Netscreen 25 in transparent mode + VLAN tagging



  • Hello,

    I have a bit of a complex and wonky setup that I need to know if it is possible, and if it is, will need some help to configure. The unit is a netscreen 25 with the “Advanced” firmware. Basically  I need the traffic to come in the WAN interface which is in layer2 mode and bound to the V1-Untrust Zone, the traffic is filtered, then tagged with appropriate VLAN tags and sent out the Trust interface. The VLAN tagging and default gateways should happen/reside on the netscreen. I tried doing this with sub-interfaces but couldn’t create a policy that mixed layer2 and layer3 zones. Here is what I have:

    upstream
          !
    core switch
          !
    edge switches
          !
    servers

    I would like to have:

    upstream
        !
    core switch
        !
    netscreen 25 - filtering and VLAN tagging
        !
    back to core switch
          !
    edge switches

    I cannot have the upstream router plugged into the netscreen due to some other reasons. Can anyone recommend anything?

    ~Rodre



  • Here is a basic configration on how to set the zones and interfaces up, you would still need policies and management and such

    set vrouter trust-vr sharable
    unset vrouter “trust-vr” auto-route-export
    set zone id 101 "Trust 1"
    set zone id 102 "Trust 2"
    set zone id 103 “Trust 3”

    set interface “ethernet1” zone "Untrust"
    set interface “ethernet2” zone "Trust 1"
    set interface “ethernet3” zone "Trust 2"
    set interface “ethernet4” zone “Trust 3”

    set interface ethernet1 ip 64.0.24.1/30
    set interface ethernet1 route
    set interface ethernet1 gateway 64.0.24.2
    set interface ethernet2 ip 90.1.1.1/24
    set interface ethernet2 route
    set interface ethernet3 ip 90.1.2.1/24
    set interface ethernet3 route
    set interface ethernet4 ip 90.1.3.1/24
    set interface ethernet4 route

    Greg



  • Why not have the Netscreen 25 in Route mode, and set up the 1 interface as the untrust and set up the other 3 interfaces as the 3 zones you want?  On the switch just create 3 vlans, and create 3 zones on the firewall and plug Ethe2 into vlan 10, Ethe3 into VLAN 20, ethe4 into vlan 40.  So in the configuration of the netscreen 25

    Ethe1 untrust 64.0.24.1
    Ethe2 Trust 1 90.1.1.1/24 (Vlan10)
    Ethe3 Trust 2 90.1.2.1/24 (Vlan20)
    Ethe4 Trust 3 90.1.3.1/24 (Vlan30)

    You could do the same thing with 2 interfaces and make a trunk on Ethe2 if you wanted.

    Greg



  • Hi,

    Thanks for your prompt response. Assuming that I setup the gateways and VLAN tagging on the swtich how can I get the switch to forward the packets to the netscreens WAN interface for filtering, then get the Netscreen to dump the filtered packets back onto the swtich for vlan tagging? The core switch is a layer 3 switch which is operating a small router. I want to filter packets for subnets (example) 90.1.1.0/24, 90.1.2.0/24, and 90.1.3.0/24. The upsteam router is sending traffic for these subnets to 64.0.24.1 (example), which is the small router operating in the core switch. I want the netscreen to pick up traffic destined for the above 3 subnets, filter it and dump it back on the switch. Any thoughts on how I might accomplish this?

    ~Rodre



  • This is not possible in transparent mode. the NetScreen can pass any vlan tag info but cannot generate the tag as you already found out. Also you cannot mix transparent mode and nat/route mode on the same box. You will need to add the vlan tagging at the switch.


 

33
Online

38.4k
Users

12.7k
Topics

44.5k
Posts