Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

L2V Interface Management in NSM Overview


In the root system, you can bind any interface to an L2 zone. If the zone is shared with vsys, the interface also becomes shared with vsys. You cannot import or export interfaces between root and vsys, and you cannot assign an IP address to an interface (except the VLAN management interfaces).

In the root system, you can create VLAN management interfaces and aggregate interfaces. At the vsys level, you can only create VLAN management interfaces. The topic includes the following:

Configuring L2V VLAN Management Interfaces

The root system contains a predefined VLAN management interface (vlan1) that is bound to the VLAN zone. You can configure this interface as you would a normal security interface, for example, assign the interface an IP address, configure DHCP, or configure monitoring.

For each vsys that you want to manage, you must create the VLAN management interface on the vsys, and then bind the interface to the VLAN zone. Because each VLAN interface uses a VLAN ID, you must have previously imported VLAN IDs from a root system before creating the VLAN interface on a vsys device. For example, before you create vlan.3 management interface on a vsys, you must import the VLAN ID 3 from the root system.

For both root and vsys, the VLAN interface name is the VLAN ID for the interface. To add multiple management interfaces, bind each interface to the VLAN zone and assign each interface a unique vlan name (vlan1, vlan2, vlan3, and so on; acceptable range is 2-4094 only in Transparent mode). When assigning IP address to each interface, ensure that the IP subnets for all interfaces do not overlap.

Configuring L2V Aggregate Interfaces

You can create aggregate interfaces in the root system to increase available bandwidth. An aggregate interface must be bound to an L2 zone (cannot be bound to the VLAN zone) and can be shared with vsys. Although you can manage this interface, you cannot assign an IP address. Additionally, if you bind a regular interface to an L2 aggregate interface, you cannot select the zone for the regular interface. You cannot create aggregate interfaces at the vsys level.

The 8G Secure Port Module (SPM) supports two ASICs; ports ethernet2/1 through ethernet2/4 use one ASIC, and ports ethernet2/5 through ethernet2/8 use the other. You must configure aggregate interfaces in pairs, starting with port ethernet2/1.

Table 1: L2V Aggregate Interfaces

Aggregate Interface



ethernet2/1 and ethernet2/2


ethernet2/3 and ethernet2/4


ethernet2/5 and ethernet2/6


ethernet2/7 and ethernet2/8

The 8G2 Secure Port Module (SPM) supports a maximum of two 4-port aggregate interfaces, four trusted and four untrusted. Assigning the VLANs to an aggregate interface provides a traffic bandwidth of 2 Gbps in each direction, with a maximum of 4 Gbps for bidirectional traffic per Application-Specific Integrated Circuit (ASIC). You must configure aggregate interfaces in pairs, starting with port ethernet2/1, as shown in Table 2.

Table 2: 8G2 SPM and the 5000M2 Management Module




ethernet2/1, ethernet2/2, ethernet2/3, and ethernet2/4


ethernet2/5, ethernet2/6, ethernet2/7, and ethernet2/8