Screen OS

  • 1.  NetScreen -- vlan retagging

    Posted 09-01-2009 05:41

    Hi All,

    I am experiencing some problems configuring a NetScreen 5200 FW (ScreenOS=6.2.0r3a.0) to act as a "vlan-retagger".

    I consider only a one-to-one vlan mapping and I do not need to have multiple vsys.

    Does anyone know if there is documentation that addresses this issue?

    I have already checked the user guide. Unfortunately, the examples (in chapter 3, depicted on pages 71, 72 and 73) seem to be incomplete.

    I would appreciate any help ;(


    Many thanks in advance.






  • 2.  RE: NetScreen -- vlan retagging

    Posted 09-01-2009 12:18

    VLAN retagging is only supported in Transparent Mode.

    Unfortunately I am unable to find the complete doc with an example, but I think it is good to start with that doc.




  • 3.  RE: NetScreen -- vlan retagging

    Posted 09-02-2009 07:07



    Thank you, Atif, for your presence...

    I have "partially" fixed this issue...


    Both FW ports are running in Transparent Mode.

    Below is a partial view of my lab topology:



     towards L3SW (port A)   <-------------|  ns5200  |------------->  towards L3SW (port B)



    L3SW is my layer 3 switch.


    When configuring the remote ports of my L3SW as "trunk links" ---> it does not work

    When I configure these remote ports in "access mode" ---> it works


    The thing is that I need to configure these links as "trunk" because I will use multiple VLANs over each physical link.

    So the question is: how do I put the local ports (of the FW) in "trunk mode"?

    I already tried the command "set interface vlan1 vlan trunk", but it was rejected by the FW. Below is the output:


    ns5200-> set interface vlan1 vlan trunk
    can't set vlan trunk if there is any user define vlanID set
    ns5200->


    Any idea?


    Thank you in advance 😉






  • 4.  RE: NetScreen -- vlan retagging

    Posted 09-02-2009 10:29

    The VLAN can act as the trunk or the retagger, not both at the same time.

    Can you please confirm that you are trying to use both at the same time?




  • 5.  RE: NetScreen -- vlan retagging

    Posted 09-02-2009 22:23



    You are right, Atif. I am using the FW as a "vlan retagger", but on the other hand I need to configure the remote ports (on my L3SW) as "trunk links" because I need to send multiple VLANs on each physical port.

    This is why I have tried to use the command "set interface vlan1 vlan trunk".


    I don't know if a NetScreen device (running in Transparent Mode and acting as a "vlan retagger") can handle multiple VLANs on the same physical ports. If it is possible to do such a configuration, could you advise how?


    Many thanks in advance 😞




  • 6.  RE: NetScreen -- vlan retagging

    Posted 09-03-2009 11:48

    The firewall can be used as the trunk or the VLAN retagger, and cannot be used as both at the same time.




  • 7.  RE: NetScreen -- vlan retagging

    Posted 09-03-2009 13:26

    Thank you (very much), Atif, for your help 🙂


    The situation is clear now.


    Have a nice weekend.




  • 8.  RE: NetScreen -- vlan retagging
    Best Answer

    Posted 09-03-2009 13:30





    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.


  • 9.  RE: NetScreen -- vlan retagging

    Posted 09-04-2009 01:21

    Hi Atif,


    I am sorry, Atif, to be asking you again... but just to be sure!

    I want to avoid any confusion about the term "trunk"...



    ethernet2/1 <---[ns5200] ---> ethernet2/2


    I have the following:

     - both ports e2/1 & e2/2 are running in Transparent mode (they belong to 2 different Layer 2 security zones)

     - I have configured the FW to act as a vlan-retagger between VLAN a (present on e2/1) and VLAN b (present on e2/2)


    My question is:

     - Is it true that:

        + If I keep both interfaces running in Transparent mode (ports assigned to Layer 2 security zones), then

        + If I add VLAN c (on e2/1) and VLAN d (on e2/2) --> I cannot do vlan-retagging anymore?


    Could you confirm this assertion?


    Many thanks in advance.