ScreenOS Firewalls (NOT SRX)
Contributor (Posts: 18, Registered: 03-22-2012)

SSG5 and SSG140 - docs to setup VLAN

Hi all,

 

Would anyone mind pointing me to where I can get documentation specific to setting up VLANs on my SSG5 and SSG140?

 

I suspect the same doc will apply to both as they run ScreenOS, but I just wanted to be thorough in my product description.

 

I would like some of the same interfaces on my SSGs to support 2 different networks.

 

Thanks in advance.

Recognized Expert (Posts: 484, Registered: 03-15-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

Hi,

 

You can refer to the C&E guide, volume 2:

 

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_fundamentals.pdf

 

Thanks,

Hardeep

Distinguished Expert (Posts: 4,116, Registered: 03-30-2009)

Re: SSG5 and SSG140 - docs to setup VLAN

The ScreenOS terminology for this is "sub-interface". The VLAN interface is only used in transparent mode for management of the box. The basic steps are to create a sub-interface and assign the VLAN tag and the zone. You can also give this an IP address if needed.

 

To set a VLAN on an interface, use:

First clear the IP address and zone from the physical interface:
unset interface ethernet0/1 ip
unset interface ethernet0/1 zone

Create the zones the tagged traffic will be placed in:
set zone name zone10
set zone name zone20

Create one sub-interface per VLAN, binding the tag and the zone together:
set interface ethernet0/1.1 tag 10 zone zone10
set interface ethernet0/1.2 tag 20 zone zone20

Give each sub-interface its own address if it is to route (layer 3):
set interface ethernet0/1.1 ip 192.168.10.1/24
set interface ethernet0/1.2 ip 192.168.20.1/24

 

For the instructions on implementing VLAN sub-interfaces you'll need the ScreenOS documentation for the version loaded on your device.

 

The configuration of VLANs is covered in volume 10, "Virtual Systems".


http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV JNCIS-SSL JNCDA
JNCIS-SP
ACE PanOS 6
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Contributor (Posts: 18, Registered: 03-22-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

Thanks very much, greatly appreciated.

 

- aurfalien

Contributor (Posts: 18, Registered: 03-22-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

Hi,

 

Since I am using bgroups and assigning physical ports to them, can I create subinterfaces on my unused ports and assign a subinterface to a bgroup?

 

For example, I have;

 

bgroup0 and bgroup1

2 untrust ports, each to a different ISP (WAN).

I have several spare ports currently split to bgroup0 and 1 and are trusted (LAN).

 

I assume that I would;

 

1) Take a few of those currently assigned trusted physical ports and unassign them from bgroup0 and/or 1.

2) Create 2 subinterfaces on each physical interface.

3) Assign each subinterface to its respective bgroup.

 

- aurf

 

Distinguished Expert (Posts: 4,116, Registered: 03-30-2009)

Re: SSG5 and SSG140 - docs to setup VLAN

No, unfortunately subinterfaces cannot belong to a bgroup.

 

I have not tested this, but you could try this

 

  • Put the subinterface into the same zone as your bgroup
  • Leave the IP address unconfigured so the interface is layer 2

Then see if the devices on the bgroup can see those on the subinterface vlan connection.

Steve Puluka
Super Contributor (Posts: 180, Registered: 03-15-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

Leave the interfaces bound to the bgroup, and then create a subinterface of the bgroup itself.

Contributor (Posts: 18, Registered: 03-22-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

Wow, seems like a very elegant solution.

 

TAC couldn't really help me on this one.

 

Would I need a static route or will packets route?

 

I have a DHCP server on bgroup0 and wondering if bgroup0.1 will get DHCP passed through it?

 

I would assume that no static route is needed because it's a sub-bgroup, so it has properties that are inherited from its bgroup parent of sorts?

 

Thanks again for the post, the sub-bgroup is very, very slick!

 

- aurf

Super Contributor (Posts: 180, Registered: 03-15-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

No, you do not need static routes. Connected routes are automatically installed for the subnets defined on your subinterfaces.

 

As for DHCP, you'll need to enable the DHCP server on each of the subinterfaces for each corresponding subnet where you need DHCP service.

Contributor (Posts: 18, Registered: 03-22-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

The thing is that I already have a DHCP server on that network, so is it possible to pass traffic to the sub-bgroup?

 

So for example I have 2 bgroups;

 

bgroup0

10.0.10.1/16

 

bgroup1

192.168.1.1/24

 

I then create bgroup0.1 to have 192.168.1.2/24 with a VLAN tag of 20.

 

And bgroup1.1 to have 10.0.10.2/16 with a VLAN tag of 10.

 

I have a DHCP server somewhere on bgroup0 that I would like to reach bgroup1.1.

 

Likewise, I also have a DHCP server on bgroup1 that I would like to reach bgroup0.1.

 

What I am trying to achieve is a WiFi AP capable of supporting a few different networks via VLANs, and having my physical interface support both in-house LANs: 10.0.10.0/16 and 192.168.1.0/24.

 

- aurf

 

 

Super Contributor (Posts: 180, Registered: 03-15-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

I think I'm lost. Could you please include some sort of simple diagram and/or explanation of what subnet is on what VLAN, etc.?

Contributor (Posts: 18, Registered: 03-22-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

Cool, will post a diagram soon.

 

I don't have any VLANs yet, but my APs do support them.

Contributor (Posts: 18, Registered: 03-22-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

Attached is a simple diagram.

 

Pictured is my SSG140 with 9 interfaces. I labeled them 0-9 but they are really 0/0 - 0/9.

 

Also, bgroup0 as labeled in the diagram is really bgroup 0/0 as per Juniper.

 

Interface 0 is connected to an ISP and is associated with bgroup0.

 

Interface 9 is connected to a different ISP and is associated with bgroup1.

 

Interface 1, which is bound to bgroup0, is connected to a switch which has a DHCP server connected to it.

 

Interface 8 is bound to bgroup1 but has nothing connected to it.

 

Interfaces 2, 3 and 4 have 3 WAPs connected for proper WiFi coverage, as our facility is large with poor reception.

 

Each WAP is to support 2 SSIDs or 2 WiFi networks: the 10.0.10.0/16 network and the 192.168.1.0/24 network.

 

Since each WAP has only one Ethernet port but supports VLANs, I wanted to leverage this against the SSG140's capabilities in passing VLAN traffic to the correct network.

 

Does this make sense?

Contributor (Posts: 18, Registered: 03-22-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

Forgot to add that my SSG140 is also functioning as a DHCP server for the 192.168.1.0/24 network.

Super Contributor (Posts: 180, Registered: 03-15-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

That makes it quite a bit clearer.

 

And we run into a problem: you cannot have any interface bound to two different bgroups at the same time. So any subinterface with a VLAN tag you create will not be able to communicate (at L2) with untagged interfaces on the same subnet.

 

Considering the diagram you included, I have three more questions:

 

1. What is the default gateway address for ISP A and ISP B? (Same subnet, or a different subnet?)

2. Does your switch support VLANs? (I'm thinking everything should be on bgroup0/0 with two subinterfaces (VLAN 10, 192) and the switch can take care of the VLAN tags.)

3. Do you, by chance, have another small switch that supports VLANs?

Contributor (Posts: 18, Registered: 03-22-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

Hi,

 

Well, the SSG140 is not in production yet, so I can redo any config to suit the requirements.

 

1. Both gateways have different subnets.

2. My switch does support VLANs but is not configured for them; it's in 24/7 production currently.

 

Can I instead tag all interfaces on my SSG140?

 

If traffic leaves the SSG140 bound for my switch, is the VLAN tag still relevant, and can I untag it at that point?

 

- aurf

 

Contributor (Posts: 18, Registered: 03-22-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

By the way, my Foundry switch is config'd as a simple layer 2 device, but I assume it has a default VLAN of some sort?

 

I suppose that if I found the default VLAN ID, I could tag traffic on bgroup0/10.0.10.0 as that VLAN?

Contributor (Posts: 18, Registered: 03-22-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

My default VLAN is 1, which all ports on my switch belong to.

 

I assume that if I tag bgroup0 with a VLAN ID of 1, I should be just fine?

 

And then tag bgroup1 with a different VLAN, as that traffic does not go into a switch of any kind, but rather stays between ISP B and the SSG140.

Super Contributor (Posts: 180, Registered: 03-15-2012)

Re: SSG5 and SSG140 - docs to setup VLAN

"And then tag bgroup1 with a diff VLAN as that traffic does not go into a switch of any kind, but rather stays between ISP b and the SSG140."

You could do that, but then your ISP will have to give you the connection on a tagged VLAN.

 

Your switch ports on VLAN 1 are in all likelihood not tagged.

 

Consider the following statements when you think of a solution:

 

1. You can configure a switch port (on a proper managed switch) to be part of one or more VLANs.

2. If you configure more than 1 VLAN on a switch port (i.e. trunk mode), then only one VLAN can be untagged on that port. The rest must be tagged.

3. If you configure just 1 VLAN on a switch port, you can have it untagged (i.e. access mode; the default configuration on most switch ports), or tagged (i.e. trunk mode, with just one VLAN).

4. You can configure VLAN membership on switch ports independently from one another. That means that the same VLAN can be tagged on some ports, and untagged on others.

-----

 

That gives you a lot of flexibility on the switch. On the SSG140, unfortunately, you don't have as much flexibility. If you want to span a subnet / VLAN across multiple ports on the firewall (i.e. put these ports in a bgroup), then for a particular VLAN, either all ports must be tagged (i.e. a bgroup subinterface with VLAN tag specified), or all ports must be untagged (i.e. the main bgroup interface).

 

So, if, say, you put your WAPs on VLAN 10 for the 10.10.10.0/24 subnet, then if you add eth0/9 to the bgroup0.10 to connect to your ISP, that VLAN will still be tagged with VLAN tag 10 on eth0/9, which more than likely will be a no-no for your ISP.

 

Now, if your ISP is giving you an address of 1.2.3.1/28, for example, then you can configure that on eth0/9 (not part of bgroup), and we'll figure out later what needs to happen afterwards.

 

Going back to your wireless setup. You mentioned you can get your WAPs to tag the traffic from different SSIDs, right? You could use VLAN tag 1 for the SSID that carries the 192.168.1.x subnet, and create a bgroup subinterface with tag 1, but then you'll have to configure your switch to have VLAN 1 tagged on the port that connects to your SSG140.
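Added example (not code from the thread, from Juniper or from ScreenOS): a small Python linter that reads the kind of ScreenOS `set interface` / `set zone` commands used above and flags the mistakes discussed in the thread: a sub-interface bound to a zone that was never created (from Steve's zone10/zone20 steps), two sub-interfaces on one parent with the same tag, a tagged sub-interface on VLAN 1 (the switch's usual untagged default VLAN, as the last few posts discuss), and the overlapping subnets in aurf's bgroup0.1 / bgroup1.1 plan, which would give the firewall two connected routes for one subnet. The sample configuration is constructed from the thread's addresses with two deliberate errors added; the predefined zone list is an assumption covering only the names the sample needs.

```python
"""Lint ScreenOS interface/VLAN 'set' commands for the sub-interface mistakes
discussed in this thread.  Added example, not ScreenOS or Juniper code.

Checks:
  * a sub-interface bound to a zone that is never defined
  * two sub-interfaces on the same parent carrying the same VLAN tag
  * a tagged sub-interface on VLAN 1, which most switches carry untagged
  * the same or an overlapping subnet on two interfaces (two connected routes)
"""
import ipaddress
import re
from collections import defaultdict

# ScreenOS ships with predefined zones; this is a subset (assumption) that is
# enough for the sample configuration below.
PREDEFINED_ZONES = {"Trust", "Untrust", "DMZ", "Null"}

ZONE_RE = re.compile(r"^set zone name (\S+)")
SUBIF_RE = re.compile(r"^set interface (\S+)\.(\d+) tag (\d+) zone (\S+)")
IP_RE = re.compile(r"^set interface (\S+) ip (\S+)")


def parse(config):
    """Return (zones, sub-interfaces, addresses) from ScreenOS 'set' lines."""
    zones = set(PREDEFINED_ZONES)
    subifs = []   # (name, parent, tag, zone) in configuration order
    addrs = {}    # interface name -> ipaddress.IPv4Interface
    for raw in config.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
        elif m := SUBIF_RE.match(line):
            parent, unit, tag, zone = m.groups()
            subifs.append((f"{parent}.{unit}", parent, int(tag), zone))
        elif m := IP_RE.match(line):
            addrs[m.group(1)] = ipaddress.ip_interface(m.group(2))
    return zones, subifs, addrs


def lint(config):
    """Return a list of human-readable findings; an empty list means clean."""
    zones, subifs, addrs = parse(config)
    findings = []
    tags_on_parent = defaultdict(dict)   # parent -> tag -> sub-interface name
    for name, parent, tag, zone in subifs:
        if zone not in zones:
            findings.append(f"{name}: zone {zone!r} is not defined")
        if tag in tags_on_parent[parent]:
            other = tags_on_parent[parent][tag]
            findings.append(f"{name}: VLAN tag {tag} already used by {other} on {parent}")
        tags_on_parent[parent][tag] = name
        if tag == 1:
            findings.append(f"{name}: tag 1 is normally the switch's untagged native VLAN; "
                            "the switch port facing the firewall must tag VLAN 1 for this to work")
    # Every pair of addressed interfaces: overlapping networks mean the
    # firewall installs two connected routes for one subnet.
    items = sorted(addrs.items())
    for i, (a, ia) in enumerate(items):
        for b, ib in items[i + 1:]:
            if ia.network.overlaps(ib.network):
                findings.append(f"{a} ({ia.network}) and {b} ({ib.network}) overlap: "
                                "two connected routes for one subnet")
    return findings


# Constructed sample: Steve's ethernet0/1 sub-interface example plus aurf's
# bgroup0.1 / bgroup1.1 plan and a tag-1 sub-interface.  zone20 is deliberately
# left undefined and bgroup0.3 deliberately reuses tag 20 so those checks fire.
SAMPLE_CONFIG = """
set zone name zone10
set interface ethernet0/1.1 tag 10 zone zone10
set interface ethernet0/1.2 tag 20 zone zone20
set interface ethernet0/1.1 ip 192.168.10.1/24
set interface ethernet0/1.2 ip 192.168.20.1/24
set interface bgroup0 zone Trust
set interface bgroup0 ip 10.0.10.1/16
set interface bgroup1 zone Trust
set interface bgroup1 ip 192.168.1.1/24
set interface bgroup0.1 tag 20 zone Trust
set interface bgroup0.1 ip 192.168.1.2/24
set interface bgroup1.1 tag 10 zone Trust
set interface bgroup1.1 ip 10.0.10.2/16
set interface bgroup0.2 tag 1 zone Trust
set interface bgroup0.2 ip 172.16.1.1/24
set interface bgroup0.3 tag 20 zone Trust
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against a real box by pasting the interface and zone lines from `get config` into `SAMPLE_CONFIG`. The overlap check is the one that matters most for the plan discussed above: bgroup0.1 and bgroup1 both end up on 192.168.1.0/24, and bgroup0 and bgroup1.1 both on 10.0.0.0/16, so the firewall would have two connected routes for each subnet and would not forward between the tagged and untagged sides as intended.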