Hi,

You can refer the C&E guide, volume 2

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_fundamentals.pdf

Thanks,

Hardeep

The ScreenOS terminology for this is "sub-interface"  VLAN in the interface is only used in transparent mode for the box management.  The basic steps are to create a sub-interface and assign the vlan tag and the zone.  You can also give this an ip address if needed.

To set a vlan on an interface, use:
unset int e0/1 IP
unset int e0/1 zone
set zone name zone10
set zone name zone20
set interface ethernet0/1.1 tag 10 zone zone10
set interface ethernet0/1.2 tag 20 zone zone20
set interface ethernet0/1.1 ip 192.168.10.1/24
set interface ethernet0/1.2 ip 192.168.20.1/24

For the instructions on implementing vlan subinterfaces you'll need the screenos documentation for the version loaded on your device. 

The configuration of vlans is covered in volume 10 "Virtual Systems".

http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html

Thanks very much, greatly appreciated.

- aurfalien

Hi,

Since I am using bgroups and assingning physical ports to them, can I create subinterfaces on my unused ports and assign a subinterface to a bgroup?

For example, I have;

bgroup0 and bgroup1

2 untrust ports, each to a different ISP (WAN).

I have several spare ports currently split to bgroup0 and 1 and are trusted (LAN).

I assume that I would;

1) Take a few of those currenlty assigned trusted physical ports and un assign them from bgroup0 and/or 1.

2) Create 2 subinterfaces on each physical interface.

3) Assign each subinterface to its respective bgroup.

- aurf

No, unfortunately subinterfaces cannot belong to a bgroup.

I have not tested this, but you could try this

• Put the subinterface into the same zone as your bgroup
• leave the ip address unfigured so the interface is layer 2

Then see if the devices on the bgroup can see those on the subinterface vlan connection.

Leave the interfaces bound to the bgroup, and then create a subinterface of the bgroup itself.

Wow, seems like a very eleganty solution.

TAC couldn't really help me on this one.

Would I need a static route or will packets route?

I have a DHCP server on bgroup0 and wondering if bgroup0.1 will get DHCP passed through it?

I would assume that no static route is needed because its a sub bgroup so we have properties that are inherited from its bgroup parent of sorts?

Thanks again for the post, the sub bgroup is very very slick!

- aurf

No, you do not need static routes. Connected routes are automatically installed for the subnets defined on your subinterfaces.

As for DHCP, you'll need to enable DHCP server on each on the subinterfaces for each of the corresponding subnet where you need DHCP service.

Thing is that I already have a DHCP server on that network so is it possible to pass traffic to the sub bgroup?

So for example I have 2 bgroups;

bgroup0

10.0.10.1/16

bgroup1

192.168.1.1/24

I then create bgroup0.1 to have 192.168.1.2/24 with as vlan tag of 20.

And bgroup 1.1 to have 10.0.10.2/16 with a vlan tag of 10.

I have a DHCP server some where on bgroup0 that I would like to reach bgroup1.1.

Like wise, I also have a DHCP server on brgoup1 that I would like to reach bgroup0.1.

What I am trying to achieve is a WiFi AP capable of supporting a few diff networks via VLANs and having my physical interface support both LANs in house; 10.0.10.0/16 and 192.168.1.0/24.

- aurf