ScreenOS Firewalls (NOT SRX)

ScreenOS - SSG20 to Cisco switch trunk

‎10-12-2011 06:15 AM

Hi, I'm trying to establish a trunk between an SSG20 and a Cisco 2950. I have a trunk port on my Cisco allowing VLANs 100,990.

My subinterfaces on the Juniper are:

set zone id 109 "VLAN990"
set zone id 100 "VLAN100"
set interface ethernet0/4.1 tag 100 zone "VLAN100"
set interface ethernet0/4.1 ip
set interface ethernet0/4.1 route
set interface ethernet0/4.2 tag 990 zone "VLAN990"
set interface ethernet0/4.2 ip
set interface ethernet0/4.2 route

However, the trunk doesn't appear to be working as I can't ping IPs on either side of the network, i.e. from the Juniper I can't see IPs on the Cisco side and vice versa.

- full config is attached




Re: ScreenOS - SSG20 to Cisco switch trunk

‎10-14-2011 03:50 PM

Your interface tagging configuration looks correct. But I don't see any policies set up for your two associated zones. If you are not sourcing the ping from the same zone to the same zone, it will be blocked without a policy set up for it. You will need to create the trust to vlan100 or vlan990 policy to allow the traffic.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)

Re: ScreenOS - SSG20 to Cisco switch trunk

‎10-15-2011 04:30 AM

Also, if you want to ping the SSG interfaces, you need to allow it with the following commands:

set interface eth0/4.1 manage ping

set interface eth0/4.2 manage ping


Also, allowing ping globally is a good idea when setting up new things; you can always remove it later on.

set policy global top any-ipv4 any-ipv4 ping permit log


Also, if your routing is not set up correctly at this point, you might want to test the ping from the SSG CLI to the Cisco:

ping from eth0/4.1 (Of course assuming is Cisco) :-)

Tero S
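
Added example, not part of any post in this thread: a small Python check that applies both replies to a saved ScreenOS config, listing zone pairs that have no permit policy and zone-bound interfaces without manage ping. The Trust interface, the manage ping line and policy id 1 in the sample are constructed, and the check only tests whether a permit policy exists for a zone pair, not its addresses or services.

```python
import re
from itertools import permutations

# Constructed sample: the thread's sub-interface lines plus a hypothetical
# Trust interface, one manage-ping line and one policy (a partial fix).
SAMPLE = '''
set interface ethernet0/0 zone "Trust"
set interface ethernet0/4.1 tag 100 zone "VLAN100"
set interface ethernet0/4.2 tag 990 zone "VLAN990"
set interface ethernet0/4.1 manage ping
set policy id 1 from "Trust" to "VLAN100" "Any" "Any" "ANY" permit
'''

NAME = r'"?([\w/.]+)"?'
IFACE_ZONE = re.compile(rf'^set interface {NAME} (?:tag \d+ )?zone "([^"]+)"')
MANAGE_PING = re.compile(rf'^set interface {NAME} manage ping\b')
ZONE_PERMIT = re.compile(r'^set policy (?:id \d+ )?(?:name "[^"]*" )?'
                         r'from "([^"]+)" to "([^"]+)" .*\bpermit\b')
GLOBAL_PERMIT = re.compile(r'^set policy global\b.*\bpermit\b')

def audit(config):
    """Return (zone pairs with no permit policy, interfaces without manage ping)."""
    zones, ping_ok, permitted, global_permit = {}, set(), set(), False
    for line in map(str.strip, config.splitlines()):
        if m := IFACE_ZONE.match(line):
            zones[m.group(1)] = m.group(2)
        elif m := MANAGE_PING.match(line):
            ping_ok.add(m.group(1))
        elif m := ZONE_PERMIT.match(line):
            permitted.add((m.group(1), m.group(2)))
        elif GLOBAL_PERMIT.match(line):
            # Simplification: any global permit counts for every zone pair.
            global_permit = True
    pairs = permutations(sorted(set(zones.values())), 2)
    blocked = [] if global_permit else [p for p in pairs if p not in permitted]
    # Names are compared literally, so "eth0/4.1" != "ethernet0/4.1".
    no_ping = sorted(i for i in zones if i not in ping_ok)
    return blocked, no_ping

if __name__ == "__main__":
    blocked, no_ping = audit(SAMPLE)
    for src, dst in blocked:
        print(f"no permit policy: {src} -> {dst}")
    for iface in no_ping:
        print(f"manage ping not enabled: {iface}")
```

Run it against the output of `get config` saved to a file by passing the file's text to `audit()`.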