08-19-2008 05:36 AM
Is it possible to create a layer 2 vpn with SSG-5's? Here's my design challenge that I'm trying to overcome:
We have 4 separate private networks: 10.10.10.1/24, 10.10.10.2/24, 10.10.10.3/24, 10.10.10.4/24. Originally, we created a mesh VPN network between the sites for the equipment living on those networks. All was well, everyone got along, life was good. Now, we recently received a new system that needs to be installed.
The system comprises a "controller" server and multiple video servers. The video servers have to boot up using BOOTP and the controller is the BOOTP server. The controller lives in 10.10.10.1/24 and then 5 video servers live in each of the networks (for a total of 20). Naturally, the video servers on the same network as the controller work fine. The others do not. As expected, they don't get a BOOTP response from the controller, because they are on different networks.
So, my thought is:
1. Install a BOOTP relay server (I'm investigating this, and that doesn't really apply here)
2. Do the Juniper SSGs do BOOTP relaying?
3. Create a layer 2 VPN (if it even exists) and make all the servers simply live on the same broadcast domain.
Is there some really simple solution I'm missing out there?
Any help would be appreciated!
08-19-2008 10:01 AM
Can't do L2 VPNs; it would require an MPLS core (http://www.juniper.net/techpubs/software/erx/junose81/swconfig-bgp-mpls/html/l2vpn-config.html).
As for BOOTP, never done that, so can't tell you if it would work. What version of ScreenOS are you using? Can you just create a local DHCP service on each local SSG-5?
08-19-2008 05:20 PM
We are running ScreenOS 6.0.0r6.
As for the DHCP server in each location, the BOOTP server is part of the "controller" device, and a BOOTP server in every location is not a supported solution from the vendor. The system is intended for all of the devices to live on the same broadcast domain.
08-20-2008 02:49 AM
Not sure if this will work for your kit, but it might be worth looking at DHCP relay on the NetScreen firewalls. Have a look in the Concepts and Examples manual, Volume 2, page 233. I remember using it for some VoIP phones, but that was quite a while ago.
Hope this is of help.
08-21-2008 05:12 AM
VPNs are possible, but only for traffic encapsulated with layer 3 information. Since BOOTP packets can be encapsulated, they can be processed by the VPN tunnel. All IP traffic can be.
The subnets are all the same, which makes things a little more challenging. You would need to look at translating the source and destination IP addresses of the packets as they traverse the firewall. Because you require this network address translation, you need the firewalls to operate in route/NAT mode, so you need to look at a normal IPsec VPN.
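Both the DHCP-relay suggestion (08-20) and the last reply (08-21) turn on what a relay agent actually does to a BOOTP packet, so here is an added example of the RFC 951 / RFC 1542 relay rules. It is my own illustration, not code from this thread or from any Juniper/ScreenOS product, and it opens no sockets: the relay function only decides where a packet goes and how its header is rewritten. The rules it implements are the ones a firewall's DHCP relay feature performs: a request arriving with giaddr 0.0.0.0 is stamped with the address of the interface it came in on, hops is incremented, and the packet is unicast to the configured server; the server answers unicast to giaddr, and the relay hands the reply to the client by broadcast (if the client set the broadcast flag) or to ciaddr/yiaddr. All addresses, the MAC and the offered lease are constructed for the example. In particular it assumes the remote site's relay interface (10.10.20.1 here) is an address the controller routes back over the tunnel; with the identical 10.10.10.0/24 at every site described in the question, a reply to a giaddr inside the controller's own subnet would be delivered on the controller's LAN rather than across the VPN, which is the translation problem the reply above points at.

```python
"""RFC 951 / RFC 1542 BOOTP relay-agent rules as a pure function over packet bytes.

Added example for the thread above; not from the forum posts or from ScreenOS.
No sockets are opened: relay() returns where the rewritten packet would be sent.
"""
import ipaddress
import struct
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
BROADCAST_FLAG = 0x8000      # RFC 1542 section 3.1.1
MAX_HOPS = 16                # RFC 1542 section 4.1.1: drop requests reporting >= 16 hops
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236-byte fixed BOOTP header

# Assumed addresses for the walk-through (constructed, not from the thread).
CONTROLLER = "10.10.10.1"    # the BOOTP server at the main site
RELAY_IF = "10.10.20.1"      # relay's client-facing interface at a remote site


@dataclass
class Bootp:
    op: int
    htype: int
    hlen: int
    hops: int
    xid: int
    secs: int
    flags: int
    ciaddr: str
    yiaddr: str
    siaddr: str
    giaddr: str
    chaddr: bytes
    sname: bytes
    file: bytes
    vend: bytes

    @classmethod
    def unpack(cls, data):
        f = HDR.unpack_from(data)
        ips = [str(ipaddress.IPv4Address(x)) for x in f[7:11]]
        return cls(*f[:7], *ips, f[11], f[12], f[13], data[HDR.size:])

    def pack(self):
        ips = [ipaddress.IPv4Address(a).packed
               for a in (self.ciaddr, self.yiaddr, self.siaddr, self.giaddr)]
        return HDR.pack(self.op, self.htype, self.hlen, self.hops, self.xid, self.secs,
                        self.flags, *ips, self.chaddr, self.sname, self.file) + self.vend


def relay(data, client_if_ip, server_ip):
    """Return (dst_ip, dst_port, bytes) for one packet, or None if it must be dropped."""
    p = Bootp.unpack(data)
    if p.op == BOOTREQUEST:
        if p.hops >= MAX_HOPS:
            return None                           # looping between relays
        p.hops += 1
        if p.giaddr == "0.0.0.0":
            p.giaddr = client_if_ip               # first relay stamps its client-facing address
        return server_ip, SERVER_PORT, p.pack()   # unicast across the routed/VPN path
    if p.op == BOOTREPLY:
        if p.giaddr != client_if_ip:
            return None                           # answer meant for some other relay
        if p.ciaddr != "0.0.0.0":
            return p.ciaddr, CLIENT_PORT, p.pack()
        if p.flags & BROADCAST_FLAG:
            return "255.255.255.255", CLIENT_PORT, p.pack()
        return p.yiaddr, CLIENT_PORT, p.pack()    # unicast to the new address (chaddr at L2)
    return None


def build_request(xid, mac, flags=BROADCAST_FLAG):
    """Constructed sample: a diskless client's first BOOTREQUEST (all addresses zero)."""
    zero = "0.0.0.0"
    return Bootp(BOOTREQUEST, 1, 6, 0, xid, 0, flags, zero, zero, zero, zero,
                 mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, b"\0" * 64).pack()


def build_reply(request, offered_ip, server_ip):
    """Constructed sample: the controller's BOOTREPLY, echoing xid, chaddr and giaddr."""
    r = Bootp.unpack(request)
    r.op, r.yiaddr, r.siaddr = BOOTREPLY, offered_ip, server_ip
    return r.pack()


def walk_through():
    """One request/reply cycle through the remote-site relay; returns both forwarding decisions."""
    req = build_request(0x1234, b"\x00\x11\x22\x33\x44\x55")
    to_server = relay(req, RELAY_IF, CONTROLLER)
    reply = build_reply(to_server[2], "10.10.20.50", CONTROLLER)
    to_client = relay(reply, RELAY_IF, CONTROLLER)
    return to_server, to_client


if __name__ == "__main__":
    for dst, port, pkt in walk_through():
        hdr = Bootp.unpack(pkt)
        print(f"-> {dst}:{port}  giaddr={hdr.giaddr} hops={hdr.hops} yiaddr={hdr.yiaddr}")
```

The check worth keeping in mind when troubleshooting: the server never sees the client's broadcast, only the unicast carrying giaddr, so if a remote video server gets no answer, confirm that giaddr on the forwarded request is an address the controller routes back toward the right site and that the reply actually arrives at the relay's interface (it is dropped on purpose when giaddr does not match).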