-02-2009 10:29 AM

A VLAN can be either the trunk or the retagger, not both at the same time.

Can you please confirm that you are trying to use both at the same time ?

 

Thanks

Atif


Re: NetScreen -- vlan retagging

09-02-2009 10:22 PM

Hi,

 

you are right Atif. I am using the FW as a "vlan retagger", but on the other hand I need to configure the remote ports (on my L3SW) as "trunk links" because I need to send multiple vlans on each physical port.

this is why I have tried to use the command "set interface vlan1 vlan trunk".

 

I don't know if a NetScreen device (running in Transparent Mode and acting as a "vlan retagger") can handle multiple vlans on the same physical ports. If it is possible to do such a configuration, could you advise how?

 

many thanks in advance

 

rgds

--


Re: NetScreen -- vlan retagging

09-03-2009 11:47 AM

The firewall can be used as the trunk or as the VLAN retagger, and cannot be used as both at the same time.

 

Thanks

Atif


Re: NetScreen -- vlan retagging

09-03-2009 01:26 PM

Thank you (very much) Atif for your help

 

situation is clear now

 

Have a nice week-end.

 

rgds

--


Re: NetScreen -- vlan retagging

09-03-2009 01:30 PM

Good.

 

Thanks

Atif

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

 


Re: NetScreen -- vlan retagging

09-04-2009 01:21 AM

Hi Atif,

 

I am sorry Atif to ask you again... but just to be sure!

I want to avoid any confusion about the term "trunk"...

 

 

ethernet2/1 <---[ns5200] ---> ethernet2/2

 

I have the following :

 - both ports e2/1 & e2/2 are running in Transparent mode (they belong to 2 different Layer 2 security zones)

 - I have configured the FW to act as a vlan-retagger between VLAN a (present on e2/1) and VLAN b (present on e2/2)

 

my question is:

 - Is it true that:

    + If I keep both interfaces running in Transparent mode (ports affected to Layer 2 security zones), then

    + If I add VLAN c (on e2/1)  and VLAN d (on e2/2) --> I can not do vlan-retagging anymore ?

 

Could you confirm this assertion?

 

Many thanks in advance.

 

 rgds

--
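To make the distinction discussed in this thread concrete, below is an added Python model of a one-to-one VLAN retagger sitting between two transparent-mode ports. It is illustrative code written for this page, not ScreenOS code or configuration, and the port names ("ethernet2/1", "ethernet2/2"), VLAN IDs and sample frames are constructed. It shows that a tagged frame whose VLAN has a mapping entry is rewritten and forwarded out the other port with its priority bits intact, while a frame carrying a VLAN with no mapping entry (the extra VLANs c and d a trunk would carry) has no path through a one-to-one retagger and is dropped by this model.

```python
"""Model of one-to-one 802.1Q VLAN retagging between two transparent-mode ports.

Added illustration, not ScreenOS code or configuration. All frames, port
names and VLAN IDs below are constructed sample input.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(dst, src, vlan_id_value, ethertype, payload, pcp=0):
    """Build a tagged Ethernet frame: dst | src | TPID | TCI | ethertype | payload."""
    tci = (pcp << 13) | (vlan_id_value & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def vlan_id(frame):
    """Return the VLAN ID of a tagged frame, or None if the frame is untagged."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry an 802.1Q tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF


def pcp(frame):
    """Return the 3-bit priority (PCP) of a tagged frame, or None if untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci >> 13 if tpid == TPID_8021Q else None


def retag(frame, mapping):
    """Rewrite the VLAN ID according to a one-to-one mapping.

    Returns the rewritten frame, or None when the frame is untagged or its
    VLAN has no entry in the mapping (the retagger does not forward it).
    PCP and DEI bits in the TCI are preserved.
    """
    vid = vlan_id(frame)
    if vid is None or vid not in mapping:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    new_tci = (tci & 0xF000) | (mapping[vid] & 0x0FFF)
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


class Retagger:
    """Two-port transparent bridge that retags VLAN a <-> VLAN b (hypothetical port names)."""

    def __init__(self, port_a, port_b, vlan_a, vlan_b):
        self.ports = (port_a, port_b)
        # one-to-one mapping in each direction; nothing else is forwarded
        self.map_from = {
            port_a: {vlan_a: vlan_b},
            port_b: {vlan_b: vlan_a},
        }

    def forward(self, ingress, frame):
        """Return (egress_port, retagged_frame), or None if the frame is dropped."""
        if ingress not in self.ports:
            raise ValueError("unknown port")
        out = retag(frame, self.map_from[ingress])
        if out is None:
            return None
        egress = self.ports[1] if ingress == self.ports[0] else self.ports[0]
        return egress, out


def demo():
    """Run three constructed frames through the model and return the outcomes."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200c0ffee01")
    bridge = Retagger("ethernet2/1", "ethernet2/2", vlan_a=10, vlan_b=20)
    payload = b"\x45" + b"\x00" * 19
    f_a = build_frame(dst, src, 10, 0x0800, payload, pcp=5)  # VLAN a, mapped
    f_c = build_frame(dst, src, 30, 0x0800, payload)         # VLAN c, unmapped
    f_b = build_frame(dst, src, 20, 0x0800, payload)         # VLAN b, reverse direction
    return {
        "mapped": bridge.forward("ethernet2/1", f_a),
        "unmapped": bridge.forward("ethernet2/1", f_c),
        "reverse": bridge.forward("ethernet2/2", f_b),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "dropped" if r is None else (r[0], vlan_id(r[1]), pcp(r[1])))
```

Running the block prints that the VLAN 10 frame leaves ethernet2/2 as VLAN 20 with PCP 5, the VLAN 20 frame leaves ethernet2/1 as VLAN 10, and the VLAN 30 frame is dropped; the drop is the reason a one-to-one retagger and a multi-VLAN trunk on the same port do not combine in this model.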