03-22-2012 05:36 PM
Would anyone mind pointing me to where I can get documentation specific to setting up VLANs on my SSG5 and SSG140?
I suspect the same doc will apply to both as they run ScreenOS, but I just wanted to be thorough in my product description.
I would like some of the same interfaces on my SSGs to support two different networks.
Thanks in advance.
03-23-2012 04:01 AM
The ScreenOS terminology for this is "sub-interface". The VLAN setting on the interface itself is only used in transparent mode for management of the box. The basic steps are to create a sub-interface and assign the VLAN tag and the zone. You can also give this an IP address if needed.
To set a VLAN on an interface, use:
unset interface ethernet0/1 ip
unset interface ethernet0/1 zone
set zone name zone10
set zone name zone20
set interface ethernet0/1.1 tag 10 zone zone10
set interface ethernet0/1.2 tag 20 zone zone20
set interface ethernet0/1.1 ip 192.168.10.1/24
set interface ethernet0/1.2 ip 192.168.20.1/24
For the instructions on implementing VLAN sub-interfaces you'll need the ScreenOS documentation for the version loaded on your device.
The configuration of VLANs is covered in Volume 10, "Virtual Systems".
03-29-2012 03:06 PM
Since I am using bgroups and assigning physical ports to them, can I create sub-interfaces on my unused ports and assign a sub-interface to a bgroup?
For example, I have:
bgroup0 and bgroup1
2 untrust ports, each to a different ISP (WAN).
I have several spare ports currently split between bgroup0 and 1 that are trusted (LAN).
I assume that I would:
1) Take a few of those currently assigned trusted physical ports and unassign them from bgroup0 and/or 1.
2) Create 2 sub-interfaces on each physical interface.
3) Assign each sub-interface to its respective bgroup.
03-31-2012 04:42 AM
No, unfortunately sub-interfaces cannot belong to a bgroup.
I have not tested this, but you could try this:
Then see if the devices on the bgroup can see those on the sub-interface VLAN connection.
04-03-2012 04:38 PM
Wow, seems like a very elegant solution.
TAC couldn't really help me on this one.
Would I need a static route or will packets route?
I have a DHCP server on bgroup0 and wondering if bgroup0.1 will get DHCP passed through it?
I would assume that no static route is needed because it's a sub-bgroup, so we have properties that are inherited from its bgroup parent, of sorts?
Thanks again for the post, the sub-bgroup is very, very slick!
04-03-2012 04:58 PM
No, you do not need static routes. Connected routes are automatically installed for the subnets defined on your sub-interfaces.
As for DHCP, you'll need to enable the DHCP server on each of the sub-interfaces for each corresponding subnet where you need DHCP service.
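As an added example, not taken from this thread or from Juniper's documentation, here is the configuration the reply above describes, carried through for the bgroup sub-interfaces the questioner goes on to name (bgroup0.1 tagged 20 in 192.168.1.0/24, bgroup1.1 tagged 10 in 10.0.0.0/16): one DHCP server scope per sub-interface, followed by the show commands that confirm the connected routes and the scope without any static route. The zone placement, pool ranges and DNS address are assumptions, and the bgroup sub-interface syntax is assumed to mirror the ethernet0/1.x form shown earlier in the thread. The `#` lines are annotations for the reader; strip them before pasting into the CLI.

```screenos
# Added example, not the thread's own config.
# Assumed: zone "trust", pool ranges, DNS address, bgroupN.x syntax.

# Sub-interfaces on the two bgroups (tags as stated by the questioner)
set interface bgroup0.1 tag 20 zone trust
set interface bgroup0.1 ip 192.168.1.2/24
set interface bgroup1.1 tag 10 zone trust
set interface bgroup1.1 ip 10.0.10.2/16

# One DHCP server scope per sub-interface, per subnet
set interface bgroup0.1 dhcp server service
set interface bgroup0.1 dhcp server ip 192.168.1.100 to 192.168.1.150
set interface bgroup0.1 dhcp server option gateway 192.168.1.2
set interface bgroup0.1 dhcp server option netmask 255.255.255.0
set interface bgroup0.1 dhcp server option dns1 192.168.1.2
set interface bgroup0.1 dhcp server enable

set interface bgroup1.1 dhcp server service
set interface bgroup1.1 dhcp server ip 10.0.10.100 to 10.0.10.200
set interface bgroup1.1 dhcp server option gateway 10.0.10.2
set interface bgroup1.1 dhcp server option netmask 255.255.0.0
set interface bgroup1.1 dhcp server option dns1 10.0.10.2
set interface bgroup1.1 dhcp server enable

# Checks: the connected ("C") routes for both subnets appear on their own;
# the scope shows its leases once a client has pulled an address.
get route
get interface bgroup0.1
get dhcp server bgroup0.1 ip allocate
```

Two things worth checking before trusting this on a box that also carries guest WiFi. First, both sub-interfaces above sit in the same zone as their parent bgroup, and ScreenOS permits intra-zone traffic by default, so hosts on bgroup0.1 will reach hosts on bgroup0 without any policy; if a VLAN is meant to be isolated from the LAN, put it in its own zone (`set zone name guest`, then `... tag 20 zone guest`) and write explicit `set policy` rules, or use `set zone trust block` to require policies even inside the zone. Second, if you would rather keep the DHCP server you already have instead of a scope per sub-interface, ScreenOS also offers DHCP relay per interface (`set interface <if> dhcp relay ...`), which the thread does not discuss.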
04-03-2012 05:30 PM
Thing is, I already have a DHCP server on that network, so is it possible to pass traffic to the sub-bgroup?
So for example I have 2 bgroups:
I then create bgroup0.1 to have 192.168.1.2/24 with a VLAN tag of 20.
And bgroup1.1 to have 10.0.10.2/16 with a VLAN tag of 10.
I have a DHCP server somewhere on bgroup0 that I would like to reach bgroup1.1.
Likewise, I also have a DHCP server on bgroup1 that I would like to reach bgroup0.1.
What I am trying to achieve is a WiFi AP capable of supporting a few different networks via VLANs, and having my physical interface support both LANs in the house: 10.0.10.0/16 and 192.168.1.0/24.