ScreenOS Firewalls (NOT SRX)
Visitor
nvoth
Posts: 2
Registered: ‎07-11-2012

Help with SSG 320 in Transparent Mode in VLAN Tagged network

Hello,

 

We have an SSG 320 in transparent mode. It needs to pass several different VLAN tags from the untrusted side to the trusted side. I've figured out how to do that with:

 

   set interface vlan1 vlan trunk

 

However, once I put the firewall in place, I can no longer get to the VLAN1 interface for management. I assume that's because I need to be tagging the traffic to/from the VLAN1 interface, but I don't know how to do that. I can't find a way to directly assign a VLAN tag to VLAN1, so I assume some kind of sub-interface needs to be added, but I can't create "interface vlan1.600", which is the tag we'd need for the IP subnet assigned to the VLAN1 IP interface.

 

Any help on this would be greatly appreciated. I'm sure it's something simple I'm missing.

 

Thanks,

 

-Nick

Contributor
adgwytc
Posts: 81
Registered: ‎08-09-2010

Re: Help with SSG 320 in Transparent Mode in VLAN Tagged network

I don't know if this is the same on the 320, as I have only set this up for VLANs on the 5, 20 and 140; however, it is achieved on these through the interface level as follows:

 

GUI (Jweb)

 

1: Network / Interfaces / List

2: Top right hand corner there is a drop down list, choose Sub-if and click "New"

3: Interface name (Whatever the sub-interface is; remember this has to be a sub of the main interface you are utilising)

4: Zone name (Whatever zone you are placing the interface in - important for the policy rules)

5: IP Address and netmask (Whatever your addresses and masks are)

6: VLAN Tag (This is where you place your vlan tag for the trunk)

 

Then complete the rest as you want to complete it.

 

Hope this helps, if not, say what else is causing problems.

 

Distinguished Expert
spuluka
Posts: 2,554
Registered: ‎03-30-2009

Re: Help with SSG 320 in Transparent Mode in VLAN Tagged network


adgwytc lists the correct procedure, but your issue is that the vlan1 interface is a special one just for management access on the device. You cannot use this interface for transit traffic sub-interfaces.

 

You will create the sub-interfaces on the physical port that is connected to your switch trunk port.

 

Also note that the sub-interface number is NOT the VLAN tag but just an internal number for ScreenOS to track them. They start at 1 and there is a limit on how large this can be by device. The tag is explicitly configured as a separate parameter.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Visitor
nvoth
Posts: 2
Registered: ‎07-11-2012

Re: Help with SSG 320 in Transparent Mode in VLAN Tagged network

This makes sense guys. I'll give that a shot. Thanks again for your help.

 

-Nick
