Assigning L2V Vlan Ids (Nsm Procedure) - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual


Assigning L2V VLAN IDs (NSM Procedure)

Copyright © 2010, Juniper Networks, Inc.
header, applies the security policy for the vsys to the packets, and then sends permitted
packets through the device without packet modification.
When you first add a NetScreen 5000 line security device running ScreenOS 5.0-L2V
to NSM, the device is in neutral mode, meaning that neither L2V nor VLAN trunk mode is
configured on the device. To confirm that the device is in neutral mode, ensure that the
root system does not contain a VLAN group, that no VLAN IDs have been exported to a vsys
device, that vlan1 exists in the root system only, and that VLAN trunk mode is disabled.
To enable L2V on a neutral root system, you must:
1. Import VLAN IDs from the root system to vsys.
2. Create a VLAN group (in the root system or vsys) and assign that group to a physical
   port and zone.
When L2V is enabled, you cannot configure VLAN trunk mode (the option is disabled). For
information about how to change an L2V root system to VLAN trunk mode, see "Converting
L2V to VLAN Trunking (NSM Procedure)" on page 262.
Related Documentation
Assigning L2V VLAN IDs (NSM Procedure) on page 259
L2V VLAN Groups in NSM Overview on page 260
Example: Routing Traffic to Vsys Using IP Classification (NSM Procedure) on page 256
You must use VLAN tags for vsys devices in Transparent mode. The device classifies
traffic to or from the vsys based on the VLAN tag. A root device running ScreenOS 5.0-L2V
supports a maximum of 4094 VLANs. You can assign each vsys 2 to 4094 VLANs;
however, after a VLAN is assigned to one vsys, it cannot be used in another. The root
system reserves vlan1, vlan0, and vlan4095.
By default, all VLAN IDs belong to the root system. To configure VLAN IDs for each vsys,
you must import the VLAN IDs from the root system to a vsys:
1. In the NSM navigation tree, select Device Manager > Security Devices, and then
   double-click a vsys device.
2. In the vsys device navigation tree, select Network > Vlan > Import.
3. Click the Add icon to display the New Vlan Import Entry dialog box, and then enter
   the range of VLAN IDs you want to import from the root system to the vsys.
4. Click OK. NSM imports the VLAN IDs within the specified range from the root system;
   these IDs are now reserved and cannot be used by the root system or other vsys.
To export VLAN IDs to the root system, you must delete the VLAN IDs from the vsys
(select the VLAN import entry and then click the Delete icon). When you delete an ID
range, NSM no longer reserves those IDs, enabling you to import the IDs to another vsys.
After you have imported VLAN IDs to a vsys, you can group those IDs and assign them
to a physical port and zone.
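
The following is an added example, not part of the Juniper guide or NSM: a pre-change check that audits a planned set of VLAN import ranges against the rules above (vlan0, vlan1, and vlan4095 stay with the root system, and a VLAN ID imported to one vsys cannot be used by another). The vsys names, the sample ranges, and the "start-end" text format are assumptions made for illustration.

```python
# Added example, not Juniper code. Audits a planned VLAN import allocation.
RESERVED_IDS = {0, 1, 4095}  # per the page: vlan0, vlan1 and vlan4095 stay with root
MAX_VLAN_ID = 4095           # assumption: 12-bit 802.1Q VLAN ID space

def parse_range(text):
    """Parse '100-199' or '300' into an inclusive (low, high) tuple."""
    low, _, high = text.strip().partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if lo > hi:
        raise ValueError("start is greater than end")
    return lo, hi

def audit_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, claimed = [], []
    for vsys, ranges in plan.items():
        for text in ranges:
            try:
                lo, hi = parse_range(text)
            except ValueError as exc:
                findings.append(f"{vsys}: invalid range {text!r} ({exc})")
                continue
            if hi > MAX_VLAN_ID:
                findings.append(f"{vsys}: range {text} exceeds VLAN ID {MAX_VLAN_ID}")
                continue
            reserved = sorted(i for i in RESERVED_IDS if lo <= i <= hi)
            if reserved:
                findings.append(f"{vsys}: range {text} includes reserved IDs {reserved}")
            claimed.append((lo, hi, vsys))
    # Sweep the ranges in ascending order; any start at or below the highest
    # end seen so far means two import entries claim the same VLAN ID.
    claimed.sort()
    max_hi, owner = -1, None
    for lo, hi, vsys in claimed:
        if lo <= max_hi:
            findings.append(f"VLAN IDs {lo}-{min(hi, max_hi)} claimed by {owner} and {vsys}")
        if hi > max_hi:
            max_hi, owner = hi, vsys
    return findings

# Constructed sample plan: vsys names and ranges are hypothetical.
SAMPLE_PLAN = {
    "vsys-a": ["100-199", "300"],
    "vsys-b": ["150-210"],
    "vsys-c": ["1-10", "4000-4095"],
}

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_PLAN):
        print(finding)
```

An empty result means every planned range avoids the reserved IDs and no VLAN ID is claimed by two import entries.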