ScreenOS Cookbook by Sunil Wadhwa, Joe Kelly, Ken Draper, David Delcourt, Vik Davar, Stefan Brunner


5.3. Configure a VLAN Trunk

Problem

You want to put the firewall into a trunk and pass VLAN-tagged frames through it.

Solution

Configure the firewall to ignore the VLAN tag while matching on the IP header on policies:

	set interface vlan1 vlan trunk

Move two interfaces into Layer 2 (L2) zones, and all other interfaces into the null zone:

	unset interface e0/0 ip
	set interface e0/0 zone v1-trust

	unset interface e0/1 ip
	set interface e0/1 zone v1-untrust

Configure a management address on the virtual vlan1 interface:

	set interface vlan1 ip 192.168.1.100/24
	set route 0.0.0.0/0 interface vlan1 gateway 192.168.1.254

Then, configure a policy:

	set policy from v1-untrust to v1-trust any any http permit
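To make the trunk behaviour concrete, here is an added Python example (not ScreenOS code and not from the book) that parses a constructed 802.1Q-tagged frame, discards the VLAN ID, and evaluates the recipe's single policy on L2 zones and IP header alone. The interface-to-zone map, the two-port egress assumption, the default-deny fallback and the frame contents are all constructed for this example.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
TCP, HTTP = 6, 80

# Constructed to mirror the recipe: interface-to-zone map and the single policy
# 'set policy from v1-untrust to v1-trust any any http permit'.
ZONE_OF_INTERFACE = {"e0/0": "v1-trust", "e0/1": "v1-untrust"}
POLICIES = [("v1-untrust", "v1-trust", TCP, HTTP, "permit")]

def parse_frame(frame: bytes) -> dict:
    """Strip an optional 802.1Q tag and return the fields a policy match needs."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF                 # VID is the low 12 bits of the TCI
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        return {"vlan_id": vlan_id, "ip": False}
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4]) if proto in (6, 17) else (None, None)
    return {"vlan_id": vlan_id, "ip": True, "proto": proto, "sport": sport, "dport": dport,
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}

def policy_action(ingress_if: str, frame: bytes) -> str:
    """Match on zones and IP header only; the VLAN id never enters the decision.
    Assumes the recipe's two-port transparent path: in on one interface, out on the other."""
    egress_if = "e0/0" if ingress_if == "e0/1" else "e0/1"
    f = parse_frame(frame)
    if not f["ip"]:
        return "deny"                              # non-IP frames are not evaluated here
    src_zone, dst_zone = ZONE_OF_INTERFACE[ingress_if], ZONE_OF_INTERFACE[egress_if]
    for pol_src, pol_dst, proto, port, action in POLICIES:
        if (src_zone, dst_zone, proto, port) == (pol_src, pol_dst, f["proto"], f["dport"]):
            return action
    return "deny"                                  # no matching policy: treated as deny

def build_frame(vlan_id, src_ip: str, dst_ip: str, dport: int, sport: int = 40000) -> bytes:
    """Constructed minimal IPv4/TCP frame, 802.1Q-tagged when vlan_id is given (checksums 0)."""
    macs = bytes.fromhex("00005e00530100005e005302")     # IANA documentation MAC range
    tag = struct.pack("!HH", TPID_8021Q, vlan_id) if vlan_id is not None else b""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp
```

Frames carrying the same IP 5-tuple on VLAN 10, VLAN 20 or no tag at all all receive the same verdict, which is exactly what `set interface vlan1 vlan trunk` buys you on the real box.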

Discussion

A server network should be secured, but addressing cannot be changed on the servers if it is hardcoded into applications. The easiest way to introduce a firewall is to put the firewall into transparent mode and include it between the servers and the next-hop router. However, servers are commonly connected to different VLANs.

In Figure 5-4, a firewall is introduced between the access layer switch and the distribution layer switch. The access layer switch is a Layer 2 device, and the distribution layer switch is usually a multilayer switch; hence, it supports virtual L3 VLAN interfaces. Multiple VLANs are configured for different servers. An 802.1Q trunk connects the access layer switch with the distribution layer switch. This is a typical data center design. The motivation for such a design is that the ...
