SSG20 VLAN SUB I/F CONFIG PROBLEM SCREEN OS 6.1.0R2

(OP)
I am trying to configure VLAN 3 to ride on the E0/2 I/F, but it does not work. First, I defined zone 100 for the trust-vr Sec L3 and bound it to BG1, which became BG1.3. Then I assigned DHCP with IP assignments. E0/2 is bound to BG1. I have a C2950G switch connected to E0/2, and ports FA0/21 - 24 are assigned to VLAN 3. With that arrangement the only thing that works is the DHCP. When I connect a computer to port 21 through 24, it gets an IP address for VLAN 3 from the DHCP server, but nothing else works! I can PING BG1.3, but nothing else, no connections! The default Policy 1 - ANY TO ANY exists in the table. So I thought maybe the Sub I/F needs to be bound to zone 100 directly without BG1.3. So I deleted BG1.3 and tried using both the WebUI and CLI to configure E0/2.3 and assign IP 10.10.11.1/24 to the Sub I/F, but E0/2 does not show in the list when I try to create a new Sub I/F. Then I tried using the CLI with the SET INTERFACE command, and that was worse. The SSG20 CLI did not recognize any of the formats or syntax that are in the examples I followed in the documentation. Where does one find a list of valid CLI COMMANDS for the SSG20 that work? Or is there some other method I should be using to make this work to share E0/2 with VLAN 3?

I am completely baffled at this point...

Thanks in advance for any help!

....JIM....

RE: SSG20 VLAN SUB I/F CONFIG PROBLEM SCREEN OS 6.1.0R2

Don't forget the basic relationship hierarchy - a ZONE is assigned to a VR, an INTERFACE is assigned to a zone, and an IP is assigned to an interface. Nowhere in there does it mention VLANs, as the SSG and ScreenOS really don't operate in that fashion (very well, anyway, from my experience). Usually when someone references VLAN in ScreenOS I think of Layer 2 transparent. From what I can gather you've combined Transparent and L3 interfaces. When you deleted BGroup1.3 you put E2 back in the NULL zone, where you can't assign it an IP Address.

Some questions:

What else is/was in BGroup1 besides E2?

On the 2950, are ports 21-24 trunk ports or tagging VLAN 3, or are they simply VLAN 3 access ports?

If VLAN 3 on the Cisco is just an identifier, then you really don't need to reference it at all on the SSG. Build E2 as a Layer3 port without a BGroup attachment, assign it an IP Address and then uplink it to the Cisco.

RE: SSG20 VLAN SUB I/F CONFIG PROBLEM SCREEN OS 6.1.0R2

(OP)
E0/2 is bound to BGroup 1 for the 207dot subnet. In the Network Interface List, E0/2 appears under BG1, and BG1 is the Gateway for the 207dot subnet. That same interface needs to have sub interface E0/2.3 for VLAN 3 in order to provide layer 3 routing to the internet only for the VLAN 3 subnet that is connected to ports 21 through 24 on the C2950G switch A. The C2950G switch A has VLAN 3 configured for access ports FA0/21 - 24, and the uplink is trunk port GI0/1 fiber to another C2950G switch B GI0/1, which is also configured as a trunk port, along with trunk port FA0/24 that connects to the SSG20 E0/2 port.

What is the point of having sub interfaces if they can't share the physical interface with VLAN(s)?? I thought that was one of the points about VLANs! They are like private line circuits riding a facility, like DS1 channels. Then with a layer 3 device, it can provide the routing functions for the VLAN, if needed. In my case it is needed!

....JIM....
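The two posts above describe the same three-level hierarchy (zone to virtual router, interface to zone, IP to interface) and a trunk that must carry both the untagged 207.x subnet and tagged VLAN 3 into E0/2. The following ScreenOS 6.1 CLI sequence is an added example written for this thread, not configuration taken from the poster or from Juniper documentation. The zone name "V3", the 10.10.11.0/24 subnet, the DHCP pool bounds and the assumption that a default route to Untrust already exists in trust-vr are all illustrative choices; the "#" lines are explanation, not CLI input. Two ScreenOS facts the example relies on: a port that is a member of a bgroup cannot host its own subinterface (the subinterface goes on the bgroup, e.g. bgroup1.3, or the port is first removed from the bgroup), and policies are matched per zone pair, so a Trust-to-Untrust "any any any permit" does not apply to traffic sourced in a new zone.

```text
# Added example (not from the thread). "#" lines are commentary, not CLI.
# Assumed: zone "V3", subnet 10.10.11.0/24, DHCP pool .100-.200, a default
# route to Untrust already in trust-vr. Check each command's syntax with
# "set interface ?" and the result with "get config".

# 1. Zone -> virtual router (a Layer 3 security zone in trust-vr)
set zone name "V3"
set zone "V3" vrouter "trust-vr"

# 2. Interface -> zone: a tagged subinterface on bgroup1. ethernet0/2 stays
#    a bgroup1 member, so the untagged (native VLAN) 207.x subnet keeps
#    terminating on bgroup1 while VLAN 3 rides the same trunk as bgroup1.3.
#    Alternative if you want ethernet0/2.3 instead: first
#      unset interface bgroup1 port ethernet0/2
#      set interface ethernet0/2 zone "Trust"
#      set interface ethernet0/2.3 tag 3 zone "V3"
#    but then the 207.x IP must move off bgroup1 onto ethernet0/2.
set interface bgroup1.3 tag 3 zone "V3"

# 3. IP -> interface, route mode (source NAT is done in the policy below)
set interface bgroup1.3 ip 10.10.11.1/24
set interface bgroup1.3 route

# 4. DHCP for the VLAN 3 hosts (pool bounds are assumptions)
set interface bgroup1.3 dhcp server service
set interface bgroup1.3 dhcp server option gateway 10.10.11.1
set interface bgroup1.3 dhcp server option netmask 255.255.255.0
set interface bgroup1.3 dhcp server ip 10.10.11.100 to 10.10.11.200
set interface bgroup1.3 dhcp server enable

# 5. Policies are per zone pair. The existing Trust -> Untrust ANY/ANY/ANY
#    policy does not match traffic sourced in zone V3; state the pair.
set policy from "V3" to "Untrust" "Any" "Any" "ANY" nat src permit
# Only if VLAN 3 hosts must also reach the 207.x subnet on bgroup1:
# set policy from "V3" to "Trust" "Any" "Any" "ANY" permit

# 6. Checks: tag/zone on the subinterface, zone binding, policy, route
get interface bgroup1.3
get zone "V3"
get policy from "V3" to "Untrust"
get route
```

On the Cisco side this assumes FA0/24 on switch B is a trunk whose native VLAN carries the untagged 207.x subnet and whose allowed list includes VLAN 3; `show interfaces trunk` on both 2950s confirms VLAN 3 is allowed and forwarding end to end from the FA0/21-24 access ports. The symptom in the first post, where DHCP and a ping to the subinterface work but nothing beyond it does, is exactly what a missing zone-pair policy produces: the gateway answers locally, and every session toward Untrust is dropped by policy lookup. Per-session context help (`set interface ?`, `set policy ?`) and the ScreenOS CLI Reference Guide for the running release are the authoritative list of accepted syntax on the box.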

RE: SSG20 VLAN SUB I/F CONFIG PROBLEM SCREEN OS 6.1.0R2

I don't believe it can't be done. Normally you would think of VLANs in that fashion, I've just never tried to build them in an SSG on sub-interfaces. If I get a minute I'll break out my test box and see what it looks like.  

RE: SSG20 VLAN SUB I/F CONFIG PROBLEM SCREEN OS 6.1.0R2

(OP)
This is more or less the design I have had from the beginning (2007) for my client in trying to find a way to get the most out of their hardware and get rid of all the SOHO boxes in the system previously, and provide a real firewall/router for the network with three subnets.

I have been trying to follow the "Concepts & Examples ScreenOS Reference Guide: Volume 2: Fundamentals" Release 6.1.0, rev.01 documents. It talks about ScreenOS architecture and has various examples of configurations that I have been trying to integrate into my design, but the VLAN part is the most troublesome. Originally, I was trying to find a firewall with a "switch port" type module that could be flexible (have enough spigots), and the Juniper SSG series appeared to fit the bill. I even spoke to some Juniper sales engineers, and discussed the several network design diagrams with sales engineers at Virtual Armor, the vendor. All seemed to be capable for this design.

If you want, I can try to upload the network layouts to clarify what I am doing.

....JIM....

RE: SSG20 VLAN SUB I/F CONFIG PROBLEM SCREEN OS 6.1.0R2

There's no such thing as too much information in troubleshooting...