Screen OS

Hello there!

I actually have a network composed of a Cisco 2800 router, attached to a switch.
They communicate through three 802.1q tagged VLANs (workstations, production, management).

I would like to put the NS50 between the router and the switch.

It is set to transparent mode, so the VLAN tagging stays.
All VLANs are working properly, but I can't reach the NS50 WebUI..

An IP is set for vlan1 interface, but it is unreachable..

Any ideas how I could access the WebUI through my management VLAN (tagged 30) on my NS50 set to transparent mode?


Thanks in advance for your replies and your help!

Hi,

 

Do you have manage access and appropriate routes on the vlan interface, Example : https://kb.juniper.net/InfoCenter/index?page=content&id=KB5532&actp=METADATA

 

Thanks,

Vikas

Hi Vikas, thanks for your answer!

 

I'll check the routes this afternoon, but I can access the WebUI when the trust interface is on an untagged port on the switch, but while doing this I can't reach the router anymore, as he runs on a tagged interface.

 

 

I also tried adding a new zone on the firewall attached to eth3 with management enabled and connected to an untagged port on the switch.

 

By using this way, and with only eth3 connected, I can access the WebUI with no problem as long as eth1 is disconnected, and at the opposite, when eth1 is connected and eth3 disconnected I can reach the router without any problem, but both connected won't work because it will create a loop and indefinitely repeat broadcasts...

Hi,

 

I understand that vlan1 is not working with tagged traffic and working when it's untagged. Can you please try making vlan1 trunk port:

 

set int vlan1 vlan trunk

 

Or if you could configure new vlan iterface as set int vlan(vlan number) zone (zone name)  <-- this could be platform specific and may not work on NS50.

 

Thanks,

Vikas

 

 

Hi,

 

I tried to make the vlan1 trunk port, but wether it is set or not, I still can't access the WebUI.

I also tried to retag my management vlan from actual tag 30 to tag 1, but won't help.

 

I'll try creating a new vlan this afternoon, and I'll give you a feedback about this asap.

 

Again, thanks for your help!

~Kiwis.

If nothing works then we can do a debug flow basic to see wha't happening with the incoming management traffic.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB12208

 

Thanks,

Vikas

When in transparent mode the mgmt vlan1 is always untagged.  ScreenOS expects the device to be in a single broadcast domain and the ip address for management in untagged frames.

 

I am pretty sure this is not configurable.

 

I would also test to see if ScreenOS can process rules on the tagged traffic.  The expectation of transparent mode is single broadcast domain.  So there is a possibility you will not be able to inspect and write rules against the tagged traffic.

Hi,

 

Hmm okay, what could then be the solution? Putting the NS50 in L3 mode with as many sub IFs as vlans?

Or maybe placing it in front of the router? But then I'm not sure how to access the WebUI..

 

Any advice of how I could set everything up?

 

Thanks!

~Kiwis.

This is an unusual setup.  But I think it should work.

 

Add the desired interfaces to a bgroup

 

create sub interfaces on the bgroup for each vlan and assign the necessary tag

on the mgmt vlan also assign an ip address to the subinterface

enable the mgmt service options on that subinterface so you can access the web UI from there

Hi,

 

Thanks to both of you!

 

I'll make it this way, we'll see if it works.

I think it will also be easier to manage trafic that is flowing through the FW.

 

 

Again, thanks for your help!

~Kiwis.