What exactly is a sub-interface? I will not explain too much here; if you do not yet understand one-arm routing (router-on-a-stick), please "make up your homework" first, and the configuration details and problems of the SSG series will be much easier to follow.
Next, in common enterprise networks there are many "unprofessional" network engineers and administrators who build a rough, simple network: every switch is used as a pure layer-2 "dumb" switch, and all the gateways sit on the export (edge) device. In past projects and customer network changes I have run into this situation a lot, so it is absolutely necessary here to talk about deploying the SSG in a professional manner.
Well, not much nonsense, direct serving.
For example, the following topology:
[Figure: Qq20160325161108.jpg, the customer's tentative topology; image at Http://s1.51cto.com/wyfs02/M02/7E/01/wKioL1b09IiTUIXkAAF7vsDuu5Y048.jpg]
Subnet requirements:
The business network is split into multiple subnets (segments).
The switch adds VLAN tags; the uplink can be made a trunk.
"It looks very simple, but not using it this way in the enterprise network leads to a lot of pitfalls later on."
First, analysis and pre-planning:
Planning is as illustrated above.
Analyze the customer's tentative topology scheme for multi-VLAN communication. Port G0/0/48 is made a trunk; in theory sw-a will only let hosts in 10.10.0.X/24 reach the Juniper firewall, and the Juniper firewall can ping vlanif1-6. That is the problem: without further configuration, only the 10.10.0.X/24 hosts can reach the Juniper device through that port. From this you can see the direction to take: one-arm routing!! (*^__^*)
Here I am still nagging: single-arm routing as I personally see it ("personal understanding, feel free to throw bricks").
"Single-arm routing definition, a bit of literacy"
Single-arm routing (router-on-a-stick) configures sub-interfaces (also called "logical interfaces"; they have no real physical interface of their own) on one interface of the router to achieve interoperability between different VLANs (virtual local area networks) that were otherwise isolated from each other. (In this case, because the device driving the interface is a Juniper firewall, the VLANs can be kept independent through policy; if no policy is made, they are interconnected.)
Advantages: it achieves communication between different VLANs and helps in understanding and learning the VLAN principle and the sub-interface concept.
Disadvantages: it easily becomes a single point of failure in the network, the configuration is slightly complex, and its practical significance is not great.
Second, SSG firewall configuration:
The Web UI is configured as follows:
Step 1: from the drop-down, select Sub-IF.
[Figure: 2.png, selecting Sub-IF in the Web UI; image at Http://s3.51cto.com/wyfs02/M02/7E/05/wKiom1b09TqxJkqkAAAgrhB3eQY825.png]
Step 2: fill in the parameters.
[Figure: 3.png, sub-interface parameters in the Web UI; image at Http://s1.51cto.com/wyfs02/M00/7E/02/wKioL1b09dWBdA3WAABjyFXQ0p8624.png]
PS: the equivalent CLI configuration:
set interface ethernet0/1.1 tag 2 zone "Trust"
set interface ethernet0/1.2 tag 3 zone "Trust"    # create the sub-interfaces on e0/1 and assign their VLAN tags
set interface ethernet0/1.1 ip 10.10.2.1/24       # IP configuration of the gateway for VLAN 2
set interface ethernet0/1.1 nat                   # interface mode NAT
set interface ethernet0/1.2 ip 10.10.3.1/24       # IP configuration of the gateway for VLAN 3
set interface ethernet0/1.2 nat                   # interface mode NAT
(PS: pay attention to the interface, the zone and the VLAN tag; here 10.10.2.1/24 is vlanif2 on sw-a, so the two must correspond with each other.) Click OK and the output is as follows:
[Figure: 4.png, the sub-interface list after clicking OK; image at Http://s5.51cto.com/wyfs02/M02/7E/02/wKioL1b09h_jBsghAABG3-iUbKs283.png]
Please note that once a sub-interface is created it is up by default. The number after the dot in the interface name is the VLAN tag (i.e. the tag the downstream switch trunk carries), and once the main interface goes down, its sub-interfaces go down with it. After this one-to-one correspondence is established, communication between the VLANs is complete: testing the VLAN ports shows everything working normally, and that is one-arm routing. To help you understand single-arm routing better, I found a diagram; let's look at it below.
[Figure: 5.png, router-on-a-stick diagram with vlan10 and vlan20 behind fa0/0; image at Http://s1.51cto.com/wyfs02/M01/7E/05/wKiom1b09bugDU3iAAGvAvf0lXI567.png]
In theory vlan10 and vlan20 cannot ping each other, but by introducing single-arm routing their interconnection can be achieved. (In layman's terms, fa0/0 provides multiple gateways through its sub-interfaces.)
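The post stresses that the sub-interface name, its VLAN tag, its zone and its gateway subnet must line up with the matching vlanif on sw-a. The following is an added example, not code from the original post or from Juniper: a small Python helper that renders the ScreenOS commands shown above from a VLAN plan and checks those correspondences before anything is typed into the firewall. The plan data is constructed to mirror the post (ethernet0/1.1 for vlanif2, ethernet0/1.2 for vlanif3); the only ScreenOS syntax it emits is the `set interface ... tag/zone`, `ip` and `nat` form used on the page, and the "third octet equals VLAN tag" check is just the page's own 10.10.<vlan>.1/24 addressing convention, switchable off.

```python
# Added example (not from the original post or from Juniper): render the
# ScreenOS sub-interface commands from a plan and check the correspondences the
# post warns about (name, VLAN tag, zone, gateway subnet vs. the switch vlanif).
# Assumptions: the plan below is constructed; only the commands shown on the
# page are emitted.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubIf:
    parent: str     # physical interface the sub-interface hangs off, e.g. "ethernet0/1"
    unit: int       # number after the dot in the sub-interface name
    vlan_tag: int   # 802.1Q tag the downstream trunk must carry for this VLAN
    zone: str       # ScreenOS security zone
    gateway: str    # gateway address with prefix length, e.g. "10.10.2.1/24"

    @property
    def name(self) -> str:
        return f"{self.parent}.{self.unit}"


# Constructed plan mirroring the post: ethernet0/1.1 is the gateway for vlanif2,
# ethernet0/1.2 for vlanif3; both sit in zone Trust and run in NAT mode.
PLAN = [
    SubIf("ethernet0/1", 1, 2, "Trust", "10.10.2.1/24"),
    SubIf("ethernet0/1", 2, 3, "Trust", "10.10.3.1/24"),
]


def validate(plan, tag_in_third_octet=True):
    """Return a list of problems found in the plan (empty list == consistent).

    tag_in_third_octet enforces the addressing convention used on the page
    (10.10.<vlan>.1/24), so a tag/subnet mix-up is caught before it is typed in.
    """
    problems = []
    names = set()
    tag_owner = {}   # vlan_tag -> sub-interface name that already uses it
    nets = []        # (name, network) seen so far, for overlap checks
    for s in plan:
        if s.name in names:
            problems.append(f"{s.name}: duplicate sub-interface name")
        names.add(s.name)
        if not 1 <= s.vlan_tag <= 4094:
            problems.append(f"{s.name}: VLAN tag {s.vlan_tag} outside 802.1Q range 1-4094")
        elif s.vlan_tag in tag_owner:
            problems.append(f"{s.name}: VLAN tag {s.vlan_tag} already used by {tag_owner[s.vlan_tag]}")
        else:
            tag_owner[s.vlan_tag] = s.name
        try:
            iface = ipaddress.ip_interface(s.gateway)
        except ValueError:
            problems.append(f"{s.name}: invalid gateway address {s.gateway!r}")
            continue
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{s.name}: {iface.ip} is the network or broadcast address")
        if tag_in_third_octet and iface.version == 4 and iface.ip.packed[2] != s.vlan_tag:
            problems.append(f"{s.name}: third octet of {iface.ip} does not match VLAN tag {s.vlan_tag}")
        for other, net in nets:
            if net.overlaps(iface.network):
                problems.append(f"{s.name}: subnet {iface.network} overlaps {net} on {other}")
        nets.append((s.name, iface.network))
    return problems


def render(plan):
    """Render the ScreenOS commands for each sub-interface, in the page's order."""
    lines = []
    for s in plan:
        lines.append(f'set interface {s.name} tag {s.vlan_tag} zone "{s.zone}"')
        lines.append(f"set interface {s.name} ip {s.gateway}")
        lines.append(f"set interface {s.name} nat")
    return lines


if __name__ == "__main__":
    issues = validate(PLAN)
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(render(PLAN)))
```

Both sub-interfaces in this plan sit in the Trust zone, which is exactly why the post says the VLANs are interconnected unless a policy is made: ScreenOS permits traffic between interfaces of the same zone by default. If the VLANs are meant to be separated by policy, either place them in different zones or enable intra-zone blocking on the zone (`set zone Trust block` in ScreenOS; this command is not on the page) and then write explicit policies between them.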
This article is from the "Allen on the road: from zero to one" blog; please contact the author before reprinting!
JUNIPER-SSG Series Sub-interface (one-arm routing) configuration (end)