How do I configure a VLAN on a Juniper NS5GT firewall?

Posted on 2010-01-09
Medium Priority
Last Modified: 2013-11-16
Dear Network Expert, please share your experience.

Firewall: NS5GT
NetScreen: Version 5
Switch: 3Com unmanaged switch
--Using MS Win03 AD, DHCP, DNS

My question is this: we have a WiFi AP in the office which allows visitors using laptops to access the network (NOT AD logon). I would like to ....
1. Separate these users from the domain network
2. Limit their bandwidth utilization
3. Maybe a certain level of network monitoring

How should I create a VLAN in Juniper?
What should I configure if I need to achieve the above in the VLAN?

Thank you for your attention.
Question by:Gordon Tin
LVL 18

Expert Comment

by:Sanga Collins
ID: 26273447
To create a VLAN from the web interface, go to Network > Interfaces > New VLAN in the top right corner. I am not sure that creating just a VLAN will help you, though.

A good way to accomplish what you need is putting the NS5GT into Home/Work port mode. This will allow you to physically separate each network with its own ports (1 & 2 for the Work zone, 3 & 4 for the Home zone). Traffic from the Home zone to the Work zone is denied by default and cannot be modified by any policy you add. Please NOTE: switching port modes requires erasing the current config. Because you change zone names from Trust/Untrust to Home/Work/Untrust, the old config cannot be automatically ported over to the new setup.

You can also create a subinterface on the trust interface. Give it a different IP address from your old LAN and put it in a custom zone (call it WiFi-zone?). Depending on your access point's features and settings, you can then configure it as part of the subinterface network.

Hope this helps.
LVL 18

Expert Comment

by:Sanga Collins
ID: 26273452
Forgot to say: if you create a subinterface, you do not need to erase the device as you would if you change port mode.

Expert Comment

ID: 26276720

With what you have, the VLAN won't help you. To use a VLAN you should have a managed switch, so you could connect the AP to a port in one VLAN and keep your infrastructure on another VLAN. Without buying other equipment, your only choice would be to switch the device to Home/Work mode as suggested by sangamc; unfortunately this requires rebuilding the config from scratch.
Your other option would be to switch to an SSG5 (the 5GT is EOL anyway, and you cannot get support if you didn't buy it last year), which you can configure freely with different zones. Or you could buy an SSG5 with an integrated AP; in this case you would also get rid of the current AP, and in the same box you could create multiple SSIDs, for your guests, your users, or whatever else, all integrated in the firewall.


Author Comment

by:Gordon Tin
ID: 26276742
"You can also create a subinterface on the trust interface. Give it a different IP address from your old LAN and put it in a custom zone (call it WiFi-zone?). Depending on your access point's features and settings, you can then configure it as part of the subinterface network."

Could you explain this suggestion in more detail, because I don't quite get it?
"Give it a different IP address from your old LAN" ????????
Forgive me, I am new to Juniper firewalls.
Experts, please share your experience.
LVL 18

Accepted Solution

Sanga Collins earned 2000 total points
ID: 26278858
Basically, creating a subinterface is like adding a secondary IP to the NIC on your PC. This will allow you to address two separate subnets without adding a second NIC card (or changing the port mode, as in the case of the NetScreen).

so your original LAN and setup remains the same:
zone trust (vr=trust-vr)

Then you create a new subinterface for the wireless access point with its own LAN
zone Wifi (vr = trust-vr)

Give your access point an IP address on the new network so that your wireless devices will also be on the new network. You can now create policies to govern where the wireless traffic goes.

internet policy
wifi - untrust source:any, dest:any, action:permit

control wifi
trust - wifi source:any, dest:any, action:permit

block lan from wifi
wifi - trust source:any, dest:any, action:deny

I hope this helps clear it up for you a little. Please don't hesitate to ask for details on any part of this process.
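The subinterface-plus-zone design in the accepted answer, written out as a ScreenOS CLI configuration. This is an added example, not part of the original thread; the VLAN tag (10), the guest subnet (192.168.20.0/24), the zone name "WiFi", the 2048 kbps bandwidth cap and the DNS address 192.0.2.53 are all assumed values, and lines starting with '#' are explanatory notes rather than CLI commands. One point to check before relying on it: a ScreenOS subinterface is an 802.1Q tagged interface, so the guest SSID must be tagged with VLAN 10 by the access point itself (or by a managed switch in front of it); an unmanaged switch only passes the tagged frames through. Verify the option ordering on the policy lines against `get policy id 10` on your ScreenOS release.

```screenos
# Added example (not from the original thread). Assumed: VLAN tag 10,
# guest subnet 192.168.20.0/24, zone "WiFi", 2 Mbit/s guest cap.

# 1. Custom zone for guest WiFi, in the same virtual router as Trust
set zone name "WiFi"
set zone "WiFi" vrouter "trust-vr"

# 2. Tagged subinterface on the trust port. Guest frames must arrive with
#    VLAN tag 10, so the AP (or a managed switch) has to tag the guest SSID.
#    NAT mode means guest traffic to Untrust is source-translated like the LAN.
set interface "trust.1" tag 10 zone "WiFi"
set interface "trust.1" ip 192.168.20.1/24
set interface "trust.1" nat

# Keep the firewall's management services off the guest-facing interface
unset interface "trust.1" manage web
unset interface "trust.1" manage telnet
unset interface "trust.1" manage ssh
unset interface "trust.1" manage ssl
set interface "trust.1" manage ping

# 3. Guests get addresses from the firewall, not from the AD DHCP server.
#    WiFi -> Trust is denied below, so hand out a public resolver, not AD DNS.
set interface "trust.1" dhcp server service
set interface "trust.1" dhcp server ip 192.168.20.50 to 192.168.20.150
set interface "trust.1" dhcp server option gateway 192.168.20.1
set interface "trust.1" dhcp server option netmask 255.255.255.0
set interface "trust.1" dhcp server option dns1 192.0.2.53
set interface "trust.1" dhcp server enable

# 4. Policies. ScreenOS already drops inter-zone traffic that matches no
#    policy; the explicit deny exists so blocked attempts are logged/counted.
#    Traffic shaping needs a bandwidth figure on the egress interface.
set interface "untrust" bandwidth egress mbw 2048 ingress mbw 2048
set policy id 10 from "WiFi" to "Untrust" "Any" "Any" "ANY" permit traffic gbw 0 priority 7 mbw 2048 log
set policy id 11 from "Trust" to "WiFi" "Any" "Any" "ANY" permit log
set policy id 12 from "WiFi" to "Trust" "Any" "Any" "ANY" deny log count
save
```

After applying this, `get policy` should list the three WiFi policies, `get interface trust.1` should show the zone, tag and IP, and a guest laptop should receive a 192.168.20.x lease and be unable to reach anything on the original Trust subnet. The `log` and `count` keywords give the basic monitoring asked for in the question: policy hits appear in the traffic log (Reports > Logs > Traffic in the web UI) and the counters under `get counter policy 10`.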
