So I had a client the other day ask me about VLAN tagging on the Juniper SSG firewall. This client had been taking some Juniper courses and I'm sure he stumbled upon it somewhere in his reading material. The fact is, most clients I deal with are used to the Cisco product line, and on Cisco gear you can do inter-VLAN routing on an L3 switch or achieve the same thing with the "router-on-a-stick" model. Then we present these clients with the Juniper product and, for the most part, they suddenly stop caring about inter-VLAN routing; they are now intrigued by the zone-based features of the firewall.
In this scenario I'm going to show you how you can achieve the same "router-on-a-stick" functions that you can on a Cisco IOS based router, but on a Juniper SSG firewall instead.

Below is the Juniper SSG Configuration
1) Zone creation
This step is not necessary, but for the purpose of this scenario I wanted to show it anyway. All I'm doing here is setting up 2 new zones named vlan2 and vlan3. I could just as easily have used the trust and DMZ zones, but what the heck!
You can also put both VLANs in the same zone, but keep in mind that by default an SSG allows traffic within a zone, so the two VLANs would be able to talk to each other without a policy permitting it. If you're going to do that, make sure you double-check your policies.
SSG5-Gateway_Lab-> set zone name vlan2
SSG5-Gateway_Lab-> set zone name vlan3
2) Remove physical interface from any zone
This is just clean-up on your part, but it makes things a little easier on the eyes when troubleshooting (at least for me).
SSG5-Gateway_Lab-> set int eth0/6 zone null
3) Apply the VLAN tag and zone on the new sub-interface
Pretty self-explanatory: tag <> is the VLAN number and zone vlan<> is the zone we created above.
SSG5-Gateway_Lab-> set int eth0/6.2 tag 2 zone vlan2
SSG5-Gateway_Lab-> set int eth0/6.3 tag 3 zone vlan3
4) Set the IP's on the sub-interfaces
SSG5-Gateway_Lab-> set int eth0/6.2 ip 192.168.30.1/24
SSG5-Gateway_Lab-> set int eth0/6.3 ip 192.168.60.1/24
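As an added example (not from the original post), here is a small Python check that reads the `set int` lines above and flags the slips this layout invites: an IP on a sub-interface that has no tag, two IPs on one sub-interface, a tagged sub-interface with no IP, and two VLAN sub-interfaces sharing a zone, where the SSG's default intra-zone permit would let the VLANs talk without a policy. The sample config is constructed from the commands in this post, with the second IP deliberately landed on eth0/6.2 so the check fires.

```python
import re

# Constructed sample: the SSG commands from this post, including a slip on
# the last line (the second IP lands on eth0/6.2 instead of eth0/6.3).
SSG_CONFIG = """
set zone name vlan2
set zone name vlan3
set int eth0/6 zone null
set int eth0/6.2 tag 2 zone vlan2
set int eth0/6.3 tag 3 zone vlan3
set int eth0/6.2 ip 192.168.30.1/24
set int eth0/6.2 ip 192.168.60.1/24
"""

TAG_RE = re.compile(r"^set int (\S+\.\d+) tag (\d+) zone (\S+)$")
IP_RE = re.compile(r"^set int (\S+\.\d+) ip (\S+)$")


def lint_subinterfaces(config: str) -> list:
    """Check the 'set int' lines of a ScreenOS snippet; return a list of findings."""
    tags, zones, ips = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := TAG_RE.match(line):
            name, tag, zone = m.groups()
            tags[name], zones[name] = int(tag), zone
        elif m := IP_RE.match(line):
            name, addr = m.groups()
            ips.setdefault(name, []).append(addr)

    findings = []
    for name, addrs in sorted(ips.items()):
        if name not in tags:
            findings.append(f"{name}: has IP {addrs[0]} but no VLAN tag/zone")
        if len(addrs) > 1:
            findings.append(f"{name}: {len(addrs)} IPs assigned ({', '.join(addrs)})")
    for name, tag in sorted(tags.items()):
        if name not in ips:
            findings.append(f"{name}: tagged for VLAN {tag} but has no IP")

    # Two tagged sub-interfaces in one zone: intra-zone traffic is permitted by
    # default on the SSG, so the VLANs could reach each other with no policy.
    members = {}
    for name, zone in zones.items():
        members.setdefault(zone, []).append(name)
    for zone, names in sorted(members.items()):
        if len(names) > 1:
            findings.append(f"zone {zone}: {', '.join(sorted(names))} share a zone; "
                            "intra-zone traffic is allowed by default")
    return findings
```

Run it against the corrected config (second IP on eth0/6.3) and it returns an empty list; move both sub-interfaces into vlan2 and it reports the shared-zone finding instead.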
Cisco Switch Configuration
Under interface fa0/12
Switch(config-if)# switchport mode trunk
Under interface fa0/1
Switch(config-if)# switchport access vlan 2
Under interface fa0/2
Switch(config-if)# switchport access vlan 3
There you have it. This isn't a complex config at all, it's just some people don't even realize that it can be done.
NOTE: If you are using a different zone per VLAN, don't forget to add the proper policies if you want the two VLANs to communicate with each other.