Converting L2V to VLAN Trunking (NSM Procedure)

When the VLAN interface is set to Trunk mode, the root system operates in VLAN Trunk mode and L2V is disabled for the device. While in VLAN Trunk mode, all L2V functionality is unsupported: you cannot import VLAN IDs to vsys devices, and you cannot create VLAN groups in the root or in a vsys.

To change a neutral root system to VLAN Trunk mode, in the device navigation tree, select Network > Interfaces, and then double-click the vlan1 interface. In the General Properties interface screen, select Vlan Trunk. To disable VLAN Trunk mode, clear the Vlan Trunk option (the device returns to neutral).

To change an L2V root device to VLAN Trunk mode, you must first delete VLAN IDs that were imported to vsys devices and VLAN groups in the root and vsys devices.

Note: To confirm that the device is in neutral mode, ensure that the root system does not contain a VLAN group, no VLAN IDs have been exported to a vsys device, vlan1 exists in the root system only, and that the VLAN trunk mode is disabled.

In this example, you configure a NetScreen-5200 security device in L2V mode and the vsys “music.” The music vsys shares the music-untrust zone with the root system. You must import the VLANs to a vsys before they can be tagged. Figure 4 shows the single-port L2V configuration.

Figure 4: Example Single Port L2V Configuration

  1. Add a NetScreen-5000 line security device in Transparent mode, running ScreenOS 5.0 L2V, as the root system, and then configure the network module:
    • Double-click the device to open the device configuration. In the device navigation tree, select Network > Slot.
    • Double-click slot 2 to display the slot configuration dialog box. For Card Type, select 5000-8G SPM.
    • Click OK to save the slot configuration.
    • Create the vsys music. In the Device Manager, select Security Devices, and then double-click the vsys music to open the vsys configuration.
  2. Create two custom Layer 2 zones on the vsys music:
    • In the vsys configuration tree, select Network > Zones. Click the Add icon and select Security Zone. Configure the zone name as music-trust, and then click OK.
    • In the vsys configuration tree, select Network > Zones. Click the Add icon and select Security Zone. Configure the zone name as music-untrust, and then click OK.
  3. Import VLAN IDs from the root system to the vsys music:
    • In the vsys navigation tree, select Network > Vlan > Import.
    • Click the Add icon to display the New VLAN Import Entry. Configure the following settings, and then click OK:
        • For Vlan ID Begin, enter 100.
        • For Vlan ID End, enter 199.
        • For Comments, enter music vlans.
    • Create a VLAN group on the vsys music. In the vsys navigation tree, select Network > Vlan > Group, and then click the Add icon to display the New VLAN Group Entry. Configure the following setting:
        • For Vlan Group Name, enter it_music.
  4. In the Setting Vlan Group area, click the Add icon to display the New Vlan Group Range. Configure the following settings, and then click OK:
    • For Start Vlan ID, enter 100.
    • For End Vlan ID, enter 199.
  5. In the Binding Vlan Group to Port and Zone area, click the Add icon to display the New Vlan Group Port Settings. Configure the following settings, and then click OK.
    • For Interface, select ethernet2/5.
    • For Zone, select music-trust.
  6. In the Binding Vlan Group to Port and Zone area, click the Add icon to display the New Vlan Group Port Settings. Configure the following settings, and then click OK.
    • For Interface, select ethernet2/1.
    • For Zone, select music-untrust.
    • Create a management interface for vsys music:
        • In the vsys navigation tree, select Network > Interfaces, and then click the Add icon and select VLAN Interface.
  7. Configure the following General Properties:
    • For Name, enter 199 (name appears as vlan199).
    • For Zone, select vlan.
    • For IP Address/Netmask, enter 1.0.1.199/24.
    • Clear the Manageable check box.
    • In the interface navigation tree, select Service Options. Select Telnet, Ping, and Web, and then click OK.
  8. Configure zone firewall rules in a security policy for vsys music. First, create a rule that permits HTTP traffic from music-untrust to music-trust:
    • For From zone, select music-untrust.
    • For Source Address, select any.
    • For To zone, select music-trust.
    • For Destination Address, select any.
    • For Service, select HTTP.
    • For Action, select Permit.
    • For Install On, right-click and select Select Target. In the Select Target Devices list, select vsys music, and then click OK.
  9. Create a rule that denies all traffic from music-untrust to music-trust:
    • For From zone, select music-untrust.
    • For Source Address, select any.
    • For To zone, select music-trust.
    • For Destination Address, select any.
    • For Service, select any.
    • For Action, select Deny.
    • For Install On, right-click and select Select Target. In the Select Target Devices list, select vsys music, and then click OK.
  10. Create a rule that permits all traffic from music-trust to music-untrust:
    • For From zone, select music-trust.
    • For Source Address, select any.
    • For To zone, select music-untrust.
    • For Destination Address, select any.
    • For Service, select any.
    • For Action, select Permit.
    • For Install On, right-click and select Select Target. In the Select Target Devices list, select vsys music, and then click OK.
  11. From the menu bar, select File > Assign Policy. In the Assign Policy to Devices list, select vsys music, and then click OK.
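As an added example (not NSM or ScreenOS code), the following Python models the vsys music configuration built in steps 3 through 10 and checks three things the procedure depends on: the neutral-mode preconditions from the note above, that the it_music group range lies inside the range imported to the vsys, and first-match ordering of the three policy rules (the permit-HTTP rule must precede the deny-all rule). All class and function names are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model (not ScreenOS data structures): one policy rule, one vsys, the root system.
Rule = namedtuple("Rule", "src_zone dst_zone service action")   # service "HTTP"/"any", action "Permit"/"Deny"
Root = namedtuple("Root", "vlan_groups has_vlan1 vlan_trunk vsys")

@dataclass
class Vsys:
    name: str
    imported: Optional[Tuple[int, int]]                    # VLAN ID range imported from root
    groups: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    policy: List[Rule] = field(default_factory=list)

def neutral_mode_blockers(root: Root) -> List[str]:
    """Everything that must be cleared before the root can be switched to VLAN Trunk mode."""
    out = [f"root still has VLAN group(s): {root.vlan_groups}"] if root.vlan_groups else []
    for v in root.vsys:
        if v.imported:
            out.append(f"VLAN IDs {v.imported} still imported to vsys {v.name}")
        if v.groups:
            out.append(f"vsys {v.name} still has VLAN group(s): {list(v.groups)}")
    if not root.has_vlan1:
        out.append("vlan1 missing from root system")
    if root.vlan_trunk:
        out.append("VLAN trunk mode already enabled")
    return out

def group_range_errors(v: Vsys) -> List[str]:
    """A vsys VLAN group may only tag IDs that were imported to that vsys."""
    lo, hi = v.imported or (0, -1)          # nothing imported: every group is an error
    return [f"group {g} {rng} not inside imported {v.imported}"
            for g, rng in v.groups.items() if rng[0] > rng[1] or rng[0] < lo or rng[1] > hi]

def first_match(policy: List[Rule], src: str, dst: str, service: str) -> Optional[str]:
    """Rules are evaluated top-down; the first matching rule decides the action."""
    for r in policy:
        if (r.src_zone, r.dst_zone) == (src, dst) and r.service in ("any", service):
            return r.action
    return None                             # no explicit rule for this zone pair and service

# Constructed instance of the vsys "music" as built in steps 3-10.
MUSIC = Vsys("music", (100, 199), {"it_music": (100, 199)}, [
    Rule("music-untrust", "music-trust", "HTTP", "Permit"),
    Rule("music-untrust", "music-trust", "any", "Deny"),
    Rule("music-trust", "music-untrust", "any", "Permit"),
])
ROOT = Root(vlan_groups=[], has_vlan1=True, vlan_trunk=False, vsys=[MUSIC])
```

Running `neutral_mode_blockers(ROOT)` on the L2V configuration lists the import and group that must be deleted before Vlan Trunk can be selected; once they are gone it returns an empty list.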
