vpassenheim asked:

How can a physical interface host multiple IP addresses on an SSG 5 Juniper firewall?

I'm trying to set up a lab environment for a Pluralsight video course that I'm trying to follow along with.  I've already sent them this data, but have yet to hear back from them more than 1 week later :(  Anyway, here's what I think I need to do, but really this is sort of a somewhat educated guess.  Any and all assistance is greatly appreciated:

I believe I will need to create 3 separate bridge group interfaces (called "bgroup"s in Juniper terminology), one for each Ethernet port (ethernet0/2, ethernet0/3, and ethernet0/4), because each of these groups constitutes its own broadcast domain.  Each newly created bgroup needs to then be assigned a static IP address/subnet mask to define its broadcast domain/lan segment (in this case, they will be: 172.16.5.254/24; 172.16.6.254/24 & 172.16.7.254/24), and all will be assigned to the Trust zone. I then need to enable DHCP for each bgroup (i.e., per interface) and make sure the scopes match the aforementioned segments with DHCP exclusions for the static IP addresses to be used by the servers in each segment.

I believe this shows me how to do that:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4243

Finally, I believe I need to set up a mapped IP (MIP) for each bgroup interface in order to connect the external firewall port IP address of 192.168.10.5, etc., to the respective internal IP address for each interface (172.16.5.254, etc.).  I think this is the process here:

http://www.howtonetworking.com/Routers/juniper1.htm

I'm assuming the host virtual router name to be selected should be trust-vr.

I am attaching the relevant network diagrams for confirmation of this analysis.
[Attachment: Lab-Setup---Windows-7-Administration---G]
[Attachment: Lab-Setup---Windows-7-Administration---P]

Rafael

You would have to create subinterfaces off a regular interface. Once done you can add the IPs as needed. Don't forget to update your routes and policy rules.

HTH
-Rafael
You also do not need bridge groups for each interface. Bgroups are used to assign multiple interfaces to a single subnet. For example:

bgroup1  ip = 192.168.1.1/24
assign eth0/1, 0/2 and 0/3 to it so that they are all part of the 192.168.1.1/24 subnet (behaves like a switch)

Other than that you have the right plan
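The following ScreenOS CLI fragment puts Rafael's answer and the addressing from the question together, as an added example that is not from the original thread or from the Juniper KB articles it links. It assumes (none of this is stated in the thread) that the SSG 5 is at factory defaults, so ethernet0/0 is the Untrust interface and ethernet0/2 to ethernet0/4 start out as members of bgroup0; that the Untrust interface sits on 192.168.10.0/24 with the firewall itself at 192.168.10.1, so the three MIP addresses fall inside its subnet; and that the first server in each segment is at .1 (172.16.5.1 and so on), which is what the MIPs point at, because a MIP is a one-to-one static NAT from an Untrust-side address to a single host behind a Trust interface. VLAN tags 5, 6 and 7 are also assumed. Lines beginning with # are explanatory comments, not ScreenOS syntax; strip them before pasting. Option A and Option B both use ethernet0/2, so apply one or the other, not both.

```screenos
# --- Option A: one subnet per physical port (the three-port layout in the question) ---
# Assumption: ethernet0/2-0/4 are factory members of bgroup0. A port must leave the
# bridge group before it can carry its own IP address; no bgroup or subinterface is
# needed when each subnet has its own port.
unset interface bgroup0 port ethernet0/2
unset interface bgroup0 port ethernet0/3
unset interface bgroup0 port ethernet0/4

set interface ethernet0/2 zone trust
set interface ethernet0/2 ip 172.16.5.254/24
set interface ethernet0/3 zone trust
set interface ethernet0/3 ip 172.16.6.254/24
set interface ethernet0/4 zone trust
set interface ethernet0/4 ip 172.16.7.254/24

# DHCP per interface. ScreenOS has no separate "exclusion" object: keep the static
# server addresses (assumed here to be .1-.99) outside the pool range instead.
set interface ethernet0/2 dhcp server service
set interface ethernet0/2 dhcp server option gateway 172.16.5.254
set interface ethernet0/2 dhcp server option netmask 255.255.255.0
set interface ethernet0/2 dhcp server ip 172.16.5.100 to 172.16.5.200
set interface ethernet0/2 dhcp server enable
# Repeat the five DHCP lines for ethernet0/3 (172.16.6.x) and ethernet0/4 (172.16.7.x).

# --- Option B: several subnets on ONE physical port via subinterfaces (Rafael's method) ---
# Each subinterface is an 802.1Q VLAN. The switch port facing ethernet0/2 must trunk
# the tags (5, 6 and 7 are assumed values) or the hosts never reach their gateways.
set interface ethernet0/2.1 tag 5 zone trust
set interface ethernet0/2.1 ip 172.16.5.254/24
set interface ethernet0/2.2 tag 6 zone trust
set interface ethernet0/2.2 ip 172.16.6.254/24
set interface ethernet0/2.3 tag 7 zone trust
set interface ethernet0/2.3 ip 172.16.7.254/24

# Variant of Option B without VLAN tags: a secondary IP on the untagged port. Both
# subnets then share one broadcast domain, so there is no policy boundary between them.
# set interface ethernet0/2 ip 172.16.6.254/24 secondary

# --- Mapped IPs on the Untrust side (same for either option) ---
# Assumption: ethernet0/0 is Untrust on 192.168.10.0/24. Each MIP is a 1:1 static NAT
# from an Untrust-side address to one host in the matching segment; trust-vr is the
# virtual router that owns the Trust interfaces.
set interface ethernet0/0 ip 192.168.10.1/24
set interface ethernet0/0 mip 192.168.10.5 host 172.16.5.1 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 192.168.10.6 host 172.16.6.1 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 192.168.10.7 host 172.16.7.1 netmask 255.255.255.255 vr trust-vr

# A MIP passes nothing until a policy permits it. The service field is "any" here only
# for the lab; "any" exposes every port on the mapped host, so replace it with the
# specific predefined or custom service the course actually needs.
set policy from untrust to trust any mip(192.168.10.5) any permit
set policy from untrust to trust any mip(192.168.10.6) any permit
set policy from untrust to trust any mip(192.168.10.7) any permit
# Outbound from the three segments (matches the factory default policy).
set policy from trust to untrust any any any permit
save

# Checks: interface/zone/IP assignments, the MIP table, the routes the interfaces
# created in trust-vr, and the policy set.
get interface
get mip
get route
get policy
```

The two checks worth doing before touching the course VMs are `get interface`, to confirm the three ports (or subinterfaces) show the right zone and address and no longer appear under bgroup0, and `get mip`, to confirm each mapped address resolves to the intended host rather than to the firewall's own gateway address.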
vpassenheim (ASKER)

Rafael,

Thanks for your quick response! I just want to clarify, when I create the subinterfaces (http://kb.juniper.net/InfoCenter/index?page=content&id=KB4480), will I be essentially creating 3 VLANs with a single IP address comprising the VLAN (a /32 'network' designation)?  So I will be using the 192.168.10.5, 192.168.10.6 & 192.168.10.7 in the VLANs and then make route entries for 1 to 1 mappings from 172.16.5.254/192.168.10.5, etc...?  The part that confuses me from the diagram is the firewall section (I'm highlighting it on the diagram).  Am I completely off?  Once again, newbie here, so please bear with me.  I REALLY appreciate anything you have to say.

Thanks,
Victor
[Attachment: Lab-Setup---Windows-7-Administration---P]

vpassenheim (ASKER)

Sanga,

I'm doing it that way because I require 3 subnets:  172.16.5.x, 172.16.6.x, 172.16.7.x.  Each subnet will be connecting via the corresponding gateway (.254 address) on the "internal" side of the firewall and going out on the "external" side of the firewall via the 192.168.10.5 ; 192.168.10.6; 192.168.10.7 corresponding addresses.  I'm just trying to interpret the diagrams - am I understanding this wrong?

Thanks,
Victor
ASKER CERTIFIED SOLUTION
Sanga Collins

This solution is only available to members of Experts Exchange.
vpassenheim (ASKER)

Oh Sanga, you're a lifesaver!

I'm going to try it, but I'm sure it will work!

Thanks,

Victor