Screen OS

Hi,

I current have a flat network consisting of an SSG140 and some HP Procurve 2810 switches. There is now a requriement to split this up into several VLANs.

The 2810 switch is layer 2 and does not support IP routing between VLANs so I want the Juniper to handle the routing. If I understand it correctly I would need to create seperate sub interfaces for each of the requried VLANs on the juniper and tag these to the appropriate VLAN.

My question is we want to keep our current flat network assosiated to the trust interface intact and it has several secondary IP networks and a few hundred policies. Is there a way I can add a VLAN ID to my current trust interface (ethernet 0/9) and then create sub interfaces for the remaining VLANs. Or do i need to create a new null interface and then create all my VLANs as sub interfaces of the new interface?

You can create new sub-interfaces off of your currently configured eth0/9, no need to create the sub-interfaces off of a new interface bound to the null zone (albeit, it looks cleaner when done that way).  Your current eth0/9 interface will function as the untagged VLAN on that trunk interface and any new sub-interfaces you add off of it will funcation as tagged VLANs.

Great thanks.

That's working fine for my two new VLANs however my question now is can i tag a VLAN directly to the ethernet 0/9 interface or will this require creating a sub interface and migrating the settings?

Thanks

I don't believe you can tag a non-subinterface.  I've never seen the option and there doesn't appear to be the equivalent command:

SSG320M-> set int eth0/1 tag ?
                         ^------unknown keyword tag
SSG320M-> set int eth0/1.1 tag ?
<number>             tag number (range: 1 - 4094)

Hi,

Thanks. I thought that was the case but wanted to be sure. I've just added another sub interface and done a "find and replace" on the config file to changes all the rules and routing.

James