Trying to configure my first Juniper firewall, an SSG5 (running 6.2.0r11.0), but having some trouble with the vlans. I haven't found much documentation relating to what I'm trying to do; possibly because it's not possible, or perhaps I'm just looking in the wrong places.

Here's a diagram of the setup I'm trying to achieve: [diagram image not available]

My first question - is this possible with the Juniper SSG5?

If so, I'm wondering if someone can give me some hints on how to set it up. The switch (Cisco 3550) is configured and working properly, and so far I've:

  1. Created zones for each vlan
  2. Set up sub-interfaces on 0/2 and 0/5; one for each vlan
  3. Put each sub-interface into their respective zone
  4. Put 0/6 into the zone for vlan 10

I have a machine connected to the switch using vlan 10 (access port) and it can ping the 0/2 sub-interface for vlan 10. However, it can't ping the physical interface 0/6 or the host connected to 0/6. I've also tried creating a sub-interface on 0/6 for vlan 10 (putting it in the vlan 10 zone), but it can't ping that sub-interface either (ping enabled on all interfaces and sub-interfaces).

Thanks in advance.

Demelziraptor
  • 479
  • 1
  • 4
  • 11

2 Answers

0

I'm not sure it's possible to do it quite the way you describe.

You might be able to define a bridge group l3 interface for each vlan, but I'm not sure if you can bind vlan subinterfaces into a bridge group, or just whole ports (in which case that wouldn't work.)

You could put ports 2 and 5 into a bridge group, but you couldn't break out vlan 10 into a different port that way.

Is there a particular reason to have the server attach directly to the SSG, and not to the switch? I typically put everything on the switch and run a single trunk port (firewall-on-a-stick), or a couple of trunks for different VLANs if trunk bandwidth is an issue.

techieb0y
  • 4,161
  • 16
  • 17
  • Thanks very much for your reply. (Sub-interfaces can't be added to a bridge group, as far as I know.) I was trying to isolate my internal network (the server in the diagram) from the DMZ (attached to the switch) and regulate traffic between them, but not between the internet (also attached to the switch) and the DMZ. I can't think of any reason why your suggestion of firewall-on-a-stick wouldn't work for this purpose (it's not something I'd considered before), so I'll give it a go now and reply later with the result. Thanks again for your help. – Demelziraptor Aug 09 '11 at 08:38
  • I've only set up part of the network in this way so far, but it's working well. I created two extra vlans though to further section off the internal network from the DMZ, and used the firewall to route between them as well as restrict traffic. Thanks for your suggestion. – Demelziraptor Aug 12 '11 at 17:21
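A ScreenOS configuration for the firewall-on-a-stick layout suggested above (one trunk port, a tagged sub-interface per VLAN, policies between zones), added here as an example; it is not taken from the original post or from Juniper documentation, and the port, VLAN ids, zone names and addresses are assumptions. Lines beginning with `#` are annotations, not ScreenOS commands.

```text
# Trunk port ethernet0/2 carries two tagged VLANs from the Cisco 3550
# (switch side, assumed: the port is a dot1q trunk allowing VLANs 10 and 20).
# Zone names, VLAN ids and addresses below are assumptions for this example.
set zone name "Internal"
set zone name "DMZ"

# One sub-interface per VLAN, each bound to its own L3 zone.
# The sub-interface address becomes the default gateway for that VLAN.
set interface ethernet0/2.1 tag 10 zone "Internal"
set interface ethernet0/2.1 ip 192.168.10.1/24
set interface ethernet0/2.1 route
set interface ethernet0/2.1 manage ping

set interface ethernet0/2.2 tag 20 zone "DMZ"
set interface ethernet0/2.2 ip 192.168.20.1/24
set interface ethernet0/2.2 route
set interface ethernet0/2.2 manage ping

# Internal hosts may reach the DMZ; the reverse direction is denied.
# ScreenOS denies inter-zone traffic by default, but an explicit logged
# deny leaves a record of attempts from the DMZ toward the internal network.
set policy from "Internal" to "DMZ" "Any" "Any" "ANY" permit log
set policy from "DMZ" to "Internal" "Any" "Any" "ANY" deny log

save
```

These policies only see traffic that is routed through the SSG; anything the switch routes between its own VLANs (for example internet to DMZ, if the DMZ gateway is on the switch) never reaches them.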
0

I'm not sure the SSG5 can do that. We did do something similar for other reasons with an SSG140 using virtual routers. It does get very complicated, very quickly.

Brian
  • 621
  • 6
  • 12
  • Thanks for the tip. Initially I was assuming the networking/interface functionality would be similar to Cisco switches and got quite confused for a while with the way the SSG does things; I think I've mostly got the hang of it now. – Demelziraptor Aug 12 '11 at 17:24