Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Example: Configuring a Subinterface (NSM Procedure)

 

A subinterface, like a physical interface, is a doorway through which traffic enters and exits a security zone. You can logically divide a physical interface into several virtual subinterfaces, each of which borrows the bandwidth it needs from the physical interface. Subinterfaces use names that indicate their physical interface, such as ethernet3/2.1 or ethernet2.1.

You can create three types of subinterfaces:

  • None (for ScreenOS 5.0 devices only)—The subinterface does not use VLAN tagging.

  • Tagged interface (VLAN)—Using VLAN tagging, the subinterface distinguishes between traffic bound for it from traffic bound for other interfaces. For details on configuring VLAN tagging, see Example: Routing Traffic to Vsys Using VLAN IDs (NSM Procedure).

  • Encapsulated (for ScreenOS 5.1 and later devices only)—Using encapsulation, you can create a PPPoE subinterface that does not use VLAN tagging. PPPoE subinterfaces enable the device to handle multiple PPPoE sessions over one physical interface.

    Note

    The number of PPPoE sessions per physical interface is determined by the security device platform. For information about configuring multiple PPPoE instances on one interface, see About Configuring PPPoE.

You can create a subinterface on any physical interface in the root system or virtual system, and you can bind a subinterface to the same zone as its physical interface or to a different zone. However, the IP address of a subinterface must be in a different subnet from the IP addresses of all other physical interfaces and subinterfaces.

In this example, you create a subinterface for the Trust zone in the root system. You configure the subinterface on ethernet1, which is bound to the Trust zone. You bind the subinterface to a user-defined zone named “ accounting,” which is in the trust-vr. You assign it subinterface ID 3, IP address 10.2.1.1/24, and VLAN tag ID 3. The interface mode is NAT.

To configure a subinterface:

  1. Add a device.

  2. Configure a new zone:

    • Double-click the device icon to open the device configuration. In the device navigation tree, select Network > Zone.

    • Click the Add icon and select Security Zone. The General Properties Screen appears.

  3. Configure the following options, and then click OK:

    • For Name, enter accounting.

    • For Virtual Router, select trust-vr.

  4. Configure the subinterface:

    • In the device navigation tree, select Network > Interface.

    • Click the Add icon and select Sub Interface. The General Properties screen appears.

  5. Configure the following options, and then click OK:

    • For Name, select ethernet1, and then select 3.

    • For VLAN tag, enter 3.

    • For Zone, select accounting.

    • For IP Address/Netmask, enter 10.2.1.1/24.

    • Ensure that Manageability is enabled.

    • Ensure that the Management IP is 10.2.1.1.

    • For Interface Mode, select NAT.

  6. Click OK to save your changes to the device.