Screen OS

  • 1.  VLAN tagging

    Posted 11-03-2015 07:57

    We have an SSG5 and have recently purchased some WAPs that can do VLAN tagging. What I want to have are 3 SSIDs: one for company equipment, one for staff smartphones, and one for guests. The company equipment is to get full access to the network, the staff smartphones should have internet access and access to an internal website, and guests should just get internet access.

    My thoughts on how this would work are as follows. Create 2 sub-interfaces for bgroup0 (which most of our interfaces are grouped under) and assign a VLAN tag number to each. Create a new zone for each sub-interface. Create policies to give the guest zone access to the internet, and create policies so that the staff smartphone zone has access to the internet and the web server.

    Will this work, or am I missing something? And how would I go about doing this through SSH?



  • 2.  RE: VLAN tagging
    Best Answer

    Posted 11-03-2015 09:17

    That should work.

     

    set zone name guest
    set zone name phones
    set zone name equipment

    set interface bgroup0.1 tag 1 zone equipment
    set interface bgroup0.2 tag 2 zone phones
    set interface bgroup0.3 tag 3 zone guest
    set interface bgroup0.1 ip x.x.x.a/24
    set interface bgroup0.2 ip x.x.x.b/24
    set interface bgroup0.3 ip x.x.x.c/24

    set policy from equipment to <zone> any any any permit
    set policy from equipment to untrust any any any nat src permit
    set policy from guest to untrust any any any nat src permit
    set policy from phones to untrust any any any nat src permit
    ....



  • 3.  RE: VLAN tagging

    Posted 11-03-2015 10:41

    Thanks! Do I have to create a sub-interface for the company equipment traffic? I assumed that if I left it, it would just get treated like the current traffic on bgroup0.


    Also, I can set my ip range for the sub interfaces completely different from my bgroup0 ip range, correct?



  • 4.  RE: VLAN tagging

    Posted 11-03-2015 10:45

    If you do not create a VLAN for the equipment, your AP will need to pass it untagged to the firewall. It would then be treated as any other traffic on bg0.

    Each sub-interface will have its own subnet. You can use, say, 10.1.1.1 for bg0.1 and 172.22.1.1 for bg0.2 if you would like.

    You cannot have overlapping subnets, though (unless you enable it in the VR, but that can cause issues).
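
The checks this reply calls for (one subnet per sub-interface, no overlap with bgroup0 or each other) and the ScreenOS commands from the accepted answer, as an added example that is not from any post in this thread: a small Python script that validates a sub-interface plan before anything is typed into the SSG5 and then renders the CLI lines, including the narrow "phones may reach one internal web server" policy the original question asked about. The interface, zone, address-book and host names (bgroup0, phones, guest, intranet-web, 192.168.1.10) are assumptions; the command shapes follow ScreenOS 6.x syntax as I recall it (note that `nat src` precedes `permit`) and should be checked against your release.

```python
"""Check and render a ScreenOS VLAN sub-interface plan (added example, not from the thread).

Interface, zone and address names below are assumptions; command shapes follow
ScreenOS 6.x syntax as remembered and should be verified on the target release.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubIf:
    parent: str    # physical or bridge-group interface, e.g. "bgroup0"
    tag: int       # 802.1Q VLAN ID the WAP puts on this SSID's frames
    zone: str      # security zone the sub-interface is bound to
    address: str   # firewall's own address on that segment, e.g. "172.22.1.1/24"

    @property
    def name(self) -> str:
        # The unit number need not equal the tag; reusing it keeps the config readable.
        return f"{self.parent}.{self.tag}"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.address).network


def validate(plan: list[SubIf], existing: list[str]) -> list[str]:
    """Return human-readable problems; an empty list means the plan is sane.

    `existing` holds addresses already configured on the box (e.g. bgroup0's),
    because a sub-interface subnet must not overlap the parent or any other interface.
    """
    problems: list[str] = []
    seen_tags: dict[tuple[str, int], str] = {}
    for s in plan:
        if not 1 <= s.tag <= 4094:
            problems.append(f"{s.name}: VLAN tag {s.tag} outside 1-4094")
        key = (s.parent, s.tag)
        if key in seen_tags:
            problems.append(f"{s.name}: tag {s.tag} already used by {seen_tags[key]}")
        seen_tags[key] = s.name
    # Pairwise overlap check across existing subnets and every planned sub-interface.
    nets = [(e, ipaddress.ip_interface(e).network) for e in existing]
    nets += [(s.name, s.network) for s in plan]
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}")
    return problems


def render(plan: list[SubIf], internet_zone: str = "untrust") -> list[str]:
    """ScreenOS CLI for the zones, tagged sub-interfaces and internet-only policies.

    Sub-interfaces in custom zones run in route mode, so source NAT has to be
    requested in the policy; in ScreenOS the "nat src" clause comes before "permit".
    """
    lines = [f"set zone name {z}" for z in dict.fromkeys(s.zone for s in plan)]
    for s in plan:
        lines.append(f"set interface {s.name} tag {s.tag} zone {s.zone}")
        lines.append(f"set interface {s.name} ip {s.address}")
    for s in plan:
        lines.append(f"set policy from {s.zone} to {internet_zone} any any any nat src permit")
    return lines


def render_internal_access(src_zone: str, dst_zone: str, addr_name: str,
                           host: str, service: str = "HTTP") -> list[str]:
    """Policy letting one VLAN reach a single internal host and nothing else in that zone.

    A /32 address-book entry narrows the destination to the one server, so the
    phones zone does not get a path to the rest of the trust network.
    """
    return [
        f"set address {dst_zone} {addr_name} {host} 255.255.255.255",
        f"set policy from {src_zone} to {dst_zone} any {addr_name} {service} permit",
    ]


if __name__ == "__main__":
    # Constructed plan mirroring the thread: existing LAN on bgroup0, two tagged SSIDs.
    lan = ["192.168.1.1/24"]
    plan = [SubIf("bgroup0", 2, "phones", "172.22.1.1/24"),
            SubIf("bgroup0", 3, "guest", "10.1.1.1/24")]
    for problem in validate(plan, lan):
        print("PROBLEM:", problem)
    for line in render(plan) + render_internal_access("phones", "trust", "intranet-web", "192.168.1.10"):
        print(line)
```

Run it once with the real bgroup0 address in `lan` and the intended sub-interface addresses in `plan`; if `validate` prints nothing, the rendered lines can be pasted into the SSH session. The equipment SSID from the original question is left out of the plan on purpose: per this reply it can simply be passed untagged and ride bgroup0 as today.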



  • 5.  RE: VLAN tagging

    Posted 11-04-2015 07:42

    I got the staff one set up now, and so far everything seems to be good. I forgot to set up DHCP at first, haha, but now I've got that all figured out and policies allowing access to the resources they need.