Defining VLAN interfaces on a Netscreen 5GT
We have an "unlimited" licensed 5GT.
Our requirement is to keep several different security zones apart from each other. Because the 5GT functionally has only two physical interfaces, we are using VLANs to carry the separate zones.
The 5GT has a limit of 10 VLANs (although VIDs appear to be valid up to 4095). It also has a limit of 8 user-defined security zones. These values come from the Configuration -> Update -> ScreenOS/Keys page:
Sessions: 4064 sessions
Capacity: unlimited number of users
VPN tunnels: 25 tunnels
Zones: 8 zones
VLANs: 10 vlans
This is what we did:
- Define each new security zone, one for each VLAN which will be used: Network -> Zones -> New, fill in Zone Name and leave Layer 3 checked, then click OK:
set zone id 100 "DMZ-Customer1"
set zone id 101 "DMZ-Customer2"
- Define each VLAN as a new sub-interface on the Trust interface: Network -> Interfaces, select "Sub-IF" in the drop-down next to New, then click New; select a new subinterface number (must be between 1 and 10); select the Zone Name; fill out IP Address/Netmask etc. as for any other interface; and add a value for the VLAN Tag:
set interface "trust.1" tag 201 zone "DMZ-Customer1"
set interface trust.1 ip 10.126.201.1/24
set interface trust.1 route
Remember to set your policies between the new zones: traffic between zones is dropped until a policy permits it.
Now tag the port on your switch that is connected to one of the Trust interfaces with the VLAN IDs you assigned, and it will work.
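The following Python script is an added example, not part of the original page and not a NetScreen tool: it checks a planned set of customer VLANs against the licence limits quoted above (10 VLANs, 8 user-defined zones, sub-interface numbers 1 to 10, a usable 802.1Q tag) and emits the ScreenOS CLI equivalent of the WebUI steps. The zone ids, names, tags and addresses in the sample plan are constructed values; the choice to start user-defined zone ids at 100 is an assumption taken from the two commands on this page.

```python
"""Plan and validate VLAN sub-interfaces and security zones for a NetScreen 5GT.

Added example, not code from the original page. The limits below are the
ones quoted on the page from Configuration -> Update -> ScreenOS/Keys.
"""
from dataclasses import dataclass
import ipaddress

MAX_VLANS = 10               # "VLANs: 10 vlans"
MAX_USER_ZONES = 8           # "Zones: 8 zones"
SUBIF_RANGE = range(1, 11)   # sub-interface number must be between 1 and 10
VID_RANGE = range(1, 4095)   # 802.1Q reserves VIDs 0 and 4095, even if the UI accepts 4095


@dataclass(frozen=True)
class VlanZone:
    zone_id: int     # user-defined zone id (assumption: numbered from 100 upward)
    zone_name: str   # one security zone per VLAN, as the page does
    subif: int       # becomes trust.<subif>
    tag: int         # 802.1Q VLAN tag carried on the Trust port
    cidr: str        # interface address, e.g. 10.126.201.1/24


def validate(plan):
    """Return a list of problems; an empty list means the plan fits the 5GT."""
    problems = []
    if len(plan) > MAX_VLANS:
        problems.append(f"{len(plan)} VLANs exceeds the licence limit of {MAX_VLANS}")
    zone_names = {p.zone_name for p in plan}
    if len(zone_names) > MAX_USER_ZONES:
        problems.append(f"{len(zone_names)} zones exceeds the licence limit of {MAX_USER_ZONES}")
    seen_subif, seen_tag, seen_zone_id = set(), set(), set()
    for p in plan:
        if p.subif not in SUBIF_RANGE:
            problems.append(f"{p.zone_name}: sub-interface {p.subif} is not in 1..10")
        if p.tag not in VID_RANGE:
            problems.append(f"{p.zone_name}: VLAN tag {p.tag} is not a usable 802.1Q VID")
        if p.subif in seen_subif:
            problems.append(f"trust.{p.subif} is assigned twice")
        if p.tag in seen_tag:
            problems.append(f"VLAN tag {p.tag} is assigned twice")
        if p.zone_id in seen_zone_id:
            problems.append(f"zone id {p.zone_id} is assigned twice")
        seen_subif.add(p.subif)
        seen_tag.add(p.tag)
        seen_zone_id.add(p.zone_id)
        try:
            ipaddress.ip_interface(p.cidr)
        except ValueError:
            problems.append(f"{p.zone_name}: bad interface address {p.cidr}")
    return problems


def render(plan):
    """Emit the ScreenOS commands matching the WebUI steps on the page."""
    lines = [f'set zone id {p.zone_id} "{p.zone_name}"' for p in plan]
    for p in plan:
        lines.append(f'set interface "trust.{p.subif}" tag {p.tag} zone "{p.zone_name}"')
        lines.append(f"set interface trust.{p.subif} ip {p.cidr}")
        lines.append(f"set interface trust.{p.subif} route")
    return lines


# Constructed sample plan: two customer DMZs, one VLAN and one zone each.
SAMPLE_PLAN = [
    VlanZone(100, "DMZ-Customer1", 1, 201, "10.126.201.1/24"),
    VlanZone(101, "DMZ-Customer2", 2, 202, "10.126.202.1/24"),
]

# Constructed plan that breaks the limits: 11 VLANs, one reserved tag, a reused sub-interface.
OVERSIZED_PLAN = [
    VlanZone(100 + i, f"DMZ-Customer{i + 1}", (i % 10) + 1, 200 + i, f"10.126.{200 + i}.1/24")
    for i in range(11)
] + [VlanZone(200, "DMZ-Bad", 5, 4095, "10.126.250.1/24")]


if __name__ == "__main__":
    for plan in (SAMPLE_PLAN, OVERSIZED_PLAN):
        issues = validate(plan)
        if issues:
            print("plan rejected:")
            for issue in issues:
                print("  " + issue)
        else:
            print("\n".join(render(plan)))
```

Run it before touching the box; a plan that fails validation would otherwise only fail part-way through the WebUI steps, leaving some zones created without their sub-interfaces.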