Screen OS

  • 1.  SSG320, Cisco 3560 VLAN trunking issue

    Posted 12-18-2010 13:41

    Have a SSG320 with a fiber connection to a Cisco 3560 switch via int e3/1. I need to pass 2 vlans over this trunk (vlan 540, 900). I have 3/1.1 with IP address 172.21.59.65/28, tag 540 and ping enabled. I have the Cisco switch with g0/49 set to encapsulation dot1q, mode trunk, native vlan 540, and allowing vlan 540 and 900. On the switch is vlan 540 with IP address 172.21.59.66/28. The problem is I can not ping the switch from the firewall even when sourced from e3/1.1. No firewall policy needed. I also can not ping the firewall from the switch. I connected a laptop to an access port on the 3560 and put it in vlan 540. The laptop has IP address 172.21.59.67/28. I can not ping the firewall from the laptop.


    After working with JTAC we discovered using snoop that the switch is not tagging the frames. I'm not sure if I have a Cisco or Juniper problem at this point, so if someone could give the configs a look that would be awesome. I never expected this to be such a problem. Should be easy!


    The debug, the SSG and Cisco config are in the single .txt file attachment. Thanks!


    Thanks in advance!

    Attachment(s): Conifgs_18Dec2010.txt (19 KB)


  • 2.  RE: SSG320, Cisco 3560 VLAN trunking issue
    Best Answer

    Posted 12-18-2010 17:34

    I don't work with Cisco much, but I am pretty sure that in the Cisco world the native vlan will always be untagged.  I think you need to add the vlans to the trunk port without designating either of them as native mode.



  • 3.  RE: SSG320, Cisco 3560 VLAN trunking issue

    Posted 12-20-2010 09:17

    Solved. Once I removed the native vlan statement from the Cisco switch, everything worked as expected. Is there a way to set the native vlan on the firewall? Just curious. Thanks!



  • 4.  RE: SSG320, Cisco 3560 VLAN trunking issue

    Posted 12-20-2010 11:14

    The equivalent of the "native vlan" on the SSG would be configuring the ethernet interface without creating a sub-if.


    From your config:

    set interface "ethernet3/1.1" tag 540 zone "OOB-3560"
    set interface "ethernet3/1.2" tag 900 zone "HSGR-ADMS-OOB"
    ...
    set interface ethernet3/1.1 ip 172.21.59.65/28
    set interface ethernet3/1.1 route
    set interface ethernet3/1.2 ip 192.168.202.20/24
    set interface ethernet3/1.2 route

    You have VLAN 540 tagged on eth3/1.1, and 900 tagged on eth3/1.2.  Let's say you had VLAN 400 configured on your Cisco for the 172.10.10.0/24 network as an example -- your Cisco config might look something like this:

    interface Vlan540
     ip address 172.21.59.66 255.255.255.240
    !
    interface Vlan400
     ip address 172.10.10.1 255.255.255.0
    !
    ...
    interface GigabitEthernet0/49
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 400
     switchport trunk allowed vlan 400,540,900
     switchport mode trunk
    !

    That would send your 540 and 900 VLANs tagged with 802.1Q frames, and your 400 VLAN untagged to interface eth3/1 on your SSG.  On the SSG side, you would just configure ethernet 3/1 like so:

    set interface ethernet3/1 ip 172.10.10.2/24
    set interface ethernet3/1 route

    Since the frames are untagged, you don't have to configure a sub-if or VLAN tag.

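As an added illustration of the tagging behaviour discussed in this thread (example code, not from the thread or its attachment): the script builds constructed Ethernet frames, parses the 802.1Q header the way a snoop/packet capture would show it, and maps each frame onto the SSG interfaces from the original config (tag 540 to ethernet3/1.1, tag 900 to ethernet3/1.2, untagged to the parent ethernet3/1). It shows why frames from a Cisco native VLAN, which leave the trunk untagged, never reach the tagged sub-interface. The MAC addresses and interface map are assumptions for the demo.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Assumed mapping taken from the SSG config quoted in the thread:
# incoming tag -> sub-interface; untagged frames land on the parent interface.
SUBIF_BY_TAG = {540: "ethernet3/1.1", 900: "ethernet3/1.2"}
PARENT_IF = "ethernet3/1"


def build_frame(vlan=None, ethertype=0x0800):
    """Construct a minimal Ethernet frame, optionally carrying an 802.1Q tag."""
    dst = bytes.fromhex("001122334455")  # constructed sample MAC
    src = bytes.fromhex("66778899aabb")  # constructed sample MAC
    if vlan is None:
        hdr = struct.pack("!H", ethertype)          # plain EtherType
    else:
        tci = vlan & 0x0FFF                         # PCP=0, DEI=0, VID=vlan
        hdr = struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    return dst + src + hdr + b"\x45" + b"\x00" * 19  # dummy IPv4-ish payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype). VID 0 is a priority tag, i.e. untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return (vid if vid != 0 else None), inner


def classify(frame):
    """Name the SSG interface a frame would be delivered to, or why it is dropped."""
    vlan, _ = parse_frame(frame)
    if vlan is None:
        return PARENT_IF
    return SUBIF_BY_TAG.get(vlan, "dropped: no sub-interface for tag %d" % vlan)


if __name__ == "__main__":
    # Native VLAN 540 on the Cisco side means the 540 traffic arrives untagged and
    # is handed to ethernet3/1, which has no IP, so pings to 172.21.59.65 go unanswered.
    for vlan in (None, 540, 900, 400):
        print(vlan, "->", classify(build_frame(vlan)))
```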

  • 5.  RE: SSG320, Cisco 3560 VLAN trunking issue

    Posted 12-18-2010 19:08

    Steve is right, remove the "switchport trunk native vlan 540" from interface g0/49.  That will send both VLANs 540 and 900 with 802.1Q tags.