ScreenOS Firewalls (NOT SRX)
ScreenOS Firewalls (NOT SRX)

Using SSG5 to extend a broadcast domain

‎11-16-2010 10:59 AM

Here is the scenario.  I have some devices outside of a physical secure area (outside the fence) connected via a switch and fiber to inside the secure area (inside the fence).  Because of how the system is setup, the network is a stand-alone flat network, one broadcast domain.  No routing, etc. (wasn't my design, unfortunately).  Now with new security rules, I have to protect the secure devices from unauthorized devices that could potentially be connected to the "unsecured" switch.  How can I bridge or extend the broadcast domain across the SSG-5?  I found an article titled "Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products" Link to Article, but it's not quite what I'm looking for.  Any ideas?

ScreenOS Firewalls (NOT SRX)

Re: Using SSG5 to extend a broadcast domain

‎11-16-2010 03:39 PM

I am having trouble visualizing your setup.  If I understand correctly you have some switches that have potentially unsecured devices and switches that have your secured devices on the same LAN.  But there is also an SSG device here.


You want to write policies that apply to the "unsecured" devices trying to access the secured devices.


First you would need to physically connect the devices that insured any request from the unsecured switch must transit the SSG5.  This means the two groups of switches can ONLY have a path to each other via ports on the SSG5.


Next you would need to tag the security zone to "block intra-zone traffic" as part of its properties.


Now you can create zone to same zone rules that you want to apply.


These rules can only apply to traffic that the SSG5 actually sees.  Since you have these switches out there that are all in the same layer 2 domain the devices will see each other and communicate directly without blocks unless the only path to the other device is through the SSG5.


I hope this helps and I didn't miss the point.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
ScreenOS Firewalls (NOT SRX)

Re: Using SSG5 to extend a broadcast domain

‎11-18-2010 01:51 PM

The site-to-site vpn with overlapping subnets is only useful if you need to route between two networks that have the same set of IP addresses.  Since this is not technically possible due to the fact you have to cross a layer 3 hop, you have to do some fancy DIP'ing to get that to work.


From my understanding of what you asked, the best way to do it is to leave the networj the way it is and deploy the firewall in layer 2 (transparent) mode, and use it to firewall on the wire.  I think that will accomplish what you need to.


If you look on page 80 of the Screenos Fundamentals Guide, you should get a decent idea of what I am talking about.


Hope that helps!

ScreenOS Firewalls (NOT SRX)

Re: Using SSG5 to extend a broadcast domain

‎01-12-2011 06:29 AM

Shortly after I posted this question, I found the Transparent mode section in the manual.  That worked well using the example starting on page 92.


Basically I have an IP camera and another device in a physically unsecure area that need to send data to a secure area.  So I have just a few policies controlling that traffic on a network.


Now for a follow-up question.  Now I need to do the same for a few more devices on a network.  I would like to use the same firewall, just setup another pair of unused ports on it.  But I seem to be having problems creating a second vlan.  I see that I need to create a zone first, but I can't create a vlan zone (or I don't understand the terms right).