Screen OS

Hello,

i have a ssg5 Version 6.3.0 and try to get a dhcp address from a taged sub int.

config:

eth0/4 0.0.0.0/0 NUll

eth0/4.1 192.168.20.1/24 zone 3 tag 3

eth0/4.1 dhcp service server (gw 192.168.20.1 255.255.255.0) lease 1 day

eth0/4.1 dhcp list : type dynamic from 192.168.20.10 - 192.168.20.100

when i connect my notebook with port eth0/4 i receive no ip adress.

--------------

i tried the dhcp configuration with eth0/4 and it worked, but i need to go with sub int because i need to tag it with vlan 3.

any suggestions?

thanks!

Your config looks correct but you test will not work.  Your laptop is not able to process tagged traffic.  You would need to test with the equipment that can recognize a vlan tag as destined for the device.  

Hi Kc,

I do agree with Steve that laptop's NIC wont be able to understand VLAN which is causing this issue.

Can you please let us know the requirement of VLAN tag even when there is no switch in the path and there is direct connection?

This would help us suggest you a better solution.

Regards,

RIshi

hi,

thanks for your quick respone.

the goal is, to seperate guest and internal wifi.

hardware setup : cisco wap321 poe -> cisco 200-50p -> ssg5 eth0/4 -> ISP Router

i`m trying to get for our guest wifi (vlan 3 tag) ip adresses via ssg5 sub int.

we`re using a cisco wap321 with 2 ssid`s - vlan 1 internal and vlan 3 guest - connected to a cisco 200-50p with default vlan 1 and vlan 3 for guest - connectet to ssg5 port eth4.

Regards,

chris

Thanks for the clarification on the scenario.  I have setup a similar operation in the past to Cisco WAP using the tagged interface.  This is a sample configuration that worked for the DHCP server in that setup.  Just change the interfaces and addresses per your needs.

set interface ethernet0/6.1 tag 3 zone "guest"
set interface ethernet0/6.1 ip 172.16.1.1/24
set interface ethernet0/6.1 route
set interface ethernet0/6.1 ip manageable
set interface ethernet0/6.1 manage ping
set interface ethernet0/6.1 manage snmp
set interface ethernet0/6.1 dhcp server service
set interface ethernet0/6.1 dhcp server auto
set interface ethernet0/6.1 dhcp server option lease 1440 
set interface ethernet0/6.1 dhcp server option gateway 172.16.1.1 
set interface ethernet0/6.1 dhcp server option netmask 255.255.255.0 
set interface ethernet0/6.1 dhcp server option dns1 8.8.8.78 
set interface ethernet0/6.1 dhcp server option dns2 8.8.4.4 
unset interface ethernet0/6.1 dhcp server config next-server-ip
unset interface ethernet0/6.1 dhcp server config updatable

thanks i`ll try it asap:

sgg5 configuration looks like this now:

ethernet0/4 - 0.0.0.0/0 Null Unused Up
ethernet0/4.1 3 172.16.1.1/24 zone3 Layer3 Up

dhcp range 172.16.1.20 - 172.16.1.100

Regards

ps. it is working now so far - another question:

i made a policy zone3 to untrust allow any any but i cannot get out into internet..

add source nat to the egress interface in the advanced tab of the policy.

set policy id 45 from "guest" to "Untrust"  "Any-IPv4" "Any-IPv4" "ANY" nat src permit log

i added the policy, but i still have no Internet Connection, only with intern vlan 1 ....

when i put the interface to zone "trust" it works - so there is a problem with my created zone "zone3".

-> i created a new zone guest, added the same policy and no it works fine!

thanks steve for your help - i really appreciate it !

Glad you have it all worked out.