
    Example: Routing Traffic to Vsys Using VLAN IDs (NSM Procedure)

    For the physical device to deliver traffic to the correct vsys, you must classify traffic either by VLAN ID (VID) at the vsys level or by IP address at the root level.

    When using VIDs for routing traffic to vsys, you create dedicated vsys subinterfaces with a VID; all traffic handled by a subinterface includes the subinterface’s VID in the frame header. The root system uses the VID to correctly route traffic to and from the subinterface.

    Note: A VLAN identifier is also known as a VLAN tag.

    A subinterface stems from a physical interface, which acts as a trunk port. A trunk port enables a Layer 2 network device to bundle traffic from several VLANs through a single physical port, sorting the various packets by the VID in their frame headers. VLAN trunking enables one physical interface to support multiple logical subinterfaces, each of which must be identified by a unique VID. The VID on an incoming Ethernet frame indicates the destination subinterface and system. When you associate a VLAN with an interface or subinterface, the device automatically defines the physical port as a trunk port.

    Using VLANs in Transparent Mode

    When the root device is in Transparent mode, you cannot use VLAN tagging at the vsys level (except when using L2V; for details, see Unresolved xref). However, you can configure subinterfaces and VLAN tagging at the root level by defining all physical ports as trunk ports. To do so, in the device navigation tree, select Network > Interfaces, and then double-click the VLAN-1 interface. In the General Properties interface screen, select Vlan Trunk.

    Note: The NetScreen 5000 line of security devices running ScreenOS 5.0 L2V supports vsys transparent mode, also known as Layer 2 vsys, or L2V vsys.

    In this example, you define three subinterfaces (10.1.1.1/24, 10.2.2.1/24, and 1.3.3.1/24) with VLAN tags on ethernet2/3 for the three virtual systems vsys1, vsys2, and vsys3. The first two subinterfaces are for two private virtual systems operating in NAT mode, and the third subinterface is for a public virtual system operating in Route mode. All virtual systems share the untrust zone and its interface with the root system. The untrust zone is in the untrust-vr routing domain. For vsys1 and vsys2, you use the default virtual router. For vsys3, you choose the sharable root-level untrust-vr.

    1. Add a NetScreen 5000 line security device running ScreenOS 5.2 as the root system, and then configure the network module:
      • Double-click the device to open the device configuration. In the device navigation tree, select Network > Slot.
      • Double-click slot 2 to display the slot configuration dialog box. For Card Type, select 5000-8G SPM.
      • Click OK to save the slot configuration.
    2. Add three vsys devices:
      • vsys1 and vsys2 use the default virtual router.
      • vsys3 uses the existing root-level untrust-vr virtual router.
    3. Create a subinterface for vsys1. In the NSM navigation tree, select Device Manager > Devices, and then double-click vsys1.
    4. In the device navigation tree, select Network > Interfaces. Click the Add icon and select Sub Interface.
    5. In the subinterface general properties, configure the following settings, and then click OK:
      • For Interface, select ethernet2/3.1.
      • For Sub Interface Type, select tag.
      • For VLAN tag, select 1.
      • For Zone, select trust-vsys1.
      • For IP Address and Netmask, enter 10.1.1.1/24.
    6. Create a subinterface for vsys2. In the NSM navigation tree, select Device Manager > Devices, and then double-click vsys2.
    7. In the device navigation tree, select Network > Interfaces. Click the Add icon and select Sub Interface.
    8. In the subinterface general properties, configure the following settings, and then click OK:
      • For Interface, select ethernet2/3.2.
      • For Sub Interface Type, select tag.
      • For VLAN tag, select 2.
      • For Zone, select trust-vsys2.
      • For IP Address and Netmask, enter 10.2.2.1/24.
    9. Create a subinterface for vsys3. In the NSM navigation tree, select Device Manager > Devices, and then double-click vsys3.
    10. In the device navigation tree, select Network > Interfaces. Click the Add icon and select Sub Interface.
    11. In the subinterface general properties, configure the following settings, and then click OK:
      • For Interface, select ethernet2/3.3.
      • For Sub Interface Type, select tag.
      • For VLAN tag, select 3.
      • For Zone, select trust-vsys3.
      • For IP Address and Netmask, enter 1.3.3.1/24.
      • For Mode, select Route.
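    Added example (not code from this page, from NSM, or from ScreenOS): the Python below models what the root system does with the subinterface table the procedure builds, and what the VID mechanism described earlier on this page means for tenant separation. It validates a constructed plan that mirrors the three subinterfaces above (VIDs unique on the trunk and inside the usable 1-4094 range, each zone bound to its own vsys, addresses well formed) and then classifies constructed 802.1Q frames by VID, handing each frame to the owning vsys and refusing untagged, priority-tagged (VID 0), and unknown-VID frames instead of defaulting them to any vsys. The MAC addresses, the frame bytes, the zone-naming convention check, and the SubInterface record are assumptions made for this demonstration.

```python
"""Constructed model of VID-based classification of frames to vsys.

Added example for this page; not NSM or ScreenOS code. The plan mirrors the
subinterfaces from the procedure (ethernet2/3.1-.3, VIDs 1-3); MAC addresses
and frame bytes are constructed here for the demonstration.
"""
import ipaddress
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100          # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class SubInterface:
    name: str       # e.g. "ethernet2/3.1" (assumed record layout)
    vid: int        # 802.1Q VLAN ID carried in the frame header
    vsys: str       # virtual system that owns the subinterface
    zone: str       # vsys-level zone, e.g. "trust-vsys1"
    ip_cidr: str    # interface address and netmask
    mode: str       # "nat" or "route"


# The three subinterfaces from the procedure, all on trunk port ethernet2/3.
PLAN = [
    SubInterface("ethernet2/3.1", 1, "vsys1", "trust-vsys1", "10.1.1.1/24", "nat"),
    SubInterface("ethernet2/3.2", 2, "vsys2", "trust-vsys2", "10.2.2.1/24", "nat"),
    SubInterface("ethernet2/3.3", 3, "vsys3", "trust-vsys3", "1.3.3.1/24", "route"),
]


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent.

    Every subinterface on the trunk needs its own VID (the VID alone selects
    the vsys), VIDs 0 and 4095 are reserved by 802.1Q, and the zone must be
    one of the owning vsys (checked here by the trust-<vsys> naming assumption).
    """
    problems = []
    seen = {}
    for s in plan:
        if not 1 <= s.vid <= 4094:
            problems.append(f"{s.name}: VID {s.vid} outside 1-4094 (0 and 4095 are reserved)")
        if s.vid in seen:
            problems.append(f"{s.name}: VID {s.vid} already used by {seen[s.vid]}")
        seen[s.vid] = s.name
        if not s.zone.endswith("-" + s.vsys):
            problems.append(f"{s.name}: zone {s.zone} does not belong to {s.vsys}")
        if s.mode not in ("nat", "route"):
            problems.append(f"{s.name}: unknown mode {s.mode}")
        try:
            ipaddress.ip_interface(s.ip_cidr)
        except ValueError:
            problems.append(f"{s.name}: bad address {s.ip_cidr}")
    return problems


def build_frame(vid, payload=b"", pcp=0):
    """Build a constructed Ethernet II frame; vid=None gives an untagged frame."""
    dst = bytes.fromhex("001122334455")   # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1) | VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def classify(frame, plan):
    """Pick the vsys that owns the frame's VID.

    Returns (vsys, subinterface name), or (None, reason) when the root system
    must not hand the frame to any vsys: untagged, priority-tagged (VID 0), or
    a VID no subinterface claims. An unmapped VID is refused, never defaulted.
    """
    if len(frame) < 14:
        return None, "runt"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, "untagged"
    if len(frame) < 18:
        return None, "truncated tag"
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF
    if vid == 0:
        return None, "priority-tagged (VID 0)"
    by_vid = {s.vid: s for s in plan}
    if vid not in by_vid:
        return None, f"unknown VID {vid}"
    owner = by_vid[vid]
    return owner.vsys, owner.name


if __name__ == "__main__":
    print("plan problems:", validate_plan(PLAN) or "none")
    for v in (1, 3, 7, 0, None):
        print(v, "->", classify(build_frame(v, b"\x45"), PLAN))
```

    The refusal of unknown VIDs follows from the page's point that the VID, not the IP address, selects the vsys: a frame that arrives on the trunk with the wrong tag lands in the wrong tenant's system, so the upstream switch's allowed-VLAN list on that trunk should be pruned to exactly the VIDs the subinterfaces claim.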

    Published: 2013-01-02