You want to put the firewall into a trunk and pass VLAN tagged frames.
Configure the firewall to pass VLAN-tagged frames and to ignore the VLAN tag, so that policies match on the IP header alone:
set interface vlan1 vlan trunk
Move two interfaces into a Layer 2 (L2) zone, and all other interfaces into the
unset interface e0/0 ip
set interface e0/0 zone v1-trust
unset interface e0/1 ip
set interface e0/1 zone v1-untrust
Configure a management address on the virtual
set interface vlan1 ip 192.168.1.100/24
set route 0.0.0.0/0 interface vlan1 gateway 192.168.1.254
Then, configure a policy:
set policy from v1-untrust to v1-trust any any http permit
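To show what the trunk setting and the L2 zone policy above actually do with tagged traffic, here is an added Python example; it is not code from the page or from the firewall's own software. It parses a constructed 802.1Q-tagged frame, decodes the IPv4 header behind the tag, and evaluates the recipe's single policy by ingress and egress zone while ignoring the VLAN ID, then forwards the frame with its tag untouched. The interface names, the interface-to-zone map, the service table, and the egress-interface parameter (standing in for the firewall's own MAC-table lookup) are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Assumed interface-to-zone mapping, mirroring the recipe's L2 zones.
ZONE_OF_INTERFACE = {"e0/0": "v1-trust", "e0/1": "v1-untrust"}

# Service table: name -> (IP protocol number, destination port). Only http is needed here.
SERVICES = {"http": (6, 80)}

# The recipe's policy: set policy from v1-untrust to v1-trust any any http permit
POLICIES = [
    {"from": "v1-untrust", "to": "v1-trust", "service": "http", "action": "permit"},
]


@dataclass
class Packet:
    vlan_id: Optional[int]   # set only when the frame carried an 802.1Q tag
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: Optional[int]  # TCP/UDP destination port, else None


def build_frame(vlan_id: Optional[int], src_ip: str, dst_ip: str,
                proto: int, dst_port: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/L4 frame (sample input, not captured traffic)."""
    eth = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")  # dst MAC, src MAC
    if vlan_id is not None:
        # 802.1Q tag: TPID 0x8100, TCI with priority 0, CFI 0, 12-bit VLAN ID
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16  # src port, dst port, padding
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4


def parse_frame(raw: bytes) -> Packet:
    """Step past an optional 802.1Q tag and decode the IPv4 header behind it."""
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = raw[offset:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    dst_port = None
    if proto in (6, 17):  # TCP or UDP: destination port sits at L4 offset 2
        (dst_port,) = struct.unpack("!H", ip[ihl + 2:ihl + 4])
    return Packet(vlan_id, src_ip, dst_ip, proto, dst_port)


def lookup_policy(ingress_if: str, egress_if: str, pkt: Packet) -> str:
    """Policy action for traffic crossing from the ingress zone to the egress zone.

    The VLAN ID is deliberately never consulted: zone membership comes from the
    physical interface, and the match is on the IP header alone."""
    from_zone = ZONE_OF_INTERFACE[ingress_if]
    to_zone = ZONE_OF_INTERFACE[egress_if]
    for policy in POLICIES:
        if (policy["from"], policy["to"]) != (from_zone, to_zone):
            continue
        proto, port = SERVICES[policy["service"]]
        if pkt.proto == proto and pkt.dst_port == port:
            return policy["action"]
    return "deny"  # no matching policy: inter-zone traffic is dropped


def inspect_and_forward(ingress_if: str, egress_if: str, raw: bytes):
    """Inspect one frame; on permit hand it back unchanged (tag included) for the egress trunk."""
    action = lookup_policy(ingress_if, egress_if, parse_frame(raw))
    return action, (raw if action == "permit" else None)


if __name__ == "__main__":
    frame = build_frame(10, "198.51.100.7", "192.0.2.10", 6, 80)
    print(parse_frame(frame))
    print(inspect_and_forward("e0/1", "e0/0", frame)[0])
```

The same HTTP flow carried in VLAN 10 or VLAN 200 gets the same verdict, which is the point of the trunk setting: the tag decides which VLAN the distribution switch delivers to, not which policy applies. Traffic in the reverse direction, or to a port other than 80, hits no policy and is dropped.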
A server network should be secured, but addressing cannot be changed on the servers if it is hardcoded into applications. The easiest way to introduce a firewall is to put the firewall into transparent mode and include it between the servers and the next-hop router. However, servers are commonly connected to different VLANs.
In Figure 5-4, a firewall is introduced between the access layer switch and the distribution layer switch. The access layer switch is a Layer 2 device, and the distribution layer switch is usually a multilayer switch; hence, it supports virtual L3 VLAN interfaces. Multiple VLANs are configured for different servers. An 802.1Q trunk connects the access layer switch with the distribution layer switch. This is a typical data center design. The motivation for such a design is that the ...