Configuring Virtual IP addresses on Juniper SSG

It sound like what you are trying to do is VLAN trunking on your ethernet 0/2.  You can run 2 sub-interfaces on one physical interface with VLAN trunking or tagging.  

Here is an example of a configuration I am using:


set zone id 100 "Internal1"
set zone id 101 "Internal2"

set interface "ethernet0/1.102" tag 102 zone "Internal1"
set interface "ethernet0/1.105" tag 205 zone "Internal2

set interface ethernet0/1.102 ip 10.10.102.0/24
set interface ethernet0/1.102 route
set interface ethernet0/1.105 ip 10.10.105.0/24
set interface ethernet0/1.105 route


I set my zones up in the first two commands.  The next 2 commands may the interface to the zone name.  The tag IDs are the VLAN numbers.  This interface
connects to a Cisco switch that is setup as a VLAN trunk, trunking VLANS 102 and 105.

Yes, this may be what I am looking for. I do have a question though. The switch I am connecting to is provided by TW telecom to connect to, so I do not know that it is set up as a VLAN trunk. Basically, the IT director was told there would be no need for a router. However, they provided two sets of IP's. One with a CIDR of 30 (now presumably a router) and the other with a CIDR of 28 (the external IP's for services). Would this still work not knowing how TWC configures their end?

If  the switch you are connecting to belongs to your ISP, you may not be able to share e0/2 with both the external and internal connection.  Their switch would need to support trunking and they would need to provide you wtih an additional port off their switch that would carry the internal connection to your LAN.  You could possible insert a switch of your own in between the firewall and their switch.  This switch would have a trunk port to e0/2 to our firewall, carrying both VLANs.  Then that switch would have one port going to your ISP switch and one port or many ports going to your internal LAN.  These ports would not be trunk ports, but would be access ports tagged for the appropriate VLANs.

As for the IP addressing question, it is most likely that the /30 subnet is a transit network between your firewall and the ISP router.  The additional block is probably going to be routed to your firewall.  You can check with the ISP, but this most likely the case.  The have probably given you an address in that /30 to setup on your firewall.  The /28 can than be used as a NAT pool or it can be configured on an internal interface and used as an actual subnet.  NAT however will allow you to conserve the address space and allow for more flexibility in the future when changing public IPs.  

Well, if I am going to go to the trouble of adding a switch, I might as well place my own router. I have extra routers due to company downsizing. Typically, with our DS3, we had our own router that interfaced to the ISP with our /30 IP, then used the /28 for MIP\VIP's on our SSG. I guess we will just go with that same set up. TWC told the director we would just connect to our firewall without anyone asking specific questions.

if you have a free interface on your firewall, you could separate out the 2 networks.  That way you could just connect the firewalls ISP facing network to the ISP.   The second interface would connect to your LAN.  I assumed that since you were trying to do it all on one interface, that you are short on firewall interfaces.

We just used a router.