Configuring ScreenOS Devices Guide, page 254

that the root admin creates is automatically assigned to a shared DMZ virtual router
(VR). The root admin also determines to which shared DMZ zone a particular vsys should
be subscribed. A shared DMZ zone is shared only with the virtual systems that are
subscribed to it. However, each vsys can be subscribed to only one shared DMZ zone. A
shared DMZ zone works only on a security device running in NAT/route mode and cannot
be bound to any interface other than the loopback interface. However, the default
interface for the shared DMZ zone is null.

Related Documentation
Viewing Root and Vsys Configurations on page 253
Example: Routing Traffic to Vsys Using VLAN IDs (NSM Procedure) on page 254
Example: Routing Traffic to Vsys Using IP Classification (NSM Procedure) on page 256

Example: Routing Traffic to Vsys Using VLAN IDs (NSM Procedure)
To enable the physical device to correctly route traffic to the appropriate vsys device,
you must use VLAN IDs (VIDs) at the vsys level or IP classification at the root level.
When using VIDs for routing traffic to vsys, you create dedicated vsys subinterfaces with
a VID; all traffic handled by a subinterface includes the subinterface's VID in the frame
header. The root system uses the VID to correctly route traffic to and from the
subinterface.
NOTE: A VLAN identifier is also known as a VLAN tag.
A subinterface stems from a physical interface, which acts as a trunk port. A trunk port
enables a Layer 2 network device to bundle traffic from several VLANs through a single
physical port, sorting the various packets by the VID in their frame headers. VLAN trunking
enables one physical interface to support multiple logical subinterfaces, each of which
must be identified by a unique VID. The VID on an incoming Ethernet frame indicates the
destination subinterface and system. When you associate a VLAN with an interface or
subinterface, the device automatically defines the physical port as a trunk port.
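The VID-based classification described above, as an added example that is not from the Juniper guide or from NSM: a small Python model of a trunk port whose subinterfaces are keyed by unique VID, which parses the 802.1Q tag of an incoming frame and selects the vsys from that VID, returning nothing for untagged, priority-tagged or unknown-VID frames. The interface names and the VID values 10, 20 and 30 are assumed, not taken from the page.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame


@dataclass(frozen=True)
class Subinterface:
    name: str   # assumed naming, e.g. "ethernet2/3.1"
    vid: int    # VLAN ID this subinterface is dedicated to
    vsys: str   # virtual system the subinterface belongs to


class TrunkPort:
    """Physical interface acting as a trunk: at most one subinterface per VID."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.by_vid = {}  # vid -> Subinterface

    def add_subinterface(self, sub: Subinterface) -> None:
        if not 1 <= sub.vid <= 4094:  # 0 and 4095 are reserved by 802.1Q
            raise ValueError(f"{sub.name}: VID {sub.vid} outside 1-4094")
        if sub.vid in self.by_vid:  # every VID on the trunk must be unique
            raise ValueError(f"{sub.name}: VID {sub.vid} already used by {self.by_vid[sub.vid].name}")
        self.by_vid[sub.vid] = sub

    def classify(self, frame: bytes):
        """Return the subinterface that owns the frame's VID, or None."""
        if len(frame) < 16:
            return None
        tpid, tci = struct.unpack("!HH", frame[12:16])
        if tpid != TPID_8021Q:
            return None  # untagged: no VID, so no vsys can be selected
        vid = tci & 0x0FFF  # the VID is the low 12 bits of the TCI
        if vid == 0:
            return None  # priority-tagged frame carries no VLAN membership
        return self.by_vid.get(vid)  # unknown VID -> None, never "some vsys"


def build_frame(vid: int, prio: int = 0, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed 802.1Q frame: dst MAC, src MAC, tag, IPv4 EtherType, payload."""
    tci = (prio << 13) | (vid & 0x0FFF)
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return macs + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + payload


def example_trunk() -> TrunkPort:
    """Three vsys subinterfaces on one trunk; VIDs 10/20/30 are assumed values."""
    trunk = TrunkPort("ethernet2/3")
    for n, (vid, vsys) in enumerate([(10, "vsys1"), (20, "vsys2"), (30, "vsys3")], 1):
        trunk.add_subinterface(Subinterface(f"{trunk.name}.{n}", vid, vsys))
    return trunk
```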
Using VLANs in Transparent Mode
When the root device is in Transparent mode, you cannot use VLAN tagging at the vsys
level (except when using L2V; for details, see "Layer 2 Vsys Configuration Overview" on
page 258). However, you can configure subinterfaces and VLAN tagging at the root level
by defining all physical ports as trunk ports. To do so, in the device navigation tree, select
Network > Interfaces, and then double-click the VLAN-1 interface. In the General
Properties interface screen, select Vlan Trunk.
NOTE: The NetScreen 5000 line of security devices running ScreenOS 5.0
L2V supports vsys transparent mode, also known as Layer 2 vsys, or L2V vsys.
In this example, you define three subinterfaces (10.1.1.1/24, 10.2.2.1/24, and 1.3.3.1/24)
with VLAN tags on ethernet 2.3 for the three virtual systems vsys1, vsys2, and vsys3. The
Copyright © 2010, Juniper Networks, Inc.