Layer 2 Vsys Configuration Overview

A security device in the NetScreen 5000 line running ScreenOS 5.0-L2V supports virtual systems in Transparent mode, in which the device functions much like a Layer 2 switch or bridge. The device groups packets to or from a unique vsys based on the VLAN tag in the packet header, applies the security policy for that vsys to the packets, and then sends permitted packets through the device without modifying them.
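The VLAN-tag classification described above, sketched as an added example (not NetScreen or NSM code): it reads the 802.1Q VLAN ID from a frame and looks up the vsys that owns it. The vsys names, VLAN IDs, and the `None` result for untagged or unmapped frames are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

# Constructed mapping: VLAN IDs imported from the root system into each vsys.
# The vsys names and VLAN IDs are illustrative assumptions.
VSYS_VLANS = {"vsys-a": {10, 11}, "vsys-b": {20}}


def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits; the top 4 bits are priority and DEI


def classify(frame: bytes, vsys_vlans=VSYS_VLANS):
    """Return the vsys that owns the frame's VLAN ID, or None.

    None covers untagged frames and VLAN IDs that no vsys has imported;
    how the device treats those is outside this sketch.
    """
    vid = vlan_id(frame)
    if vid is None:
        return None
    owners = [name for name, ids in vsys_vlans.items() if vid in ids]
    if len(owners) > 1:
        # A VLAN ID must identify exactly one vsys for policy lookup.
        raise ValueError(f"VLAN {vid} is mapped to more than one vsys")
    return owners[0] if owners else None


def tagged_frame(vid: int, pcp: int = 0) -> bytes:
    """Build a constructed test frame: dst MAC, src MAC, 802.1Q tag, IPv4 type."""
    macs = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tci = (pcp << 13) | (vid & 0x0FFF)
    return macs + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + b"\x00" * 46
```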

When you first add a security device in the NetScreen 5000 line running ScreenOS 5.0-L2V to NSM, the device is in neutral mode, meaning that neither L2V nor VLAN trunk mode is configured on the device. To confirm that the device is in neutral mode, ensure that the root system does not contain a VLAN group, that no VLAN IDs have been exported to a vsys device, that vlan1 exists in the root system only, and that VLAN trunk mode is disabled.

To enable L2V on a neutral root system, you must:

  1. Import VLAN IDs from the root system to vsys.
  2. Create a VLAN group (in the root system or vsys) and assign that group to a physical port and zone.

When L2V is enabled, you cannot configure VLAN trunk mode (the option is disabled). For information about how to change an L2V root system to VLAN trunk mode, see Converting L2V to VLAN Trunking (NSM Procedure).
