Screen OS

  • 1.  ScreenOS 6.3.x VLAN setup help (using 3rd party AP with multi VLAN Support)

    Posted 03-15-2014 10:48

    Hey all,

    I'm not new to VLANs, as I use them at home with my NS-25 - but I have a managed switch split the VLANs to each port of my NS-25.

    I have an SSG-5-W I'm setting up and I'd like to move the VLAN magic inside the box.

    I have bgroup0 on zone Trust containing eth 0/1-6 and wireless0/0.

    I created a zone "guest-wifi".

    I also created a guest-wifi SSID in the wireless settings.

    On the AP, the SSID guest-wifi is going to be VLAN2 (tagged) while the main SSID will be untagged.

    On the SSG-5, I'd like wireless 0/1 and VLAN2 to be in the Guest-WiFi zone, but I'm not quite sure how to go about binding that up.

    I see how to create sub-interfaces and assign a VLAN ID, but am not seeing how I can bring that back to the same zone that would provide a DHCP served address by the SSG-5.

    What's the best way to do this on the SSG?

    Thanks,

      -Ben



  • 2.  RE: ScreenOS 6.3.x VLAN setup help (using 3rd party AP with multi VLAN Support)

    Posted 03-15-2014 11:30

    As a followup,

    it looks as simple as making a subinterface for my bgroup0 as bgroup0.2 (and tagging VLAN2) and adding it to Zone "Guest-Wifi" while leaving the IPs at all 0's.

    Then building my bgroup1 and giving it all the normal IP addressing stuff -- AND adding wireless 0/1 to the group.

    Will test -- but any sanity check from someone who's done this would be great.

     -Ben



  • 3.  RE: ScreenOS 6.3.x VLAN setup help (using 3rd party AP with multi VLAN Support)

    Posted 03-15-2014 14:46

    You have the process all correct for getting the tagged vlans.  Your main bgroup subnet will be untagged on that same port.  So on the switch you may have to account for that.

    But since you have an SSG5 wireless I'm wondering why you don't just create a second ssid and wireless interface right on the box.  This can support up to four active SSIDs.  You could place that second wireless interface in its own guest zone and give it independent access without any additional equipment.



  • 4.  RE: ScreenOS 6.3.x VLAN setup help (using 3rd party AP with multi VLAN Support)

    Posted 03-15-2014 17:50

    Hi Steve,

    I plan on doing just that.

    I'd like to use the wireless locally to offer guest wifi and "internal network" wifi -- but also want to remote another AP outside for some outdoor coverage.

    There's only 1 ethernet coming from this AP, which does support up to 4 VLANs (and SSIDs).

    So I need one of the ethernet jacks to be part of the bgroup0 (trusted "internal network") untagged on VLAN1 while VLAN2 is tagged (and terminates to the "Guest-WiFi" zone -- somehow on bgroup1).

    I have it configured like I mentioned -- I just worry my VLAN2 (which has an IP now and shows up on the DHCP section) is being set up as a wholly separate interface needing its own network number, and that's not what I want.

    I hope I'm making sense...

    Just get the feeling it's not going to work with bgroup0.2 looking like it needs an IP address even though it's part of zone "Guest-WiFi".

    Let me know and thanks,

     -Ben



  • 5.  RE: ScreenOS 6.3.x VLAN setup help (using 3rd party AP with multi VLAN Support)
    Best Answer

    Posted 03-16-2014 04:56

    I see the issue now.  I did have the same setup once in a site.

    The issue is that a zone can and does apply to multiple network segments.  So assigning your sub-interface and your wireless guest interface to the same zone does not bridge them into the same network segment.  It only applies the same policies to these two interfaces.

    The bgroup (bridge group) is how we bridge two interfaces into the same segment.  This is the technique you are using when you add the home wireless interface into the bgroup with the home ethernet connections.

    However, you cannot add a sub-interface into a bgroup.  This feature is not available.

    So you correctly identified one option.  You create a new network segment with its own DHCP server and assign this to the sub-interface for your outside WAP.  With the zone assignment of guest it will use the same nat and security rules that the internal wireless interface does, but will be a separate network segment.

    The only other option I found was to use an external vlan capable switch with the following setup.

    Create a bgroup with the internal wireless segment and one ethernet interface

    Connect this to an access port on the switch set to the same vlan as your tagged traffic from the wap

    Create a trunk port on the switch with the untagged vlan as your home network for the mgmt ip of the wap and a tagged vlan with the correct vlan-id for the guest traffic

    This setup separates the mgmt for the guest wireless on the wap and forwards them back to the SSG on the two different lines connecting the SSG to the managed switch.

    The setup burns two more ethernet ports but it does work.
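    The first option above (a separate guest segment on the sub-interface, sharing the zone and policies with the SSG-5's own guest radio) written out as ScreenOS 6.3 CLI. This is an added example, not a config posted in the thread; the 192.168.20.0/24 and 192.168.21.0/24 subnets, DHCP ranges and DNS value are constructed placeholders, it assumes the outdoor AP's trunk plugs into an ethernet port that is already a member of bgroup0, and the lines starting with ## are annotations to drop before pasting.

```screenos
## Added example with constructed addressing. Untagged frames from the AP stay in
## bgroup0 (Trust); frames tagged VLAN 2 terminate on the sub-interface bgroup0.2.

## One guest zone, two network segments (bgroup0.2 and bgroup1)
set zone name "Guest-WiFi"

## Segment 1: tagged VLAN 2 from the outdoor AP on a sub-interface of bgroup0.
## A sub-interface cannot join a bgroup, so it gets its own subnet and DHCP scope.
set interface bgroup0.2 tag 2 zone "Guest-WiFi"
set interface bgroup0.2 ip 192.168.20.1/24
set interface bgroup0.2 nat
set interface bgroup0.2 dhcp server service
set interface bgroup0.2 dhcp server ip 192.168.20.50 to 192.168.20.150
set interface bgroup0.2 dhcp server option gateway 192.168.20.1
set interface bgroup0.2 dhcp server option netmask 255.255.255.0
set interface bgroup0.2 dhcp server option dns1 192.168.20.1
set interface bgroup0.2 dhcp server enable

## Segment 2: the SSG-5's second radio (wireless0/1, already bound to the guest
## SSID in the wireless settings) bridged into bgroup1 with its own scope.
set interface bgroup1 zone "Guest-WiFi"
set interface bgroup1 port wireless0/1
set interface bgroup1 ip 192.168.21.1/24
set interface bgroup1 nat
set interface bgroup1 dhcp server service
set interface bgroup1 dhcp server ip 192.168.21.50 to 192.168.21.150
set interface bgroup1 dhcp server option gateway 192.168.21.1
set interface bgroup1 dhcp server option netmask 255.255.255.0
set interface bgroup1 dhcp server option dns1 192.168.21.1
set interface bgroup1 dhcp server enable

## Policies are per zone, so both guest segments get identical treatment:
## internet out, an explicit logged deny into Trust, and intra-zone blocking so
## the two guest segments cannot reach each other through the firewall.
set policy from "Guest-WiFi" to "Untrust" "Any" "Any" "ANY" permit
set policy from "Guest-WiFi" to "Trust" "Any" "Any" "ANY" deny log
set zone "Guest-WiFi" block
```

    After committing, `get interface` should list bgroup0.2 and bgroup1 in zone Guest-WiFi with their own addresses, and `get dhcp server` shows one scope per segment.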



  • 6.  RE: ScreenOS 6.3.x VLAN setup help (using 3rd party AP with multi VLAN Support)

    Posted 03-16-2014 10:39

    Thanks for the verification Steve.

    When I couldn't bind the sub-if to the bgroup1 (guest-wifi), I had a feeling that would be the result.

    Ok - that's what I needed to know.

    I'll figure something out.

    Thanks again,

     -Ben