09-16-2008 12:04 PM
Assignment to VLANs is done on a role basis. So, you need to do the following -
- Create the VLANs
- Create two roles and figure out how you are going to do role-mapping for the realm
- For each role, assign the VLAN in the VLAN/Source IP tab of the General setting for the role
- For each role, define NC Connection profiles which assign the appropriate address pool
Can we do the same thing, but using a DHCP server instead of the Juniper SA local address pool? If yes, how can I do it?
09-16-2008 12:34 PM
I've never used DHCP with VLANs, but I don't think there is any reason it would not work. I assume the DHCP request would be sent over the VLAN associated with the role.
09-16-2008 12:53 PM
We tried it, and the DHCP request always seems to come from the default internal IP address as the source address, not from the VLAN interface assigned by the role mapping.
If we use the Juniper local IP address pool, everything is OK, but when we use a DHCP server, it doesn't work. The user receives the address assigned to his role.
09-16-2008 12:55 PM
Others have reported in this thread that you get VLAN functionality even if you don't have the IVS license. I don't see the VLAN tab on any of the SAs I have on which I don't have an IVS license, and I see the tab on all SAs I have which have an IVS license. The description of VLANs in the Admin Guide is within the IVS section. It is still a mystery to me how you could define a VLAN if you do not have an IVS license.
09-16-2008 01:03 PM
Have you tried it with the default VLAN for the IVS set to the VLAN you are assigning? I think the SA sends all management traffic, which might include the DHCP request, over the default VLAN. This would also mean, however, that the authentication, logging, archiving data, etc., from the IVS would also be put on that VLAN. Not sure if this configuration would work for you...
09-16-2008 01:18 PM
Are you running the recent firmware? The previous version I had, 5.5R2, didn't have a VLAN tab, but when I upgraded to 6.1R2 it had the VLAN tab that enables us to create 2 or more VLANs, etc., though I'm having a hard time enabling tagging on the Internal Port to support those VLANs. Anyone?
09-16-2008 01:24 PM
I'm on 6.0R5 with a hotfix. It must be that VLANs were added to the basic set in 6.1.
You don't have to do anything special to tell the SA to do 802.1q trunking. All you have to do is to define the VLANs. You do have to configure your switch to let it know this is a trunk port rather than an access port.
09-17-2008 11:56 AM
We have an SA 6500 with 6.2R2-1 in test. We don't have an IVS license.
We have the default VLAN with two other VLANs configured on the internal interface. Effectively, the DHCP request works fine if we assign the default VLAN to a role.
09-23-2008 10:57 PM
I have come across the same problem myself. I am in a position where I need to assign static IPs to users connecting via NC and want to reserve addresses for them to 'ease' the management.
I have set the role in its own VLAN, but a capture on my DHCP server shows the source address as being the default internal IP address, not the VLAN the NC profile belongs to.
Did you have any luck, or are you going to just use the default internal IP address rather than VLANing it off?
09-24-2008 05:21 PM
Yep, I have selected that, and like Yves, when I use the IVE to issue DHCP it is cool, but when I point it to my DHCP server, the DHCP server receives packets with the source address of the default internal VLAN.
After the post I actually tried adding a static route for my DHCP server in the NC VLAN route table, but unfortunately it did not work; the DHCP server still received the DHCP request from the default internal VLAN.
09-25-2008 08:04 AM
I recommend you open a JTAC case. It would seem to me that any DHCP request should be sent from the SA's address on the specified VLAN for the role, and that clearly is not occurring. In the admin manual, there is a section on using a shared DHCP server for multiple IVSs, with some way for the DHCP server to differentiate between the requests. So you might be able to do what you want to do if you implement IVSs. I'd see this as a workaround, not as a permanent correction to the problem.
I'm seeing the same behavior with an autoproxy PAC file I have which uses the source IP address of the client to make decisions about the correct proxy. When the SA is creating the instantproxy.pac file, it clearly fetches the PAC file from the source address of the default VLAN for the IVS instead of the source address of the VLAN assigned to the role. I've found a workaround for this - the PAC file allows the source IP to be hard-coded in the URL instead of getting it from the client address - but I don't think I should have to use this workaround.
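A way to check the behaviour this thread describes from a capture taken on the DHCP server, as an added example that is not from any poster or from Juniper: it parses the IPv4/UDP/BOOTP headers of a relayed DHCP packet and reports whether the IP source and giaddr sit in the role's VLAN subnet or come from the SA's default internal address. The addresses, role names and the sample packet are constructed assumptions.

```python
import ipaddress
import struct

# Constructed assumptions, not values from the thread:
DEFAULT_INTERNAL_IP = ipaddress.ip_address("10.0.0.5")      # SA default internal port
ROLE_VLAN_SUBNETS = {                                        # VLAN subnet assigned per role
    "vlan20_users": ipaddress.ip_network("10.20.0.0/24"),
    "vlan30_admins": ipaddress.ip_network("10.30.0.0/24"),
}

def parse_dhcp_relay(packet: bytes):
    """Return (ip_src, giaddr) from a raw IPv4 + UDP + BOOTP/DHCP client->server packet."""
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if packet[9] != 17:                    # protocol field must be UDP
        raise ValueError("not UDP")
    ip_src = ipaddress.ip_address(packet[12:16])
    _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if dport != 67:                        # DHCP server port
        raise ValueError("not a DHCP client->server packet")
    bootp = packet[ihl + 8:]
    # BOOTP layout: op htype hlen hops | xid | secs flags | ciaddr yiaddr siaddr giaddr
    giaddr = ipaddress.ip_address(bootp[24:28])
    return ip_src, giaddr

def classify_relay_source(packet: bytes, role: str) -> str:
    """Does the relayed request come from the role's VLAN or from the default internal address?"""
    ip_src, giaddr = parse_dhcp_relay(packet)
    expected = ROLE_VLAN_SUBNETS[role]
    if ip_src in expected and giaddr in expected:
        return "ok: relayed from role VLAN"
    if ip_src == DEFAULT_INTERNAL_IP or giaddr == DEFAULT_INTERNAL_IP:
        return "mismatch: relayed from default internal address"
    return "mismatch: unexpected source"

def build_sample(ip_src: str, giaddr: str) -> bytes:
    """Build a minimal constructed IPv4/UDP/BOOTP DHCPDISCOVER as a relay would send it."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 1, 0x12345678, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, ipaddress.ip_address(giaddr).packed)
    bootp += b"\0" * 16 + b"\0" * 192 + b"\x63\x82\x53\x63"   # chaddr, sname/file, magic cookie
    bootp += b"\x35\x01\x01\xff"                              # option 53 = DHCPDISCOVER, end
    udp = struct.pack("!HHHH", 67, 67, 8 + len(bootp), 0) + bootp  # relay uses sport 67 -> dport 67
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(ip_src).packed, ipaddress.ip_address("10.0.0.1").packed)
    return ip + udp
```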
09-26-2008 09:09 AM
I opened a case for this. Even though I have the IVS feature enabled, I do not want to make a new IVS for every VLAN on which we want to enable NC and have a DHCP server enabled. =)