For When You Can't Have The Real Thing
[ start | index | login ]
start > Netscreen > 5GT > VLAN Definitions

VLAN Definitions

Created by dave. Last edited by dave, 14 years and 162 days ago. Viewed 9,489 times. #2
[diff] [history] [edit] [rdf]

Defining VLAN interfaces on a Netscreen 5GT

We have an "unlimited" licensed 5GT.

Our requirement is that we will have several different security zones we wish to keep apart. Because the 5GT only has two physical interfaces functionally, we are using VLANs.

The 5GT has a limit of 10 VLANs (although VIDs appear to be valid up to 4095). It also has a limit of 8 user-defined security zones. These values come from the Configuration -> Update -> ScreenOS/Keys page:

Sessions:           4064 sessions
Capacity:           unlimited number of users
VPN tunnels:        25 tunnels
Zones:              8 zones
VLANs:              10 vlans
This is what we did:
  • Define each new security zone, one for each VLAN which will be used: Network -> Zones -> New, fill in Zone Name and leave Layer 3 checked, then click OK:
set zone id 100 "DMZ-Customer1"
set zone id 101 "DMZ-Customer2"
  • Define each VLAN as a new sub-interface on the Trust interface: Network -> Interfaces, select "Sub-IF" in the drop-down next to New, then click New; select a new subinterface number (must be between 1 and 10); select the Zone Name; fill out IP Address/Netmask etc as for any other interface; add a value for the VLAN Tag
set interface "trust.1" tag 201 zone "DMZ-Customer1"
set interface trust.1 ip
set interface trust.1 route

Remember to set your policies.

Now you should be tag up the port on your switch connected to one of the Trust interfaces and it will work.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful: | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt