VLAN Retagging on ISG and ns5000 devices

Article ID: KB15555 KB Last Updated: 06 Jun 2013Version: 4.0
Summary:
VLAN retagging provides a way to selectively screen VLAN traffic. You place a security device in parallel with your Layer 2 switch (see Figure) and configure the switch to direct to the security device only traffic from VLANs you want screened. Traffic to and from your other VLANs continues to pass directly through the switch, thus avoiding any impact to throughput that might be caused by passing all VLAN traffic through the security device.

NOTE: Beginning with ScreenOS 6.2, VLAN retagging is supported on ISG platforms.
The source interface must be a member of the VLAN it is retagged to; in this example, eth2/1 is a member of VLAN 20. The configuration is bidirectional.
Symptoms:
VLAN retagging configuration on ScreenOS
Cause:

Solution:
For the configuration to work, configure the devices as shown in the attached diagram. The following configuration retags traffic from VLAN 10 to VLAN 20.


Config:

V1-Untrust => eth2/2 => VLAN 10
V1-Trust => eth2/1 => VLAN 20

The firewall configuration is shown below. On the switch, the ports connecting to the firewall must be trunked for that VLAN.
set vlan group name vlan-20
set vlan group vlan-20 20 20
set vlan port ethernet2/1 group vlan-20 zone V1-Trust
set vlan port ethernet2/2 group vlan-20 zone V1-Untrust
set vlan retag name map-10-20 10 20
set vlan port ethernet2/2 retag map-10-20

set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any any any permit

Below are the commands to verify the configuration:
CORE-TAG-> get vlan group 
vlan group info:
------------------------------------------------------------------------------
name(vsys) : vlan1(Root)
*          : predefined group
vids       : [0-1]
port       : ethernet2/1 ethernet2/2
vsd        : 0

name(vsys) : vlan-20(Root)
vids       : [20]
port       : ethernet2/1 ethernet2/2
vsd        : 0


CORE-Firewall-> get vlan retag
vlan retagging info:
------------------------------------------------------------------------------
Retagging-pair-name                  from   to     interface
map-10-20      (Root           )     10     20       ethernet2/1


CORE-TAG-> get vlan all  
vsys-name                       : imported vlan ID range  
------------------------------------------------------------------------------  
Root                            : [0-1,10,20]  

interface name                    (vid-range) vsys  zone  ifp  
------------------------------------------------------------------------------  
ethernet2/1                       (   0-   1) Root  V1-Null  l2v
                                  (  20-  20) Root  V1-Trust  v1-trust  
ethernet2/2                       (   0-   1) Root  V1-Null  l2v
                                  (  20-  20) Root  V1-Untrust  v1-untrust   

vlan group info:  
------------------------------------------------------------------------------  
name(vsys) : vlan1(Root)  
*          : predefined group  
vids       : [0-1]  
port       : ethernet2/1 ethernet2/2  
vsd        : 0    

name(vsys) : vlan-20(Root)  
vids       : [20]  
port       : ethernet2/1 ethernet2/2  
vsd        : 0  

NOTES:
  • Please disable STP on all the trunk interfaces.
  • The VLAN group used for retagging should always be the destination VLAN. For example, for the retag from VLAN 10 to VLAN 20, the VLAN group is configured for VLAN 20, as above. This is bidirectional.
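As an added example, not part of this KB article or of ScreenOS itself, the following Python script parses the "set vlan" commands above and applies the rule from the notes: the port that carries a retag map must belong to a VLAN group containing the destination VLAN, and that group needs a second member in a different zone for the policy to apply. The config string is the article's own; the check function and its names are assumptions of this example.

```python
import re

# Constructed sample reproducing the article's retag configuration
# (V1-Trust eth2/1, V1-Untrust eth2/2, retag VLAN 10 -> VLAN 20).
ARTICLE_CONFIG = """
set vlan group name vlan-20
set vlan group vlan-20 20 20
set vlan port ethernet2/1 group vlan-20 zone V1-Trust
set vlan port ethernet2/2 group vlan-20 zone V1-Untrust
set vlan retag name map-10-20 10 20
set vlan port ethernet2/2 retag map-10-20
"""

PATTERNS = {
    "group_vids": re.compile(r"^set vlan group (\S+) (\d+) (\d+)$"),
    "port_group": re.compile(r"^set vlan port (\S+) group (\S+) zone (\S+)$"),
    "retag_map":  re.compile(r"^set vlan retag name (\S+) (\d+) (\d+)$"),
    "port_retag": re.compile(r"^set vlan port (\S+) retag (\S+)$"),
}

def parse_vlan_config(config):
    """Collect VLAN groups, port memberships and retag maps from 'set vlan' lines."""
    groups, ports, maps, port_retag = {}, {}, {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := PATTERNS["group_vids"].match(line):
            groups.setdefault(m[1], set()).update(range(int(m[2]), int(m[3]) + 1))
        elif m := PATTERNS["port_group"].match(line):
            ports[m[1]] = {"group": m[2], "zone": m[3]}
        elif m := PATTERNS["retag_map"].match(line):
            maps[m[1]] = (int(m[2]), int(m[3]))
        elif m := PATTERNS["port_retag"].match(line):
            port_retag[m[1]] = m[2]
    return groups, ports, maps, port_retag

def check_retag(config):
    """Return a list of problems; an empty list means the retag setup is consistent."""
    groups, ports, maps, port_retag = parse_vlan_config(config)
    problems = []
    for port, map_name in port_retag.items():
        if map_name not in maps:
            problems.append(f"{port}: retag map {map_name} is not defined")
            continue
        if port not in ports:
            problems.append(f"{port}: not assigned to any VLAN group")
            continue
        _src, dst = maps[map_name]
        group, zone = ports[port]["group"], ports[port]["zone"]
        # Article's rule: the group on the retagging port must hold the destination VLAN.
        if dst not in groups.get(group, set()):
            problems.append(f"{port}: group {group} lacks destination VLAN {dst}")
        # Retagged frames need a group member in another zone to be forwarded to.
        peers = [p for p, v in ports.items() if v["group"] == group and p != port]
        if not any(ports[p]["zone"] != zone for p in peers):
            problems.append(f"{port}: no member of {group} in a different zone")
    return problems
```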