03-22-2012 05:36 PM
Would anyone mind pointing to where I can get documentation specific to setting up VLANs on my SSG5 and SSG140?
I suspect the same doc will apply to both as they run ScreenOS, but I just wanted to be thorough in my product description.
I would like some of the same interfaces on my SSGs to support 2 diff networks.
Thanks in advance.
03-23-2012 04:01 AM
The ScreenOS terminology for this is "sub-interface". VLAN in the interface is only used in transparent mode for the box management. The basic steps are to create a sub-interface and assign the VLAN tag and the zone. You can also give this an IP address if needed.
To set a VLAN on an interface, use:
unset int e0/1 ip
unset int e0/1 zone
set zone name zone10
set zone name zone20
set interface ethernet0/1.1 tag 10 zone zone10
set interface ethernet0/1.2 tag 20 zone zone20
set interface ethernet0/1.1 ip 192.168.10.1/24
set interface ethernet0/1.2 ip 192.168.20.1/24
For the instructions on implementing VLAN subinterfaces you'll need the ScreenOS documentation for the version loaded on your device.
The configuration of VLANs is covered in volume 10, "Virtual Systems".
03-29-2012 03:06 PM
Since I am using bgroups and assigning physical ports to them, can I create subinterfaces on my unused ports and assign a subinterface to a bgroup?
For example, I have:
bgroup0 and bgroup1
2 untrust ports, each to a different ISP (WAN).
I have several spare ports currently split between bgroup0 and 1 that are trusted (LAN).
I assume that I would:
1) Take a few of those currently assigned trusted physical ports and unassign them from bgroup0 and/or 1.
2) Create 2 subinterfaces on each physical interface.
3) Assign each subinterface to its respective bgroup.
03-31-2012 04:42 AM
No, unfortunately subinterfaces cannot belong to a bgroup.
I have not tested this, but you could try this
Then see if the devices on the bgroup can see those on the subinterface vlan connection.
04-03-2012 04:38 PM
Wow, seems like a very elegant solution.
TAC couldn't really help me on this one.
Would I need a static route or will packets route?
I have a DHCP server on bgroup0 and wondering if bgroup0.1 will get DHCP passed through it?
I would assume that no static route is needed because it's a sub bgroup, so we have properties that are inherited from its bgroup parent of sorts?
Thanks again for the post, the sub bgroup is very very slick!
04-03-2012 04:58 PM
No, you do not need static routes. Connected routes are automatically installed for the subnets defined on your subinterfaces.
As for DHCP, you'll need to enable DHCP server on each of the subinterfaces for each corresponding subnet where you need DHCP service.
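The procedure sketched above (release a port from its bgroup, create tagged sub-interfaces, give each its own zone and IP, enable a DHCP server per sub-interface) as a single ScreenOS CLI session. This is an added example, not configuration from the thread or from Juniper; it assumes ethernet0/2 is currently a member of bgroup0, and the zone names, tags and addresses are placeholders chosen so they do not overlap the subnets already used on bgroup0/bgroup1. Lines starting with # are annotations, not CLI commands.

```text
# 1) Release the physical port from its bgroup and clear its L3 settings
unset interface bgroup0 port ethernet0/2
unset interface ethernet0/2 ip
unset interface ethernet0/2 zone

# 2) One security zone per VLAN, so traffic between them is policy-controlled
set zone name wifi10
set zone name wifi20

# 3) Tagged sub-interfaces on the same physical port (tag = 802.1Q VLAN ID)
set interface ethernet0/2.1 tag 10 zone wifi10
set interface ethernet0/2.1 ip 10.0.11.1/24
set interface ethernet0/2.2 tag 20 zone wifi20
set interface ethernet0/2.2 ip 192.168.2.1/24

# 4) DHCP server on each sub-interface; each scope matches its own subnet
set interface ethernet0/2.1 dhcp server service
set interface ethernet0/2.1 dhcp server ip 10.0.11.50 to 10.0.11.150
set interface ethernet0/2.1 dhcp server option gateway 10.0.11.1
set interface ethernet0/2.1 dhcp server option netmask 255.255.255.0
set interface ethernet0/2.1 dhcp server enable
set interface ethernet0/2.2 dhcp server service
set interface ethernet0/2.2 dhcp server ip 192.168.2.50 to 192.168.2.150
set interface ethernet0/2.2 dhcp server option gateway 192.168.2.1
set interface ethernet0/2.2 dhcp server option netmask 255.255.255.0
set interface ethernet0/2.2 dhcp server enable

# 5) Nothing crosses zones without a policy: permit only what each SSID needs
set policy from "wifi10" to "Untrust" "Any" "Any" "ANY" permit
set policy from "wifi20" to "Untrust" "Any" "Any" "ANY" permit
set policy from "wifi10" to "Trust" "Any" "Any" "ANY" permit

# 6) Verify: the connected routes appear by themselves, no static route needed
get interface ethernet0/2.1
get route
get dhcp server ethernet0/2.1 ip allocate
```

The WAP's trunk port must send VLANs 10 and 20 tagged; an untagged frame arriving on ethernet0/2 lands on the parent interface, not on either sub-interface.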
04-03-2012 05:30 PM
The thing is that I already have a DHCP server on that network, so is it possible to pass traffic to the sub bgroup?
So, for example, I have 2 bgroups:
I then create bgroup0.1 to have 192.168.1.2/24 with a VLAN tag of 20.
And bgroup1.1 to have 10.0.10.2/16 with a VLAN tag of 10.
I have a DHCP server somewhere on bgroup0 that I would like to reach bgroup1.1.
Likewise, I also have a DHCP server on bgroup1 that I would like to reach bgroup0.1.
What I am trying to achieve is a WiFi AP capable of supporting a few diff networks via VLANs and having my physical interface support both LANs in-house: 10.0.10.0/16 and 192.168.1.0/24.
04-03-2012 07:17 PM
Attached is a simple diagram.
Pictured is my SSG140 with 9 interfaces. I labeled them 0-9, but they are really 0/0 - 0/9.
Also, bgroup0 as labeled in the diagram is really bgroup 0/0 as per Juniper.
Interface 0 is connected to an ISP and is associated with bgroup0.
Interface 9 is connected to a different ISP and is associated with bgroup1.
Interface 1, which is bound to bgroup0, is connected to a switch which has a DHCP server connected to it.
Interface 8 is bound to bgroup1 but has nothing connected to it.
Interfaces 2, 3, 4 have 3 WAPs connected for proper WiFi coverage, as our facility is large with poor reception.
Each WAP is to support 2 SSIDs or 2 WiFi networks: the 10.0.10.0/16 network and the 192.168.1.0/24 network.
Since each WAP has only one Ethernet port but supports VLANs, I wanted to leverage this against the SSG140's capabilities in passing VLAN traffic to the correct network.
Does this make sense?
04-03-2012 08:07 PM
That makes it much clearer.
And we run into a problem: You cannot have any interface bound to two different bgroups at the same time. So, any subinterface with VLAN tag you create will not be able to communicate with untagged interfaces on the same subnet (on L2).
Considering the diagram you included, I have three more questions:
1. What is the default gateway address for ISP A and ISP B? (Same subnet, or a different subnet?)
2. Does your switch support VLANs? (I'm thinking everything should be on bgroup0/0 with two subinterfaces (VLAN 10, 192) and the switch can take care of what VLAN tags.)
3. Do you, by chance, have another small switch that supports VLANs?