Screen OS

  • 1.  To be enabled VLAN 1 in SSG550M - Reg

    Posted 03-26-2014 12:53

    Hi,

    I have configured 4 Cisco switches with default VLAN 1 and IP addresses 10.1.1.2/24, 10.1.1.3/24, 10.1.1.4/24 and 10.1.1.5, and the IP default gateway of each switch is 10.1.1.1. The IP address 10.1.1.1 is the Trust Zone's interface of my firewall. I have no other VLANs configured in these switches.

    I am using an SSG 550M firewall, and I am using 3 interfaces of the firewall.
    1. Trust Zone - IP 10.1.1.1/24
    2. Untrust Zone - IP 10.2.2.1/24
    3. Zone "Null", but I configured 3 sub-interfaces and trunked them to one of the Cisco switches for ISP link termination.

    VLAN 1 is disabled in my firewall currently.

    My situation is, I am planning to enable VLAN 1 in the firewall and assign IP address 10.1.1.6/25, which is in the subnet of the Trust Zone, for management purposes.

    My question is: can I enable VLAN 1 in my firewall and can I use the Trust Zone's interface IP (10.1.1.6/24) range?

    Will any problem occur in the switches' and firewall's operation?

    I am waiting for your good reply to implement this in my network.

    Regards

    Sasikumar



  • 2.  RE: To be enabled VLAN 1 in SSG550M - Reg

    Posted 03-26-2014 18:51

    Hi,

    Do you have other interfaces in your SSG 550M? uPIM?

    I would recommend having additional PIMs so you can assign each port for the ISPs as well as your required zones for the VLANs (to make things easier, since the default port is only 100gb copper).

    VLAN1 by default is used for ScreenOS transparent mode deployment.

    Once you have assigned individual ports to the respective ISPs, you can have them in active/active mode by utilizing multiple virtual routers and source routing (trust-vr to isp1-vr, isp2-vr, isp3-vr).

    //

    dwayne



  • 3.  RE: To be enabled VLAN 1 in SSG550M - Reg
    Best Answer

    Posted 03-27-2014 14:01

    The VLAN 1 interface can only be used when the firewall is deployed in transparent mode.  In your normal layer 3 deployment this interface is not used.

     

    I assume you want to set up a management address for the firewall.  You would probably use the loopback interface for this purpose instead.

    Or if you do want this in the same range as your existing trust interface, then just configure the separate address as the management address on the trust interface.  Then all the protocols you select for management on this interface will be accessed by this second address instead of the interface address.
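    The two approaches from the best answer, written out as ScreenOS CLI. This is an added example, not configuration from the thread or from Juniper documentation: the interface name ethernet0/0, the loopback number, the admin workstation address 10.1.1.100 and the loopback range 10.9.9.1/32 are all assumed; check "get interface" on the SSG for the real trust interface name. Lines beginning with # are annotations for the reader, not commands the ScreenOS CLI accepts.

    ```text
    # Option A: second address on the existing trust interface (same 10.1.1.0/24 range)
    # The trust interface keeps 10.1.1.1/24 as the gateway for the switches;
    # 10.1.1.6 becomes the address that answers management traffic.
    set interface ethernet0/0 zone trust
    set interface ethernet0/0 ip 10.1.1.1/24
    set interface ethernet0/0 manage-ip 10.1.1.6

    # Turn off the clear-text services and leave only what is needed.
    # Weak setting: leaving "manage web" and "manage telnet" enabled on the
    # trust interface exposes credentials in clear text to every host in VLAN 1.
    unset interface ethernet0/0 manage web
    unset interface ethernet0/0 manage telnet
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage ssl
    set interface ethernet0/0 manage ping

    # Limit admin sessions to a known management host (constructed address),
    # so a compromised switch or host in VLAN 1 cannot reach the admin services.
    set admin manager-ip 10.1.1.100 255.255.255.255

    # Option B: dedicated loopback address (assumed range, outside the trust subnet)
    # A loopback stays up independently of any physical port; the trust hosts
    # need a route to 10.9.9.1 via 10.1.1.1, which they already have as default gateway.
    set interface loopback.1 zone trust
    set interface loopback.1 ip 10.9.9.1/32
    set interface loopback.1 manage ssh
    set interface loopback.1 manage ssl
    set interface loopback.1 manage ping

    # Verification
    get interface ethernet0/0
    get interface loopback.1
    get admin
    ```

    With either option, VLAN 1 on the firewall stays disabled, as the answer describes: the management address lives on the trust interface or the loopback, and the interface's normal 10.1.1.1 address is untouched, so the switches' default gateway keeps working. The "manager-ip" restriction is what keeps the management address from simply becoming a second attack surface in the user VLAN.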