First:
[Image 1.png: http://s3.51cto.com/wyfs02/M02/6E/7E/wKioL1V-hYWjsz4IAAIEV-U82q8049.jpg]
III. Analysis and pre-planning
Planning as in the diagram above.
Analysis of the customer's tentative topology, whose goal is multi-VLAN communication: port G0/0/48 on sw-a has been made a trunk. In theory sw-a only lets 10.10.0.X/24 hosts through, and the Juniper firewall can ping vlanif1-6. That is exactly the problem: only 10.10.0.X/24 hosts can reach the Juniper device through that port without further configuration. So this is a case for single-arm routing!! (*^__^*)
"Single-arm routing: a definition primer"
Single-arm routing (router-on-a-stick) means configuring sub-interfaces (also called "logical interfaces"; they are not real physical interfaces) on one router interface so that VLANs (virtual local area networks) that are otherwise isolated from each other can communicate. (In this case the device doing the routing is a Juniper firewall, so the VLANs can be kept independent of each other with policies; without a policy they are interconnected.)
Advantages: it achieves communication between different VLANs and helps in understanding and learning the VLAN principle and the sub-interface concept.
Disadvantages: it easily becomes a single point of failure in the network, the configuration is slightly complex, and its practical significance is limited.
IV. Firewall configuration:
The WEB UI configuration is as follows:
Step 1: from the drop-down, select Sub-IF
[Image 2.png: http://s3.51cto.com/wyfs02/M01/6E/82/wKiom1V-hFSCaKEjAACfICwghT8667.jpg]
Step 2: fill in the parameters
[Image 3.png: http://s3.51cto.com/wyfs02/M02/6E/7E/wKioL1V-hhXRBYutAAGmAEnhNEc186.jpg]
set interface "ethernet0/1.1" tag 2 zone "Trust"
set interface "ethernet0/1.2" tag 3 zone "Trust"   # create sub-interfaces on e0/1 and assign the VLAN tags
set interface ethernet0/1.1 ip 10.10.2.1/24         # IP configuration
set interface ethernet0/1.1 nat
set interface ethernet0/1.2 ip 10.10.3.1/24         # IP configuration
set interface ethernet0/1.2 nat
(Note: the interface, the zone and the VLAN tag must match each other; here 10.10.2.1/24 is vlanif2 on sw-a, so the two must correspond.) Click OK; the output is shown below.
[Image 4.png: http://s3.51cto.com/wyfs02/M00/6E/7E/wKioL1V-hkrz36eTAAGDehKtemE688.jpg]
Note that once a sub-interface is created it is up by default, and once the main interface goes down the sub-interface goes down with it. After this one-to-one correspondence is set up, communication between the VLANs is complete. Testing the VLAN ports shows they work normally; this is single-arm routing. To help you understand single-arm routing better, I found a diagram; see below.
[Image 5.png: http://s3.51cto.com/wyfs02/M01/6E/7E/wKioL1V-hmniFBAwAAER3N2Pctw849.jpg]
In theory vlan10 and vlan20 cannot ping each other, but by introducing single-arm routing they can be interconnected. (In layman's terms, multiple gateways are created on fa0/0 by means of sub-interfaces.)
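As an added illustration (not code from the original post), the following Python simulation shows what the sub-interfaces actually do with a frame: the switch trunk delivers 802.1Q-tagged frames to one physical port, the firewall picks the sub-interface by VLAN ID, routes between the two subnets, and sends the frame back out the same port carrying the other VLAN's tag. The tag-to-subnet mapping (tag 2 = 10.10.2.0/24, tag 3 = 10.10.3.0/24) is taken from the post; the MAC addresses, host IPs and the static ARP table are constructed, and TTL and checksum handling are not modelled. Frames whose source address does not belong to the ingress VLAN's subnet are dropped, which is the check a gateway on a trunk should make before routing.

```python
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Sub-interfaces on the firewall's single physical port, mirroring the post:
#   set interface ethernet0/1.1 tag 2 zone Trust / ip 10.10.2.1/24
#   set interface ethernet0/1.2 tag 3 zone Trust / ip 10.10.3.1/24
SUBIFS = {
    2: {"name": "ethernet0/1.1", "addr": ipaddress.ip_interface("10.10.2.1/24")},
    3: {"name": "ethernet0/1.2", "addr": ipaddress.ip_interface("10.10.3.1/24")},
}

# Constructed values, not from the post: the firewall's MAC and a static
# "ARP table" with one host in each VLAN.
FW_MAC = bytes.fromhex("0200deadbe01")
HOST_MACS = {
    "10.10.2.10": bytes.fromhex("0200deadbe10"),
    "10.10.3.20": bytes.fromhex("0200deadbe20"),
}


def build_tagged_frame(dst_mac, src_mac, vlan_id, src_ip, dst_ip):
    """Ethernet header + 802.1Q tag + a minimal IPv4 header (ICMP, no payload)."""
    tci = vlan_id & 0x0FFF                      # PCP=0, DEI=0, 12-bit VLAN ID
    eth = dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4)
    ip4 = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20, 0, 0, 64, 1, 0,  # ver/IHL, TOS, len, id, flags+frag, TTL, proto, csum
                      ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    return eth + ip4


def parse_tagged_frame(frame):
    """Extract the fields the firewall needs; reject anything that is not tagged IPv4."""
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != ETHERTYPE_8021Q:
        raise ValueError("untagged frame on the trunk port")
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is simulated")
    return {
        "dst_mac": frame[0:6],
        "src_mac": frame[6:12],
        "vlan_id": tci & 0x0FFF,
        "src_ip": str(ipaddress.ip_address(frame[30:34])),   # IPv4 header starts at offset 18
        "dst_ip": str(ipaddress.ip_address(frame[34:38])),
    }


def forward(frame):
    """One pass through the router-on-a-stick: demux on tag, route, re-tag.

    Returns (egress sub-interface name, egress frame), or None when the frame is dropped.
    """
    f = parse_tagged_frame(frame)
    ingress = SUBIFS.get(f["vlan_id"])
    if ingress is None:
        return None                               # VLAN tag with no sub-interface
    if ipaddress.ip_address(f["src_ip"]) not in ingress["addr"].network:
        return None                               # source address does not belong to this VLAN
    if f["dst_mac"] != FW_MAC:
        return None                               # not sent to the gateway; nothing to route
    dst_ip = ipaddress.ip_address(f["dst_ip"])
    for vid, egress in SUBIFS.items():
        if vid != f["vlan_id"] and dst_ip in egress["addr"].network:
            next_hop = HOST_MACS.get(f["dst_ip"])
            if next_hop is None:
                return None                       # no ARP entry in the constructed table
            out = build_tagged_frame(next_hop, FW_MAC, vid, f["src_ip"], f["dst_ip"])
            return egress["name"], out
    return None                                   # no connected route for the destination


if __name__ == "__main__":
    frame = build_tagged_frame(FW_MAC, HOST_MACS["10.10.2.10"], 2, "10.10.2.10", "10.10.3.20")
    name, out = forward(frame)
    print(name, parse_tagged_frame(out)["vlan_id"])   # ethernet0/1.2 3
```

The point to notice is that the frame enters and leaves on the same physical port; only the VLAN ID in the tag changes, which is why one trunk link is enough and also why that link is the single point of failure the post mentions.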
V. Review of implementation
Single-arm routing has long been used in small and medium-sized enterprises: when the enterprise has no budget for a layer-3 switch, multi-VLAN interoperability is achieved through a layer-2 switch.
The delivery was completed. Because the customer needs inter-VLAN interoperability, I did not configure policies here; below is a brief introduction to policy configuration on the SSG series.
The two network segments are forbidden from accessing each other; this can be added according to actual needs.
set policy id 35 from "Trust" to "Trust" "10.10.2.1/24" "10.10.3.1/24" "ANY" deny log
set policy id 35
exit
set policy id 34 from "Trust" to "Trust" "10.10.3.1/24" "10.10.2.1/24" "ANY" deny log
set policy id 34
exit
Then configure the Untrust-to-Trust access policies; the segments are independent of each other, and each can be given its own security policy:
set policy id 36 from "Untrust" to "Trust" "Any" "10.10.2.1/24" "ANY" deny log
set policy id 36
exit
set policy id 37 from "Untrust" to "Trust" "Any" "10.10.3.1/24" "ANY" deny log
set policy id 37
exit
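The policy section is the security-relevant part of this design: both VLANs sit in the same zone, so, as the post says, without an explicit deny they are interconnected, and a sub-interface whose tag does not match the switch's VLAN puts a gateway into the wrong broadcast domain. The following Python script is an added example, not the post's code or Juniper's. It reads ScreenOS-style `set interface` / `set policy` lines like the ones above, checks each sub-interface's tag against a constructed table of the switch's VLAN-to-subnet assignment (vlanif2 and vlanif3, as stated in the post), and checks that the first policy matching each pair of same-zone subnets is a deny, since ScreenOS evaluates its policy list top-down. The embedded sample configuration is the post's own commands, normalized; it parses only the command forms shown on this page.

```python
import ipaddress
import re

# Regexes for the three command forms used on the page (ScreenOS syntax).
IFACE_TAG_RE = re.compile(r'^set interface "?([\w/.]+)"? tag (\d+) zone "?(\w+)"?', re.I)
IFACE_IP_RE = re.compile(r'^set interface "?([\w/.]+)"? ip (\S+)$', re.I)
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "(\w+)" to "(\w+)" "([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)', re.I)

# Sample input: the post's own sub-interface and policy commands, normalized.
CONFIG = """
set interface "ethernet0/1.1" tag 2 zone "Trust"
set interface "ethernet0/1.2" tag 3 zone "Trust"
set interface ethernet0/1.1 ip 10.10.2.1/24
set interface ethernet0/1.1 nat
set interface ethernet0/1.2 ip 10.10.3.1/24
set interface ethernet0/1.2 nat
set policy id 35 from "Trust" to "Trust" "10.10.2.1/24" "10.10.3.1/24" "ANY" deny log
set policy id 34 from "Trust" to "Trust" "10.10.3.1/24" "10.10.2.1/24" "ANY" deny log
""".strip().splitlines()

# Constructed table of what sw-a carries on each VLAN (vlanif2 / vlanif3 per the post).
SWITCH_VLANS = {2: "10.10.2.0/24", 3: "10.10.3.0/24"}


def parse_subinterfaces(lines):
    """Return {name: {"tag", "zone", "net"}} for dotted sub-interfaces with tag and address."""
    subifs = {}
    for line in lines:
        m = IFACE_TAG_RE.match(line)
        if m:
            entry = subifs.setdefault(m[1], {})
            entry["tag"] = int(m[2])
            entry["zone"] = m[3].lower()
            continue
        m = IFACE_IP_RE.match(line)
        if m:
            subifs.setdefault(m[1], {})["net"] = ipaddress.ip_interface(m[2]).network
    return {n: s for n, s in subifs.items() if "." in n and "tag" in s and "net" in s}


def parse_policies(lines):
    """Return policies in list order, which is the order ScreenOS evaluates them."""
    policies = []
    for line in lines:
        m = POLICY_RE.match(line)
        if m:
            policies.append({"id": int(m[1]), "from": m[2].lower(), "to": m[3].lower(),
                             "src": m[4], "dst": m[5], "svc": m[6], "action": m[7].lower()})
    return policies


def _addr_covers(entry, net):
    """True if an address-book entry ("Any" or a prefix) contains the whole subnet."""
    if entry.lower() == "any":
        return True
    return ipaddress.ip_network(entry, strict=False).supernet_of(net)


def first_match(policies, src, dst):
    """First policy whose zones and addresses cover src -> dst, or None."""
    for p in policies:
        if (p["from"] == src["zone"] and p["to"] == dst["zone"]
                and _addr_covers(p["src"], src["net"]) and _addr_covers(p["dst"], dst["net"])):
            return p
    return None


def audit(lines, switch_vlans):
    """Return a list of findings; an empty list means tags match and every VLAN pair is denied."""
    subifs = parse_subinterfaces(lines)
    policies = parse_policies(lines)
    findings = []
    for name, s in sorted(subifs.items()):
        expected = switch_vlans.get(s["tag"])
        if expected is None:
            findings.append(f"{name}: tag {s['tag']} has no VLAN on the switch")
        elif ipaddress.ip_network(expected) != s["net"]:
            findings.append(f"{name}: tag {s['tag']} carries {expected} on the switch "
                            f"but {s['net']} on the firewall")
    for a_name, a in sorted(subifs.items()):
        for b_name, b in sorted(subifs.items()):
            if a_name == b_name or a["zone"] != b["zone"]:
                continue
            p = first_match(policies, a, b)
            if p is None or p["action"] != "deny":
                findings.append(f"{a_name} -> {b_name}: intra-zone traffic "
                                f"{a['net']} -> {b['net']} is not denied")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG, SWITCH_VLANS) or ["no findings"]:
        print(finding)
```

Run it against a `get config` dump after changing the switch-side table to match your own vlanif assignments; a mismatch between tag and subnet, or a VLAN pair that falls through to an implicit intra-zone permit, shows up as a finding before anyone tests it with ping.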
This article is from the "From Zero to One" blog; please contact the author before reproducing it!
JUNIPER-SSG Series Sub-interface (single-arm routing) application