Pulse Secure formerly SSL VPN
Contributor
Posts: 32
Registered: ‎07-08-2008
0 Kudos

802.1Q tagged VLANs on the internal port

Has anyone out there ever configured VLAN tagging on the internal port of the SA-4000 running 6.1R2? Does the internal port support tagging so that I can connect it to a tagged switchport?

Thanks

Recognized Expert
Posts: 420
Registered: ‎03-24-2008

Re: 802.1Q tagged VLANs on the internal port

I've configured 802.1Q on the internal port of a SA6000 running 6.0r5.  Check out p. 600 of the admin guide.  If you have some specific questions, maybe I can help.
Contributor
Posts: 32
Registered: ‎07-08-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Do you have to have an IVS license to do VLAN tagging? I notice that on version 6.0/6.1 there is a VLAN menu but not on version 5.5, and therefore it supports it under version 6.1.

Thanks

Recognized Expert
Posts: 420
Registered: ‎03-24-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Sure looks that way, though I don't think you need to define IVSs to use VLANs.  I have a SA2000 and a SA6000 both running 6.0r5.  The SA6000 is licensed for IVS; the SA2000 is not.  VLANs do not show up on the menu on the SA2000.
Moderator
Posts: 2,347
Registered: ‎11-19-2007
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

The root VLAN (internal default) cannot be tagged; however you can send other traffic to other VLANs tagged successfully.
Contributor
Posts: 32
Registered: ‎07-08-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Thank you for the info. Would you mind pointing me to any reference on how to do it? I just wanted to put any authenticated user with ip subnet 192.168.240.20.0/24 tagged with, for example, VLAN-ID=111, and subnet 192.168.250.0/24 with VLAN-ID=112.

Thank you and greatly appreciated.

Recognized Expert
Posts: 420
Registered: ‎03-24-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Assignment to VLANs is done on a role basis.  So, you need to do the following -

  1. Create the VLANs
  2. Create two roles and figure out how you are going to do role-mapping for the realm
  3. For each role, assign the VLAN in the VLAN/Source IP tab of the General setting for the role
  4. For each role, define NC Connection profiles which assign the appropriate address pool
Contributor
Posts: 32
Registered: ‎07-08-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Thanks for the info. But how do you connect the SA4000 Internal Port (which cannot be tagged per your last post) to the tagged switchport on the other end? Thanks.
Recognized Expert
Posts: 420
Registered: ‎03-24-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

I'm not a switch expert, but what I remember is that the switch had an ability to tag untagged data coming from the Juniper, or to treat it like it was tagged with a "default" VLAN tag. 
Contributor
Posts: 32
Registered: ‎07-08-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Thanks again for your patience. The internal port of the SA4000 does not support tagging, but it can send packets OUT with tagging information, is that right? If so, how does the internal port process the returning packets (which will have tagging info) coming IN to it?

Thank you

Contributor
Posts: 30
Registered: ‎03-04-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Does the IVE support 802.1q trunking?  This is the only way I can see it supporting more than 2 vlans over a single interface. 
I've got an SA4000 as well and I'm trying to move our NetConnect users off of the same broadcast domain as the IVE's internal port.

Recognized Expert
Posts: 420
Registered: ‎03-24-2008

Re: 802.1Q tagged VLANs on the internal port

The SA does support VLAN trunking if you purchase the IVS license, which I think is pretty cheap if you need this functionality.

You connect the SA to a switchport configured for 802.1Q trunking and specify a native VLAN (this will be for the untagged traffic from the SA).  You then configure a VLAN in the network settings on the SA, giving the SA an address in that VLAN and specifying the default gateway for traffic sent to that VLAN.

To send NC traffic to the VLAN, you configure the VLAN/Source IP tab on the General section of the role configuration.  All traffic for that role will be sent to that VLAN.  The NC address pool must either assign users to the same subnet the VLAN address of the SA is in, or the default gateway router(s) must route the subnets which the NC addresses are in to the VLAN address of the SA, typically using static routes.

Hope this is helpful.

Contributor
Posts: 30
Registered: ‎03-04-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

I actually got this to work today...

I set up the VLAN in the IVE and applied it to the role.  On the switch, I created the necessary vlan and added one line to the port the IVE is connected to (this is a Cisco IOS switch) so that it looks like this:

switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport voice vlan 11

This command is meant for IP phones with a workstation attached, but it accomplishes what I need.  This moves the tagged user traffic through the proper vlan (11) while keeping all untagged traffic on vlan 10.  The big limitation here is that this won't scale beyond just a single untagged vlan and a single tagged one, which is where a trunk would come in.

Regardless, I'm going to try it this weekend anyway to see if it works if I set the port to be a trunk port rather than an access port.
Message Edited by dcruz on 08-21-2008 04:11 PM
Recognized Expert
Posts: 420
Registered: ‎03-24-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

The port to the SA internal interface on my Cisco switch is configured as -
interface GigabitEthernet0/2
 description VRAliMUScingh13-1.2.3.4
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,100
 switchport mode trunk
 speed 100
 duplex full
This allows vlans 2 and 100, and marks untagged traffic as vlan 2.  Of course, you could modify the "switchport trunk allowed vlan 2,100" statement to allow any vlans you wanted to carry.
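To make the two switch-side setups in this thread concrete (the access + voice VLAN trick and the trunk with a native VLAN above), here is an added example, not code from the thread or from Juniper: it builds and parses 802.1Q-tagged Ethernet frames and applies the same ingress rule a trunk port uses, untagged frames land in the native VLAN and tagged frames are accepted only when their VID is in the allowed list. The config parser and the sample frames are constructed for this illustration.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800

def build_frame(dst, src, payload, vid=None, pcp=0):
    """Build an Ethernet frame; insert an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ETH_IPV4) + payload

def parse_tag(frame):
    """Return (vid, ethertype, payload_offset); vid is None for untagged frames."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, struct.unpack("!H", frame[16:18])[0], 18
    return None, ethertype, 14

def parse_trunk_config(lines):
    """Pull native VLAN and allowed VLAN set out of Cisco IOS switchport lines.
    Assumes an explicit allowed list (ranges like 100-110 are accepted)."""
    native, allowed = 1, set()
    for line in lines:
        words = line.split()
        if words[:4] == ["switchport", "trunk", "native", "vlan"]:
            native = int(words[4])
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            for part in words[4].split(","):
                lo, _, hi = part.partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    return native, allowed

def classify(frame, native_vlan, allowed):
    """VLAN a trunk port assigns to an ingress frame, or None if it is dropped."""
    vid, _, _ = parse_tag(frame)
    if vid is None:
        return native_vlan              # untagged root-VLAN traffic from the SA
    return vid if vid in allowed else None

# Constructed from the switchport lines quoted in the thread.
PORT_CONFIG = [
    "switchport trunk native vlan 2",
    "switchport trunk allowed vlan 2,100",
    "switchport mode trunk",
]
```

A tagged frame for a role VLAN that is missing from the allowed list classifies as None, which is the first thing to check when a role's NC traffic vanishes at the switch.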

Contributor
Posts: 30
Registered: ‎03-04-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

I changed the port from an access port to a trunk port and it works fine.  I don't have an IVS license.
Contributor
Posts: 13
Registered: ‎09-16-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Hi,
kenlars wrote:

Assignment to VLANs is done on a role basis.  So, you need to do the following -

  1. Create the VLANs
  2. Create two roles and figure out how you are going to do role-mapping for the realm
  3. For each role, assign the VLAN in the VLAN/Source IP tab of the General setting for the role
  4. For each role, define NC Connection profiles which assign the appropriate address pool

Can we do the same thing, but using a DHCP server instead of the Juniper SA local address pool? If yes, how can I do it?
Thanks.

Yves

Contributor
Posts: 32
Registered: ‎07-08-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

I don't have an IVS license either, so how do you change the SA-4000 Internal Port from an Access Port to a Trunk Port?

Thanks in advance

Recognized Expert
Posts: 420
Registered: ‎03-24-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Yves -
I've never used DHCP with VLANs, but I don't think there is any reason it would not work.  I assume the DHCP request would be sent over the VLAN associated with the role.

Contributor
Posts: 13
Registered: ‎09-16-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Kenlars -

We tried it and the DHCP request seems to always come from the default internal IP address as source address, not from the VLAN interface assigned by the role mapping.

If we use the Juniper local IP address pool, everything is OK, but when we use a DHCP server, it doesn't work. The user receives the address assigned to his role.

Thanks.

Yves

Recognized Expert
Posts: 420
Registered: ‎03-24-2008
0 Kudos

Re: 802.1Q tagged VLANs on the internal port

Netadmin -
Others have reported in this thread that you get VLAN functionality even if you don't have the IVS license.  I don't see the VLAN tab on any of the SA's that I have on which I don't have an IVS license, and I see the tab on all SA's I have which have an IVS license.  The description of VLANs in the Admin Guide is within the IVS section.  It still is a mystery to me as to how you could define a VLAN if you do not have an IVS license.