Screen OS

  • 1.  SSG5 W Include Built-In Wireless In Sub-Interface and VLAN

    Posted 06-30-2014 13:17

    Sorry if this sounds a bit silly but I am playing around with creating some VLANs on a switch and using a trunk port to connect to our SSG5-Serial-WLAN and I understand that the concept is as follows:

     

    1. Create a layer 3 zone for each VLAN

    2. Find an empty, unused, physical port that has no IP or Zone assigned to it

    3. Create a sub-interface using one of the layer 3 zones created for the VLANs, assign it to the physical port, and assign the VLAN Tag as well as an IP/Netmask

    4. Repeat for each VLAN and assign each sub-interface a different zone

    5. Configure policies and routes accordingly

     

    Please correct me if these steps are wrong or missing something. Aside from that, my question is, is there any way to include the built-in wireless to be part of one of these VLANs? I suppose that the tagging happens at the switch so I'm not sure how the Juniper could interject with the tagging on its own wireless. I'm just wondering if there is a way to have one of the built-in wireless interfaces be on the same subnet as one of the VLANs. Is the only way out of this to connect a WAP to the switch doing the tagging? I also noticed that I am able to make a sub-interface on a bgroup but I have no idea what that can be used for. Sorry if this sounds confusing. Let me know if anything needs more clarity and thank you in advance for your time!



  • 2.  RE: SSG5 W Include Built-In Wireless In Sub-Interface and VLAN
    Best Answer

    Posted 06-30-2014 14:48

    You don't have to have an unused physical port.  The interface will tag the traffic based on which interface it is sent out.  It is not possible to create a subinterface on the wireless interfaces.  Each sub interface requires its own IP and subnet, and by default, they cannot overlap.  For example:

     

    set int eth0/0.1 tag 100
    set int eth0/0.1 ip 1.1.1.1/24

    set int eth0/1.1 tag 100
    set int eth0/1.1 ip 2.2.2.1/24

    If you try to configure eth0/1.1 with an IP of 1.1.1.2, it will fail.  There are ways around this, but it is not recommended as it can cause conflicts.

     

    Even though the interfaces have the same tag, they are not bundled together in any way.
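
The overlap rule described in the answer above, as an added example that is not part of the original post: a Python pre-check that parses `set int ...` lines in the abbreviated form used in this thread and reports sub-interfaces whose subnets overlap, along with VLAN tags reused on more than one sub-interface. The sample configuration is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the answer's failing case (eth0/1.1 given 1.1.1.2)
# plus one unrelated sub-interface.
SAMPLE_CONFIG = """\
set int eth0/0.1 tag 100
set int eth0/0.1 ip 1.1.1.1/24
set int eth0/1.1 tag 100
set int eth0/1.1 ip 1.1.1.2/24
set int eth0/2.1 tag 200
set int eth0/2.1 ip 2.2.2.1/24
"""

# Matches the "set int <name> tag <n>" and "set int <name> ip <addr/len>" forms.
LINE_RE = re.compile(r"^set\s+int(?:erface)?\s+(\S+)\s+(tag|ip)\s+(\S+)", re.I)


def parse_interfaces(config):
    """Return {interface: {"tag": int or None, "ip": ip_interface or None}}."""
    ifaces = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, key, value = m.groups()
        entry = ifaces.setdefault(name, {"tag": None, "ip": None})
        if key.lower() == "tag":
            entry["tag"] = int(value)
        else:
            entry["ip"] = ipaddress.ip_interface(value)
    return ifaces


def find_overlaps(ifaces):
    """Pairs of interfaces whose subnets overlap (refused by default, per the answer)."""
    nets = sorted((n, e["ip"].network) for n, e in ifaces.items() if e["ip"])
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def shared_tags(ifaces):
    """Tags used on several sub-interfaces; a shared tag does not bundle them."""
    by_tag = {}
    for name, e in ifaces.items():
        if e["tag"] is not None:
            by_tag.setdefault(e["tag"], []).append(name)
    return {t: sorted(n) for t, n in by_tag.items() if len(n) > 1}
```
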



  • 3.  RE: SSG5 W Include Built-In Wireless In Sub-Interface and VLAN

    Posted 07-01-2014 05:05

    This makes sense. Thank you so much for the info! So is this why you can create a subinterface on a bgroup? If so, do you simply treat it as a single interface? Would you be able to do the workaround by using different virtual routers? Either way, it does certainly sound messy and I would agree to avoid it. Thank you so much again!



  • 4.  RE: SSG5 W Include Built-In Wireless In Sub-Interface and VLAN

    Posted 07-01-2014 09:20

    Think of subinterfaces as dividing the physical interface into multiple interfaces.  If traffic comes in without a VLAN tag, it will go to the non sub interface.  You could get around this by using multiple VRs, but like you said, it gets messy.