ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
npgcable
Contributor
npgcable
Posts: 10
Registered: ‎05-11-2008
0

layer 2 VPN, is it possible? Design help

Options

‎08-19-2008 05:36 AM

Hello.

 

Is it possible to create a layer 2 vpn with SSG-5's? Here's my design challenge that I'm trying to overcome:

 

We have 4 seperate private networks: 10.10.10.1/24, 10.10.10.2/24, 10.10.10.3/24, 10.10.10.4/24.  Orignally, we created a mesh VPN network between the sites for the equipment living on those networks.  All was well, everyone got along, life was good. Now, we recently received a new system that needs installed. 

 

The system comprises of a "controller" server and mutliple video servers.  The video servers have to boot up using bootp and the  controller is the bootp server.  The controller lives in 10.10.10.1/24 and then 5 video servers live in each of the networks (for a total of 20).  Naturally, the video servers on the same network as the controller, work fine.  The others do not.  As expected, they don't get a bootp response from the controller, because they are on different networks.

 

So, my thought is:

 

1.  Install a bootp relay server (I'm invesitgating this, and that doesn't really apply here)

2.  Do the juniper SSG's do bootp relaying?

3.  Create a layer2 VPN (if it even exists) and make all the servers simply live on the same broadcast domain.  

 

Is there some really simple solution I'm missing out there?

 

Any help would be appreciated!

 

 

 

Message 1 of 5 (12,264 Views)
 
Reply
mmainer
Visitor
mmainer
Posts: 9
Registered: ‎01-29-2008
0

Re: layer 2 VPN, is it possible? Design help

Options

‎08-19-2008 10:01 AM

can't do l2vpns.  would require an mpls core (http://www.juniper.net/techpubs/software/erx/junose81/swconfig-bgp-mpls/html/l2vpn-config.html)

 

As for bootp never done that so can't tell you if it would work.  Wat version of ScreenOS are you using?  Can you just create a local dhcp service on each local ssg-5?

 

http://kb.juniper.net/ui.jsp?ui_mode=paging&charset=UTF-8&language=en-US&prior_transaction_id=1723583360&navigation_purpose=ANSWER&searchWithin=337642120&page=search_within_doc_page

 

good luck...

-Mike Mainer
Message 2 of 5 (12,251 Views)
 
Reply
npgcable
Contributor
npgcable
Posts: 10
Registered: ‎05-11-2008
0

Re: layer 2 VPN, is it possible? Design help

Options

‎08-19-2008 05:20 PM

We are running screenOS 6.0.0r6.

 

As for the dhcp server in each location, the bootp server is part of the "controller" device and a bootp server in every location is not a supported solution from the vendor.  The system is intended for all of the devices to live on the same broadcast domain.

Message 3 of 5 (12,237 Views)
 
Reply
Trusted Expert
Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008
0

Re: layer 2 VPN, is it possible? Design help

Options

‎08-20-2008 02:49 AM

Hi,

 

Not sure if this will work for your kit but it might be worth looking at DHCP relay on the netscreen firewalls. Have a look in the concepts and example manual Volume 2 page 233. I remember using if for some voip phones, but that was quite awhile ago.

 

Hope this is of help.

 

Regards

 

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Message 4 of 5 (12,216 Views)
 
Reply
Trusted Contributor
Trusted Contributor
Arkus
Posts: 70
Registered: ‎02-11-2008
0

Re: layer 2 VPN, is it possible? Design help

Options

‎08-21-2008 05:12 AM

Hi npgcable,

 

VPNs are possible, but only for traffic encapsulated with layer 3 information. Since Bootp packets can be encapsulated, they can be processed by the VPN tunnel. All IP traffic can be.


The subnets are all the same, which makes things a little more challenging. You would need to look at translating the source and destination IP addresses of the packets as they traverse the firewall. Because you require this network address translating, you need the firewalls to operate in route/nat mode, so you need to look at a normal IPsec VPN.

 

Regards,

A.

Message 5 of 5 (12,178 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.