VLAN setup with routing via SSG5 is this setup correct?

  • Hi there, I need expert help on VLANs (HP ProCurve 2810 switches) and routing of VLAN traffic via our Juniper SSG5 firewall. I am a beginner when it comes to routing/firewalls and VLANs. This is probably a pretty simple setup for most of you…

    We are a separate organization apart from the rest of the company.
    Our building/organization has a Juniper SSG-5 firewall that is also connected via a
    fiber converter to the rest of the company. On our LAN we have a windows domain called:
    REED.LOCAL, the workstations that are part of the Default VLAN are members of this domain.

    On our LAN we have 3 switches, 2 HP ProCurve 2810 and a Cisco Linksys switch.
    On the 3 switches I want to have 2 VLANs made available, CSC and APC; the equipment on
    these VLANs will NOT be a member of my REED.LOCAL domain. All of them are, as expected, in their own subnet.

    My idea is this:
    To have one of the ProCurve switches as the “MAIN SWITCH” and
    uplink the 2 other switches to this “MAIN SWITCH”; the servers on my LAN will be on the “MAIN SWITCH”.
    For routing between the VLANs we have the Juniper SSG5 firewall.
    I want only the “MAIN SWITCH” to have an uplink cable to the firewall, which should
    function as a router for the VLANs that are active on all of my switches and also for my internet traffic etc.

    I want the VLANs on all the different switches to be able to route using the firewall.
    Extra requirement: the VLAN that is called APC is meant for separating workstations that should be able to join a Windows domain called APC.RO. This domain and its servers actually reside on the other side of the firewall and these are NOT in ANY VLAN. However, I want the workstations in my APC VLAN to be able to communicate with every (APC.RO domain member) workstation and server of that domain on the other side of the Juniper firewall.

    I think that I should create 2 different subinterfaces on the “uplink” port on the Juniper firewall, one for APC that is in the security zone APC and one for CSC that is in the security zone CSC. Not sure if the traffic from the default VLAN should also have a separate subinterface?

    Later on, if there is a budget, we want to replace the UTP uplinks with the miniGBIC.

    Will this setup work this way (see also picture)?
    What exactly should the setup look like?
    Tagging of uplink ports?
    Gateways to be filled in on the switches for the VLANs? Each VLAN is in its own subnet, and I can only
    fill in one gateway on the ProCurve switch, so which one? The default VLAN subnet? Will traffic
    for the different VLANs arrive at the right destination on the firewall?
    Do I need to enable Spanning Tree Protocol?
    If so, do I need to configure Spanning Tree Protocol in any way, or is just
    enabling it on all switches enough?
    Will the setup on the firewall work or is there additional work to be done?

    Hope you can help me out with this setup, thanks,
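
The questions above about uplink tagging, per-VLAN gateways and whether traffic for each VLAN actually reaches the firewall can be checked mechanically before touching any switch. The following is an added example, not code from the thread or from either vendor: a small plan checker that takes a VLAN table and the uplinks between switches and the firewall, and reports gateways outside their subnet, overlapping subnets, uplinks whose two ends disagree on which VLANs they carry, and switches that have no tagged path to the firewall for a VLAN they host. The switch names, VLAN ids, TEST-NET addresses and link definitions are constructed placeholders that only mirror the layout described in the post.

```python
"""Sanity checker for a multi-switch VLAN design routed through one firewall trunk.

Added example, not code from the thread. Switch names, VLAN ids, subnets and
link definitions are constructed placeholders mirroring the poster's description
(a MAIN switch with two uplinked switches, Default/CSC/APC VLANs, one uplink
from MAIN to the firewall); none of them are real values.
"""
from __future__ import annotations

import ipaddress
from collections import deque
from dataclasses import dataclass

FIREWALL = "FW"  # assumed name of the routing device (the SSG5 in the thread)


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: str
    gateway: str | None      # firewall subinterface address for this VLAN, if any
    on_switches: frozenset   # switches that have access ports in this VLAN


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    vlans_a: frozenset   # VLANs carried (tagged or native) on a's port
    vlans_b: frozenset   # VLANs carried on b's port


def reachable(start, goal, vid, links):
    """Breadth-first search over links that carry `vid` on BOTH ends."""
    adj = {}
    for l in links:
        if vid in l.vlans_a and vid in l.vlans_b:
            adj.setdefault(l.a, set()).add(l.b)
            adj.setdefault(l.b, set()).add(l.a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def check_plan(vlans, links):
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    nets = {}

    # 1. Every VLAN needs a gateway that lies inside its own subnet.
    for v in vlans:
        net = ipaddress.ip_network(v.subnet, strict=False)
        nets[v.vid] = net
        if v.gateway is None:
            findings.append(f"VLAN {v.vid} {v.name}: no router interface, cannot reach other VLANs")
        elif ipaddress.ip_address(v.gateway) not in net:
            findings.append(f"VLAN {v.vid} {v.name}: gateway {v.gateway} is outside {net}")

    # 2. Subnets must not overlap, or the firewall's routing becomes ambiguous.
    vids = sorted(nets)
    for i, x in enumerate(vids):
        for y in vids[i + 1:]:
            if nets[x].overlaps(nets[y]):
                findings.append(f"VLAN {x} and VLAN {y}: subnets {nets[x]} and {nets[y]} overlap")

    # 3. Both ends of every uplink must agree on which VLANs they carry.
    for l in links:
        for vid in sorted(l.vlans_a ^ l.vlans_b):
            findings.append(f"link {l.a}-{l.b}: VLAN {vid} carried on one end only")
        for vid in sorted((l.vlans_a | l.vlans_b) - set(nets)):
            findings.append(f"link {l.a}-{l.b}: VLAN {vid} is not defined")

    # 4. Each switch hosting a VLAN needs an end-to-end path to the firewall.
    for v in vlans:
        for sw in sorted(v.on_switches):
            if not reachable(sw, FIREWALL, v.vid, links):
                findings.append(f"VLAN {v.vid} {v.name}: no tagged path from {sw} to {FIREWALL}")
    return findings


# Constructed sample plan (TEST-NET addresses) with two deliberate mistakes.
VLANS = (
    Vlan(1, "Default", "192.0.2.0/24", "192.0.2.1", frozenset({"MAIN", "SW2", "SW3"})),
    Vlan(10, "CSC", "198.51.100.0/24", "198.51.100.1", frozenset({"MAIN", "SW2", "SW3"})),
    Vlan(20, "APC", "203.0.113.0/24", "203.0.114.1", frozenset({"SW2", "SW3"})),  # gateway typo
)
LINKS = (
    Link("MAIN", "SW2", frozenset({1, 10, 20}), frozenset({1, 10, 20})),
    Link("MAIN", "SW3", frozenset({1, 10, 20}), frozenset({1, 10, 20})),
    Link("MAIN", FIREWALL, frozenset({1, 10, 20}), frozenset({1, 10})),  # FW side lacks VLAN 20
)

if __name__ == "__main__":
    for line in check_plan(VLANS, LINKS):
        print(line)
```

Running it on the constructed plan reports the mistyped APC gateway, the trunk to the firewall that carries VLAN 20 on the switch side only, and, as a consequence, that SW2 and SW3 have no path to the firewall for APC traffic; fixing the gateway and the firewall-side port list makes the checker return nothing.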


  • Thank you for your reply! A year later, I did manage to get a better understanding of the Juniper firewall. I am by no means an expert, but I now have enough knowledge to accomplish what is necessary for the job. I think I did ask too many questions, as I was confused; too many new topics to cover. I’m fine now, thanks again for taking the time to respond!

  • I cannot believe nobody answered your post for almost a year!  😮
    That must be laziness, or despise or ignorance…  😐
    Or you have asked too many questions for a novice.  😄

    In case you gave up, here are some answers from me.
    1. SSG-5 is an edge firewall, it is not for “router on a stick” configuration.
    2. There’s no tagging on its ports. It simply can’t - it’s a VLAN per port. Hence 1. You have to route on a stick somewhere else; SSG5 can transparently accept the packets but it will forward them based on routing, not tagging. And possible return packets will not be tagged.
    3. Did you mention a VLAN for your REED.LOCAL? Or do you want it isolated, on a separate equipment?
    4. Joining a Windows AD is a user privilege, nothing to do with your network.
    Unfortunately I see no picture attached, but…
    5. Gateways for VLAN management addresses have to correspond to your routing design and possible manager’s network.
    6. STP is not needed in your case, IMHO - you do not have loops. (sorry, no picture)
    And most of all,
    7. There are no business objectives defined - what do you want to achieve and why? (not HOW, and just verifying if it’s right or not)  8-)