Screen OS

last person joined: 8 months ago 

This is a legacy community with limited Juniper monitoring.

  • 1.  Add SubIF on existing interface, interference?

    Posted 03-01-2011 06:58

    Hi,

     

    A simple question:

     

    We have a Juniper SSG140, ScreenOS5.4 and we are about to replace it.

     

    I want to make changes to an interface which is currently in use: i want to create a SubIF on it.

     

    When adding this SubIF to this interface, is this going to interfere the network traffic or can i just easily change this during production hours? (IP of the SubIF is going to be in a total different range/subnet)

     

    Regards,

    J



  • 2.  RE: Add SubIF on existing interface, interference?
    Best Answer

    Posted 03-01-2011 07:28

    Hi

     

    You can only add sub-interfaces to an unnumbered interface.

     

    You will have to remove the ip address and VLAN tagging, then create your sub-interfaces, and then add the IP address and VLAN numbers to the sub-interfaces.

     

    Ta

     

    Jude



  • 3.  RE: Add SubIF on existing interface, interference?

    Posted 03-01-2011 07:42

    SaffaJay:

     

    The interface in use right now only has one IP address, no vlan tag on it or whatsoever. It is a simple interface.



  • 4.  RE: Add SubIF on existing interface, interference?

    Posted 03-01-2011 08:53

    You can add your sub-if and just define the VLAN tag, IP, subnet mask, etc.  It won't interfere with your primary interface.  That being said -- always be careful making changes during production hours.  A simple typo *could* cause you an outage.  If you use the WebUI it's pretty safe...



  • 5.  RE: Add SubIF on existing interface, interference?

    Posted 03-01-2011 11:12

    Thanks Keith,

     

    We have another SSG140 which is standby using NSRP. Will the new SubIF's be replicated to the standby unit?



  • 6.  RE: Add SubIF on existing interface, interference?

    Posted 03-01-2011 12:40

    If you are running NSRP active/passive and you have "config sync" enabled for your cluster, then changes you make on the primary are replicated to the secondary. 



  • 7.  RE: Add SubIF on existing interface, interference?

    Posted 03-01-2011 14:18

    Hmmm... no idea about that. All policy settings and stuff are being replicated, i just remember something i read somewhere that stated something about 'interface settings are not being synchonized between NSRP members".

     

    We use firmware 5.4r3.



  • 8.  RE: Add SubIF on existing interface, interference?

    Posted 03-01-2011 16:38

    I would have to go digging through the documentation to find out for sure on that version... but I think if you have "set nsrp config sync" set on both nodes, it should work.

     

    You can always make the change on the primary, then log into the secondary and see if the change is there.  If not, you could try a "exec nsrp sync global-config save" command from the primary node.

     

    If all else fails and they won't sync that part of the config...  then just mirror the changes manually on the backup device.