Screen OS

  • 1.  Divide a /24 public IP network

    Posted 06-30-2011 01:16

    I have an SSG5 and I need to set up a few servers behind it with public IP addresses.

    The network is pretty simple, with a static IP on the SSG on the Untrust interface, and I have a few VLANs on a Trust interface for servers and clients on the inside.

     

    From our ISP, we have received a whole /24 network, which is different from our static IP on the SSG itself. Until now, I have managed with MIPs on the Untrust interface, meaning NAT is in place.
    Now I need to set up some servers with public IPs, which means I cannot use MIP anymore.

    Can someone please tell me how I can divide my /24 network, i.e. into 2 parts, without losing my MIP setup?


    At the moment I have only used the 20 first IP addresses in the /24 network, and I would like to make it into 2 /25 networks, but still retain the current config of MIPs.

    Until now, I have not used the DMZ zone at all, but I am thinking of putting the second half of my /24 network here, so I have an ample amount of addresses to use for the future.

     

    Thanks for your help!



  • 2.  RE: Divide a /24 public IP network

    Posted 06-30-2011 04:10

    Hi,

     

    You will not lose the existing MIP setup if you assign the second half of the network to the DMZ. The /24 network is not assigned to any interface. It is simply routed by the ISP to the untrust interface. The 20 first IPs, that means MIPs, are responding and performing NAT; the upper 128 addresses will be routed through the DMZ interface.



  • 3.  RE: Divide a /24 public IP network

    Posted 06-30-2011 04:35

    Thanks for your reply. I am a little new on Juniper, so that's why I just want to make sure that it will work.

     

    I understand that the ISP is routing the whole subnet for me, I just wonder how I can divide it myself into 2 halves. Can I simply create a new subinterface on an existing port (in order to have VLAN tagging), put the IP, i.e. 10.10.10.127/25, and assign it to the DMZ zone?



  • 4.  RE: Divide a /24 public IP network
    Best Answer

    Posted 07-04-2011 01:24

    Hi,

     

    Yes, you can do it this way. But I would not recommend mixing the native/default VLAN and tagged VLANs on the same Ethernet interface. So, if you have an addressed interface ethx/y, do not create ethx/y.1. Use another interface and create a numbered subinterface. You can also create ethx/y.1 and ethx/y.2 and move the IP of ethx/y to a new subinterface. A trunk should also be configured on the switch.



  • 5.  RE: Divide a /24 public IP network

    Posted 07-04-2011 01:29

    Thanks, I already tried it and it worked. I forgot to mention that all my existing networks are on subinterfaces already, so now I think I found the solution. I just created a new subinterface with a mask of /25 with interface IP x.x.x.129, thanks for your help!



  • 6.  RE: Divide a /24 public IP network

    Posted 02-27-2014 11:57

    Could you briefly explain how you did the division?

     

    And routing?
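The division discussed in this thread, as an added example that is not part of the original posts: a pre-change check that splits the routed /24 into two /25s, keeps the MIP addresses in the lower half, and validates the address planned for the DMZ subinterface. The block 203.0.113.0/24 is a documentation range standing in for the real one, and `plan_split` and the MIP list are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation range, MIPs on the first 20 addresses.
BLOCK = "203.0.113.0/24"
MIPS = [f"203.0.113.{n}" for n in range(1, 21)]

def plan_split(block, mips, dmz_interface):
    """Split block into a lower (MIP) and upper (DMZ) half and check the plan.

    dmz_interface is the address/mask planned for the DMZ subinterface.
    Returns (plan, problems); an empty problems list means the plan is consistent.
    """
    net = ipaddress.ip_network(block)
    lower, upper = net.subnets(prefixlen_diff=1)
    iface = ipaddress.ip_interface(dmz_interface)
    addrs = [ipaddress.ip_address(m) for m in mips]
    problems = []

    # The interface must sit in the upper half, not the half still used for MIPs.
    if iface.network != upper:
        problems.append(f"interface subnet {iface.network} is not the upper half {upper}")
    # An interface address cannot be the subnet's network or broadcast address.
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {iface.network}")
    # Assumption: a MIP must not fall inside the subnet attached to the DMZ.
    clashes = [str(a) for a in addrs if a in iface.network]
    if clashes:
        problems.append(f"{len(clashes)} MIP(s) inside the DMZ subnet, first: {clashes[0]}")
    outside = [str(a) for a in addrs if a not in net]
    if outside:
        problems.append(f"{len(outside)} MIP(s) outside {net}, first: {outside[0]}")

    plan = {
        "mip_half": str(lower),
        "dmz_half": str(upper),
        # Usable addresses minus network, broadcast and the firewall's own address.
        "dmz_server_addresses": upper.num_addresses - 3,
    }
    return plan, problems

if __name__ == "__main__":
    for candidate in ("203.0.113.127/25", "203.0.113.129/25"):
        plan, problems = plan_split(BLOCK, MIPS, candidate)
        print(candidate, plan, problems or "OK")
```

A host address of .127 with a /25 mask fails the check because it is the broadcast address of the lower half, while .129/25 lands in the upper half and leaves the MIP range untouched.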