SSL VPN
Recognized Expert
kenlars

Re: 802.1Q tagged VLANs on the internal port

Ives -

Have you tried it with the default VLAN for the IVS set to the VLAN you are assigning? I think the SA sends all management traffic, which might include the DHCP request, over the default VLAN. This would also mean, however, that the authentication, logging, archiving data, etc., from the IVS would also be put on that VLAN. Not sure if this configuration would work for you...

Contributor
netadmin

Re: 802.1Q tagged VLANs on the internal port

Are you running the recent firmware? The previous version I had, 5.5R2, didn't have a VLAN tab, but when I upgraded to 6.1R2 it has the VLAN tab that enables us to create 2 or more VLANs etc., though I'm having a hard time enabling tagging on the Internal Port to support those VLANs. Anyone?

Thanks

Recognized Expert
kenlars

Re: 802.1Q tagged VLANs on the internal port

I'm on 6.0R5 with a hotfix. It must be that VLANs were added to the basic set in 6.1.

You don't have to do anything special to tell the SA to do 802.1q trunking. All you have to do is to define the VLANs. You do have to configure your switch to let it know this is a trunk port rather than an access port.

Contributor
Yves

Re: 802.1Q tagged VLANs on the internal port

Kenlars -

We have an SA 6500 with 6.2R2-1 in test. We don't have an IVS license.

We have the default VLAN with two other VLANs configured on the internal interface. Effectively the DHCP request works fine if we assign the default VLAN with a role.

Thanks

Yves

Regular Visitor
GarethM

Re: 802.1Q tagged VLANs on the internal port

Hi Yves,

I have come across the same problem myself. I am in a position where I need to assign static IPs to users connecting via NC and want to reserve addresses for them to 'ease' the management.

I have set the role in its own VLAN but a capture on my DHCP server shows the source address as being the default internal IP address, not the VLAN the NC profile belongs to.

Did you have any luck or are you going to just use the default internal IP address rather than vlanning it off?

Cheers,

Gareth

Recognized Expert
kenlars

Re: 802.1Q tagged VLANs on the internal port

Gareth -

Have you set the VLAN/Source IP under the General tab for the role to select the desired VLAN?

Ken

Regular Visitor
GarethM

Re: 802.1Q tagged VLANs on the internal port

Hi Ken,

Yep, I have selected that and, like Yves, when I use the IVE to issue DHCP it is cool, but when I point it to my DHCP server, the DHCP server receives packets with the source address of the default internal VLAN.

After the post I actually tried adding a static route for my DHCP server in the NC VLAN route table but unfortunately it did not work; the DHCP server still received DHCP requests from the default internal VLAN.

Cheers,

Gareth
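
Added example (not part of any post in this thread): one way to confirm, from a frame captured on the DHCP server, which interface address a DHCP request was sourced from, which is the check GarethM describes. The frame builder, subnets, and interface names are constructed assumptions, not values from the thread.

```python
import ipaddress
import struct

def dhcp_source_info(frame):
    """Return VLAN tag, IP source and BOOTP giaddr of an Ethernet frame sent to UDP/67."""
    offset, vlan = 14, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100:  # 802.1Q tag: 2-byte TCI, then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        offset, vlan = 18, tci & 0x0FFF
    if ethertype != 0x0800 or frame[offset + 9] != 17:
        raise ValueError("not IPv4/UDP")
    src = ipaddress.IPv4Address(frame[offset + 12:offset + 16])
    udp = offset + (frame[offset] & 0x0F) * 4  # skip IPv4 header (IHL is in 32-bit words)
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != 67:
        raise ValueError("not addressed to a DHCP server")
    bootp = udp + 8
    # giaddr is non-zero only when the request passed through a relay agent
    giaddr = ipaddress.IPv4Address(frame[bootp + 24:bootp + 28])
    return {"vlan": vlan, "src": src, "giaddr": giaddr}

def originating_interface(frame, interfaces):
    """Name the interface subnet the request was sourced from, or None if none match."""
    src = dhcp_source_info(frame)["src"]
    for name, subnet in interfaces.items():
        if src in ipaddress.ip_network(subnet):
            return name
    return None

def build_sample(src_ip, vlan=None, giaddr="0.0.0.0"):
    """Construct a minimal DHCP request frame (test data, not a real capture)."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    bootp = bytearray(240)
    bootp[0] = 1  # op = BOOTREQUEST
    bootp[24:28] = ipaddress.IPv4Address(giaddr).packed
    udp = struct.pack("!HHHH", 67, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address("192.0.2.53").packed)
    return eth + ip + udp + bytes(bootp)

# Constructed addressing: subnets and names are assumptions, not from the thread.
INTERFACES = {"default-internal": "10.10.0.0/24", "nc-role-vlan": "10.20.0.0/24"}

if __name__ == "__main__":
    frame = build_sample("10.10.0.5")  # request sourced from the default internal address
    print(dhcp_source_info(frame), originating_interface(frame, INTERFACES))
```

A result of `default-internal` for a session whose role is bound to the other VLAN reproduces the symptom reported above.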

Recognized Expert
kenlars

Re: 802.1Q tagged VLANs on the internal port

Gareth -

I recommend you open a JTAC case. It would seem to me that any DHCP request should be sent from the SA's address on the specified VLAN for the role, and that clearly is not occurring. In the admin manual, there is a section on using a shared DHCP server for multiple IVSs, with some way for the DHCP server to differentiate between the requests. So you might be able to do what you want to do if you implement IVSs. I'd see this as a workaround, not as a permanent correction to the problem.

I'm seeing the same behavior with an autoproxy PAC file I have which uses the source IP address of the client to make decisions about the correct proxy. When the SA is creating the instantproxy.pac file, it clearly fetches the PAC file from the source address of the default VLAN for the IVS instead of the source address of the VLAN assigned to the role. I've found a workaround for this - the PAC file allows the source IP to be hard-coded in the URL instead of getting it from the client address - but I don't think I should have to use this workaround.

Contributor
Tigeli

Re: 802.1Q tagged VLANs on the internal port

Hi,

I opened a case for this. Even though I have the IVS feature enabled, I do not want to make a new IVS for every VLAN on which we want to enable NC and have the DHCP server enabled. =)

Br,

Pasi

Contributor
Yves

Re: 802.1Q tagged VLANs on the internal port

Hi,

We will open a JCARE case for this even. We want to know if it's a bug or if it's not supported.

Thanks,

Yves
