Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  SSG350M with ScreenOS 6.3 multiple ip addresses on a single port

    Posted 10-17-2013 05:04

    I'm trying to set up this device for the first time.  On the trust side of the firewall, I have two subnets.  I've been reading the documents, but I am still not sure how to assign multiple IPv4 addresses to the same interface.  Any suggestions would be greatly appreciated.  Oh, I'm not running any 802.1Q VLANs, just running both subnets across the same physical switch.



  • 2.  RE: SSG350M with ScreenOS 6.3 multiple ip addresses on a single port
    Best Answer

    Posted 10-17-2013 06:57

    From ScreenOS Admin Guide

    NOTE: You cannot set multiple secondary IP addresses for interfaces in the Untrust
    zone.

    Each ScreenOS interface has a single, unique primary IP address. However, some
    situations demand that an interface have multiple IP addresses. For example, an
    organization might have additional IP address assignments and might not wish to
    add a router to accommodate them. In addition, an organization might have more
    network devices than its subnet can handle, as when there are more than 254 hosts
    connected to a LAN. To solve such problems, you can add secondary IP addresses
    to an interface in the Trust, DMZ, or user-defined zone.

    Secondary addresses have certain properties that affect how you can implement
    such addresses. These properties are as follows:
    ■ There can be no subnet address overlap between any two secondary IP addresses.
    In addition, there can be no subnet address overlap between a secondary IP and
    any existing subnet on the security device.
    ■ When you manage a security device through a secondary IP address, the address
    always has the same management properties as the primary IP address.
    Consequently, you cannot specify a separate management configuration for the
    secondary IP address.
    ■ You cannot configure a gateway for a secondary IP address.
    ■ Whenever you create a new secondary IP address, the security device
    automatically creates a corresponding routing table entry. When you delete a
    secondary IP address, the device automatically deletes its routing table entry.

    Enabling or disabling routing between two secondary IP addresses causes no change
    in the routing table. For example, if you disable routing between two such addresses,
    the security device drops any packets directed from one interface to the other, but
    no change occurs in the routing table.

    In this example, you set up a secondary IP address—192.168.2.1/24—for ethernet0/1,
    an interface that has IP address 10.1.1.1/24 and is bound to the Trust zone.

    WebUI

    Network > Interfaces > Edit (for ethernet0/1) > Secondary IP: Enter the following,
    then click Add:

    IP Address/Netmask: 192.168.2.1/24

    CLI

    set interface ethernet0/1 ip 192.168.2.1/24 secondary
    save
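
Added example, not part of the original reply or of the ScreenOS guide: a pre-change check in Python of the two constraints quoted above (no secondary address on an Untrust-zone interface, no subnet overlap with anything already on the device) before the `set interface ... secondary` line is typed. The function names and the address inventory are assumptions made for illustration; the script does not query the device.

```python
import ipaddress


def check_secondary(candidate, interface, zone, existing):
    """Return a list of problems; an empty list means the candidate passes.

    candidate: address/prefix proposed as a secondary IP, e.g. "192.168.2.1/24"
    existing:  dict of label -> address/prefix already configured on the device
               (hypothetical inventory, typed in by hand from the running config)
    """
    problems = []
    # Quoted note: secondary IP addresses cannot be set in the Untrust zone.
    if zone.strip().lower() == "untrust":
        problems.append(f"{interface} is bound to the Untrust zone")
    try:
        cand = ipaddress.IPv4Interface(candidate)
    except ValueError as exc:
        problems.append(f"invalid address {candidate!r}: {exc}")
        return problems
    # Quoted property: no overlap with any other secondary IP or existing subnet.
    for label, addr in existing.items():
        net = ipaddress.IPv4Interface(addr).network
        if cand.network.overlaps(net):
            problems.append(f"{cand.network} overlaps {net} ({label})")
    return problems


def cli_for(candidate, interface):
    """Build the CLI line in the form shown in the guide excerpt."""
    cand = ipaddress.IPv4Interface(candidate)
    return f"set interface {interface} ip {cand.with_prefixlen} secondary"


if __name__ == "__main__":
    # Constructed inventory: the first entry is the guide's example primary
    # address, the second is invented to show an overlap being caught.
    inventory = {
        "ethernet0/1 primary": "10.1.1.1/24",
        "ethernet0/2 primary": "192.168.0.1/22",
    }
    issues = check_secondary("192.168.2.1/24", "ethernet0/1", "Trust", inventory)
    if issues:
        for issue in issues:
            print("REJECT:", issue)
    else:
        print(cli_for("192.168.2.1/24", "ethernet0/1"))
        print("save")
```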



  • 3.  RE: SSG350M with ScreenOS 6.3 multiple ip addresses on a single port

    Posted 10-17-2013 07:19

    Thanks!  I just found that section in the ScreenOS Reference Guide for 6.3.  🙂

    Thanks Again!