Configuring Virtual IP addresses on Juniper SSG

I have a client that is moving away from a DS3 to a TW Telecom circuit. They specified they were told they no longer needed a router. The current configuration has a Cicso 6501 router going to the Juniper SSG 140. The new circuit is simply a switch at the customers location. Is it possible to create two virtual interaces and route between them to accomplish this. Would the config be similar to the one below:

set int e0/2.10 ip   (interface for ISP)
set int e0/2.10 route
set int e0/2.20 ip (customer firewall side)
set int e0/2.20 route
set route interface ethernet0/2.10 gateway

I am more accustom to having both the router and then the Juniper device.
LVL 32
Rodney BarnhardtServer AdministratorAsked:
Who is Participating?
Rodney BarnhardtConnect With a Mentor Server AdministratorAuthor Commented:
We just installed a router and configured it in between the firewall and the ISP.
It sound like what you are trying to do is VLAN trunking on your ethernet 0/2.  You can run 2 sub-interfaces on one physical interface with VLAN trunking or tagging.  

Here is an example of a configuration I am using:

set zone id 100 "Internal1"
set zone id 101 "Internal2"

set interface "ethernet0/1.102" tag 102 zone "Internal1"
set interface "ethernet0/1.105" tag 205 zone "Internal2

set interface ethernet0/1.102 ip
set interface ethernet0/1.102 route
set interface ethernet0/1.105 ip
set interface ethernet0/1.105 route

I set my zones up in the first two commands.  The next 2 commands may the interface to the zone name.  The tag IDs are the VLAN numbers.  This interface
connects to a Cisco switch that is setup as a VLAN trunk, trunking VLANS 102 and 105.

Rodney BarnhardtServer AdministratorAuthor Commented:
Yes, this may be what I am looking for. I do have a question though. The switch I am connecting to is provided by TW telecom to connect to, so I do not know that it is set up as a VLAN trunk. Basically, the IT director was told there would be no need for a router. However, they provided two sets of IP's. One with a CIDR of 30 (now presumably a router) and the other with a CIDR of 28 (the external IP's for services). Would this still work not knowing how TWC configures their end?
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

If  the switch you are connecting to belongs to your ISP, you may not be able to share e0/2 with both the external and internal connection.  Their switch would need to support trunking and they would need to provide you wtih an additional port off their switch that would carry the internal connection to your LAN.  You could possible insert a switch of your own in between the firewall and their switch.  This switch would have a trunk port to e0/2 to our firewall, carrying both VLANs.  Then that switch would have one port going to your ISP switch and one port or many ports going to your internal LAN.  These ports would not be trunk ports, but would be access ports tagged for the appropriate VLANs.

As for the IP addressing question, it is most likely that the /30 subnet is a transit network between your firewall and the ISP router.  The additional block is probably going to be routed to your firewall.  You can check with the ISP, but this most likely the case.  The have probably given you an address in that /30 to setup on your firewall.  The /28 can than be used as a NAT pool or it can be configured on an internal interface and used as an actual subnet.  NAT however will allow you to conserve the address space and allow for more flexibility in the future when changing public IPs.  
Rodney BarnhardtServer AdministratorAuthor Commented:
Well, if I am going to go to the trouble of adding a switch, I might as well place my own router. I have extra routers due to company downsizing. Typically, with our DS3, we had our own router that interfaced to the ISP with our /30 IP, then used the /28 for MIP\VIP's on our SSG. I guess we will just go with that same set up. TWC told the director we would just connect to our firewall without anyone asking specific questions.
if you have a free interface on your firewall, you could separate out the 2 networks.  That way you could just connect the firewalls ISP facing network to the ISP.   The second interface would connect to your LAN.  I assumed that since you were trying to do it all on one interface, that you are short on firewall interfaces.
Rodney BarnhardtServer AdministratorAuthor Commented:
We just used a router.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.