ScreenOS Firewalls (NOT SRX)
nikolay.semov

Re: SSG5 and SSG140 - docs to setup VLAN

I think I'm lost. Could you please include some sort of a simple diagram and / or explanation of what subnet is on what VLAN, etc., etc.

aurfalien

Cool, will post a diagram soon.

I don't have any VLANs yet, but my APs do support them.

aurfalien

Attached is a simple diagram.

Pictured is my SSG140 with 9 interfaces. I labelled them 0-9, but they are really 0/0 - 0/9.

Also, bgroup0 as labeled in the diagram is really bgroup0/0 as per Juniper.

Interface 0 is connected to an ISP and is associated with bgroup0.

Interface 9 is connected to a different ISP and is associated with bgroup1.

Interface 1, which is bound to bgroup0, is connected to a switch which has a DHCP server connected to it.

Interface 8 is bound to bgroup1 but has nothing connected to it.

Interfaces 2, 3, 4 have 3 WAPs connected for proper WiFi coverage, as our facility is large with poor reception.

Each WAP is to support 2 SSIDs or 2 WiFi networks, the 10.0.10.0/16 network and the 192.168.1.0/24 network.

Since each WAP has only one ethernet port but supports VLANs, I wanted to leverage this against the SSG140's capabilities in passing VLAN traffic to the correct network.

Does this make sense?

aurfalien

Forgot to add that my SSG140 is also functioning as a DHCP server for the 192.168.1.0/24 network.

nikolay.semov

That makes it quite a bit clearer.

And we run into a problem: you cannot have any interface bound to two different bgroups at the same time. So, any subinterface with a VLAN tag you create will not be able to communicate with untagged interfaces on the same subnet (on L2).

Considering the diagram you included, I have three more questions:

1. What is the default gateway address for ISP A and ISP B? (Same subnet, or a different subnet?)

2. Does your switch support VLANs? (I'm thinking everything should be on bgroup0/0 with two subinterfaces (VLAN 10, 192) and the switch can take care of the VLAN tags.)

3. Do you, by chance, have another small switch that supports VLANs?

aurfalien

Hi,

Well, the SSG140 is not in production yet, so I can redo any config to suit the requirements.

1. Both gateways have different subnets.

2. My switch does support VLANs but is not configured; it's in 24/7 production currently.

Can I instead tag all interfaces on my SSG140?

If traffic leaves the SSG140 bound to my switch, is the VLAN tag still relevant, or can I untag it at that point?

- aurf

aurfalien

By the way, my Foundry switch is config'd as a simple layer 2 device, but I assume it has a default VLAN of some sort?

I suppose that if I found the default VLAN ID, I can tag traffic on bgroup0/10.0.10.0 as that VLAN?

aurfalien

My default VLAN is 1, which all ports on my switch belong to.

I assume that if I tag bgroup0 with a VLAN ID of 1, I should be just fine?

And then tag bgroup1 with a different VLAN, as that traffic does not go into a switch of any kind, but rather stays between ISP B and the SSG140.

nikolay.semov

"And then tag bgroup1 with a different VLAN, as that traffic does not go into a switch of any kind, but rather stays between ISP B and the SSG140."

You could do that, but then your ISP will have to give you the connection on a tagged VLAN.

Your switch ports on VLAN 1 are in all likelihood not tagged.

Consider the following statements when you think of a solution:

1. You can configure a switch port (on a proper managed switch) to be part of one or more VLANs.

2. If you configure more than 1 VLAN on a switch port (i.e. trunk mode), then only one VLAN can be untagged on that port. The rest must be tagged.

3. If you configure just 1 VLAN on a switch port, you can have it untagged (i.e. access mode; the default configuration on most switch ports), or tagged (i.e. trunk mode, with just one VLAN).

4. You can configure VLAN membership on switch ports independently from one another. That means that the same VLAN can be tagged on some ports, and untagged on others.

-----

That gives you a lot of flexibility on the switch. On the SSG140, unfortunately, you don't have as much flexibility. If you want to span a subnet / VLAN across multiple ports on the firewall (i.e. put these ports in a bgroup), then for a particular VLAN, either all ports must be tagged (i.e. a bgroup subinterface with the VLAN tag specified), or all ports must be untagged (i.e. the main bgroup interface).

So, if, say, you put your WAPs on VLAN 10 for the 10.10.10.0/24 subnet, then if you add eth0/9 to bgroup0.10 to connect to your ISP, that VLAN will still be tagged with VLAN tag 10 on eth0/9, which more than likely will be a no-no for your ISP.

Now, if your ISP is giving you an address of 1.2.3.1/28, for example, then you can configure that on eth0/9 (not part of a bgroup), and we'll figure out later what needs to happen afterwards.

Going back to your wireless setup. You mentioned you can get your WAPs to tag the traffic from different SSIDs, right? You could use VLAN tag 1 for the SSID that carries the 192.168.1.x subnet, and create a bgroup subinterface with tag 1, but then you'll have to configure your switch to have VLAN 1 tagged on the port that connects to your SSG140.
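The layout the reply above describes, written out as a ScreenOS configuration. This is an added example and is not part of the thread or of any poster's config. Assumed values: VLAN 10 and 10.10.10.0/24 for the tagged SSID (the example numbers used in the reply), 192.168.1.0/24 untagged on bgroup0, a user-defined zone called "Wireless", ethernet0/1 as the switch uplink, ethernet0/2-0/4 as the WAP ports, and 1.2.3.1/28 as ISP B's example address on ethernet0/9. Lines beginning with # are explanatory and are not ScreenOS commands; verify the exact syntax against the CLI reference for your release before pasting.

```screenos
# Added example (assumed interface roles and addresses, see lead-in).
# Wired LAN and WAP ports share one bridge group. The main bgroup0
# interface carries untagged frames, i.e. the 192.168.1.0/24 side.
set interface bgroup0 port ethernet0/1
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 zone Trust
set interface bgroup0 ip 192.168.1.1/24

# Tagged SSID: one subinterface of the bgroup with tag 10. Every member
# port of bgroup0, the switch uplink on ethernet0/1 included, will send
# and accept tag-10 frames; there is no per-port tagged/untagged choice.
set zone name Wireless
set interface bgroup0.10 tag 10 zone Wireless
set interface bgroup0.10 ip 10.10.10.1/24

# ISP B: a plain Untrust interface that is not a bgroup member, so it
# never carries tag 10 (the "no-no for your ISP" case in the reply).
set interface ethernet0/9 zone Untrust
set interface ethernet0/9 ip 1.2.3.1/28

# The tagged SSID reaches the Internet only through an explicit policy.
# With no Wireless-to-Trust policy, that SSID cannot reach the wired LAN.
set policy from Wireless to Untrust any any any permit
```

Two points worth checking on such a setup. First, because all bgroup0 members carry tag 10, the Foundry port facing ethernet0/1 will receive tag-10 frames; on an access port in VLAN 1 those are normally dropped, which is what you want unless that port is later made a trunk that admits VLAN 10. Second, the WAPs' untagged SSID lands on the main bgroup0 interface, so it is in the same broadcast domain and zone as the wired LAN; putting the tagged SSID in its own zone is what forces its traffic through policy instead of being bridged straight onto the switch.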

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.