Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  SSG5 VLAN Problem

    Posted 06-09-2009 01:22

    Hello !

     

    I recently purchased an SSG5 firewall with the default license. I made it work very well with a really basic setup and that's good 🙂 Now I want to use VLANs on eth0/2 and I have some problems.
    I have 1 VLAN (for the moment, ID 3). I created the subinterface eth0/2.3 - IP address 192.168.5.254 - enabled ping and associated it with an L3 zone.

    I also have a switch with 802.1q support with my VLAN configured and the trunk link connected to the eth0/2 physical interface.
    (HP Procurve 2650 - client ports = "untagged" ; SSG port = "tagged" for all VLANs)

    I try to ping 192.168.5.254 from a PC in VLAN 3 (PC address: 192.168.5.129).

    When I capture the output of the cable plugged into eth0/2 I see 802.1q tagged ARP traffic (with VLAN ID 3 of course). I see the SSG5 eth0/2 light blinking but it never answers the ping requests.

    I also tried to enable DHCP on the subinterface eth0/2.3. But it doesn't work.


    Do you understand why? Did I miss something?


    I'm running version 6.1.0r2.0 of ScreenOS.


    Thank You !

    Message Edited by newbie_6 on 06-09-2009 01:25 AM

    #SSG5
    #vlan


  • 2.  RE: SSG5 VLAN Problem

    Posted 06-09-2009 07:52
    Errr........I don't think firewall interfaces respond to ping by default


  • 3.  RE: SSG5 VLAN Problem

    Posted 06-09-2009 09:49

    Use the "get int eth0/2.3" CLI to find out if ping is enabled.

     

    You can enable ping via "set interface ethernet0/2.3 manage ping"

    If you still have the same issue, run the following commands:

    debug flow basic

    set ff dst-ip 192.168.5.254

    set ff src-ip 192.168.5.254

    cl db

    <Start ping>

    get db str    > Post this output



  • 4.  RE: SSG5 VLAN Problem

    Posted 06-09-2009 22:23

    How did you try to configure the DHCP? Did you get some error?

     

    I managed to do it fine on my firewall. Did you remember to set up the pool and enable it on the interface? Without those things, it won't work.



  • 5.  RE: SSG5 VLAN Problem

    Posted 06-10-2009 01:17
    Hi Newbie,

    Did you enable PING on the SSG's sub-interface?
    Do you see the SSG's entry in the ARP table of the client?

    You could try to see traffic with "debug flow basic" or "snoop" on the SSG's CLI.
    Also be sure to try to ping from the SSG and check if any of the clients is in its ARP table.



  • 6.  RE: SSG5 VLAN Problem
    Best Answer

    Posted 06-11-2009 03:33

    Thank You all!

     

    Ping was enabled on the interface but "debug flow basic" told me that there were some 802.1x problems. 802.1x was enabled. Arg. I just disabled it, and it works fine now.

     

    Thank you again,
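
The symptom in this thread (VLAN 3 tagged ARP requests for 192.168.5.254 visible on the trunk, no replies, 802.1X enabled on the port) can be checked from a packet capture. The following is an added example, not code from the thread or from Juniper: it decodes Ethernet frames with an optional 802.1Q tag and flags unanswered ARP requests alongside EAPOL (EtherType 0x888E) traffic. The MAC addresses and frames are constructed, and the presence of EAPOL frames from the firewall in the capture is an assumption.

```python
import struct

ETH_8021Q, ETH_ARP, ETH_EAPOL = 0x8100, 0x0806, 0x888E

def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame, including one optional 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN ID
    info = {"vlan": vlan, "ethertype": ethertype, "kind": "other"}
    payload = frame[offset:]
    if ethertype == ETH_ARP and len(payload) >= 28:
        oper = struct.unpack("!H", payload[6:8])[0]
        info["kind"] = "arp-request" if oper == 1 else "arp-reply"
        info["target_ip"] = ".".join(str(b) for b in payload[24:28])
    elif ethertype == ETH_EAPOL:
        info["kind"] = "eapol"  # 802.1X port authentication traffic
    return info

def diagnose(frames, gateway_ip, vlan):
    """Are ARP requests for the gateway answered, and is 802.1X active on the link?"""
    parsed = [parse_frame(f) for f in frames]
    asked = sum(p["kind"] == "arp-request" and p["vlan"] == vlan
                and p.get("target_ip") == gateway_ip for p in parsed)
    replied = sum(p["kind"] == "arp-reply" and p["vlan"] == vlan for p in parsed)
    eapol = sum(p["kind"] == "eapol" for p in parsed)
    return {"arp_requests": asked, "arp_replies": replied, "eapol_frames": eapol,
            "dot1x_suspected": asked > 0 and replied == 0 and eapol > 0}

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

# Constructed sample frames (not taken from the poster's capture).
PC, FW = mac("00:11:22:33:44:55"), mac("00:aa:bb:cc:dd:ee")
ARP_REQ = (b"\xff" * 6 + PC + struct.pack("!HHH", ETH_8021Q, 3, ETH_ARP)
           + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
           + PC + bytes([192, 168, 5, 129]) + b"\x00" * 6 + bytes([192, 168, 5, 254]))
# EAPOL v1, type 0 (EAP packet), carrying EAP-Request/Identity (code 1, id 1, len 5, type 1)
EAPOL = (mac("01:80:c2:00:00:03") + FW + struct.pack("!H", ETH_EAPOL)
         + struct.pack("!BBH", 1, 0, 5) + struct.pack("!BBHB", 1, 1, 5, 1))

if __name__ == "__main__":
    print(diagnose([ARP_REQ, ARP_REQ, EAPOL], "192.168.5.254", 3))
```

A result with `dot1x_suspected` set points at the port's 802.1X setting rather than at the VLAN tagging or the ping management option.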