Screen OS

  • 1.  SSG5, GUI setup multiple VLAN with Netgear ProSafe GS748T Switch

    Posted 10-02-2013 06:26

    Hello,

     

    Would anyone kindly show me how to set up three VLANs on the SSG5 and Netgear ProSafe GS748T Gigabit Smart Switch? The three VLANs must not communicate and have their own DHCP servers on the SSG5?

     

    I think I kind of got the switch set up. But the SSG5 is getting me so confused. ScreenOS would be easiest for me. I'm not familiar with CLI.

     

    I'm using the latest firmware on both devices.

     

    VLAN1 is for internal clients. ports 1-36 on switch

    VLAN2 is for public servers. ports 37-46 on switch

    VLAN3 is for a guest LAN and AP/ROUTER. ports 47,48 on switch

     

    I don't know what is the best way to utilize the ports on the SSG5, also? Should I have a cable for each VLAN to one separate port on the SSG5, in individual bgroups?

     

    We also have 5 or 8 public static IP from the ISP, with one mandatory primary one.

     

    Thanks anyone in advance!!



  • 2.  RE: SSG5, GUI setup multiple VLAN with Netgear ProSafe GS748T Switch
    Best Answer

     
    Posted 10-02-2013 19:52

    Hi,

     

    VLAN implementation in ScreenOS is done using 'sub-interfaces'. A sub-interface is a logical interface, bound to a physical interface and distinguished through a VLAN tag.

     

    Before you configure the SSG, you need to figure out the physical layout. Do you want to use a single physical interface or multiple interfaces?

     

    In case of 1 interface, you can create 3 separate sub-interfaces under it. For example, if e1/1 is the interface, create e1/1.1, e1/1.2 and e1/1.3, each bound to their own VLAN, subnet etc. You can configure a DHCP server on individual sub-interfaces. You can then connect e1/1 to the trunk port of your switch.

     

    In case of multiple physical interfaces, create sub-interfaces under each interface as above and proceed with VLAN assignment and IP configuration.



  • 3.  RE: SSG5, GUI setup multiple VLAN with Netgear ProSafe GS748T Switch

    Posted 10-03-2013 02:44

    Hello,

     

    Thanks for your reply. I wouldn't mind using multiple ports, one for each VLAN if I can somehow get the first one to work.

     

    For my first attempt to have all VLANs pass thru one port, I created a sub-IF under bgroup0 (bgroup0 only has interface 0/2). The new sub-IF is bgroup0.1 with DHCP Server activated and VLAN ID 4. VLAN4 Wi-Fi DHCP clients aren't getting an IP address when connected to a TP-Link WL-WR940N set as just an access point connected to the switch, then the switch to the SSG5.

     

     

     

    I'm also unable to remove bgroup0.1. It constantly says it's in use. I can't remove IP or set it to null.

     

    I

     

     

     

    Should I use a port interface sub-IF instead?



  • 4.  RE: SSG5, GUI setup multiple VLAN with Netgear ProSafe GS748T Switch

     
    Posted 10-03-2013 18:56

    Hi,

     

    Does your switch insert the VLAN tag into packets before forwarding them out to the firewall? If packets hit the sub-interface without a VLAN tag, they will be dropped.
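
The tag check that reply 4 asks about, modelled as an added example (not part of the original thread, and not ScreenOS code): it reads the 802.1Q tag of an Ethernet frame and picks the interface that would receive it. The sub-interface names and VLAN IDs 4 and 5 follow the thread; the mapping table, the constructed sample frames, handing untagged frames to the parent interface and dropping unknown tags are assumptions of this model.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Hypothetical table modelled on the thread: tags 4 and 5 on sub-interfaces
# of bgroup0. Names and IDs are illustrative, not read from a device.
SUBINTERFACES = {4: "bgroup0.1", 5: "bgroup0.2"}
PARENT = "bgroup0"


def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits are the VID; the top 4 are PCP/DEI


def classify(frame: bytes) -> str:
    """Name the interface that receives the frame in this model."""
    vid = vlan_id(frame)
    if vid is None:
        # Assumption: an untagged frame never matches a sub-interface and is
        # handled by the parent interface (and so by its DHCP scope).
        return PARENT
    # Assumption: a tag with no matching sub-interface is dropped.
    return SUBINTERFACES.get(vid, "drop")


def build_frame(vid=None, payload=b"\x00" * 46) -> bytes:
    """Construct a sample frame (constructed test data, not a capture)."""
    dst = b"\xff" * 6                      # broadcast, as a DHCP DISCOVER uses
    src = bytes.fromhex("020000000001")    # locally administered MAC
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    for vid in (None, 4, 5, 7):
        print(vid, "->", classify(build_frame(vid)))
```

In this model a client whose frames leave the switch untagged is served by the parent interface, so the uplink port's tagging for VLANs 4 and 5 is the first thing to confirm on the switch.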

     



  • 5.  RE: SSG5, GUI setup multiple VLAN with Netgear ProSafe GS748T Switch

    Posted 10-04-2013 01:53

    Hello Gokul,

    Yes, I'm able to tag the VLANs with ID#. Oddly, I got it to work last night with the first secondary VLAN, using 192.168.10.x and an ID of 4.

     

    When I added a new VLAN with an ID of 5 using 192.168.5.1, and changed the fourth from 192.168.10.1 to 192.168.4.1, all three VLANs with Route, it stopped passing thru the DHCP IP to clients for VLAN 4 and 5.

     

    The default and VLAN 4 interfaces were set to NAT for some reason last night.



  • 6.  RE: SSG5, GUI setup multiple VLAN with Netgear ProSafe GS748T Switch

    Posted 10-04-2013 07:02
    I finally got it to work again. But instead of a Sub-IF of a port, I got it to work under a Sub-IF of bgroup0. I couldn't add a Sub-IF under my active port 0/2, nor was I able to remove Sub-IF bgroup0.1.

    But now, MIP or VIP to one of my new VLAN clients doesn't work.


  • 7.  RE: SSG5, GUI setup multiple VLAN with Netgear ProSafe GS748T Switch

     
    Posted 10-08-2013 20:48

    Hi,

     

    Did you get the VIP/MIPs to work?



  • 8.  RE: SSG5, GUI setup multiple VLAN with Netgear ProSafe GS748T Switch

    Posted 10-10-2013 05:06

    Hello Gokul,

     

    I got VIP and MIP to work.

     

    But for some reason, DHCP clients getting IPs from the SSG5 on VLAN4 or VLAN5 is not working again.

     

    Clients would always get IP addresses for the main VLAN.