Screen OS

Hello,

I have a HP Procurve 1810G switch that is connected to interface 0/4 of a SSG-20. The network on the interface is 10.0.100.0/24.

Because of additional security requirements I need to split this subnet into seperate VLANs.

The VLANs are:

- VLAN2 = Management

- VLAN3 = Trusted

- VLAN4 = Private1

- VLAN5 = Private2

- ...

It is a requirement that some of the devices in VLAN4 and VLAN5 are able to connect to devices in VLAN2 because this is the VLAN were the DNS servers are. My problem is a combination of tagging on the switch and configuring the port on the SSG20. How should I set the ports on the switch that connect the VLAN devices to be able to connect between VLANs? Tagged or Untagged? I would say tagged for all VLANs that require access to the port and excluded for all that don't have access.

I was adviced to use sub interfaces on interface 0/4 of the SSG-20. When I try to set this up I get an error while creating the second sub interfaces saying that there is an illegal overlapping of subnets. This is in some way logical because my VLANs all are in the same subnet. How should I configure this on the SSG-20? Or is this suggested solution not the way how to do it?

Hi,

This might help you:

set vrouter name_str ignore-subnet-conflict

If you attach all subinterfaces (tagged) to the same security zone, and activate intrazone traffic blocking (set zone zone block), you will be able to filter traffic between the VLANs using the intrazone policies.

It is also possible to attach these subinterfaces to different zones that are attached to the same VR with ignore-subnet-conflict enabled (I did not try this).

Kind regards,

Edouard

This is it indeed! Many thanks!

Hello All.

On a SSG 20 running 6.3.0r5.0 I had to enter:

set vrouter "trust-vr " ignore-subnet-conflict

Regards.