Can the 5GT support two untrust IP addresses?

  • Hi,
    Does anyone know if the 5GT can support 2 IP addresses on the untrust interface?

    Basically, my ISP is going to give me 2 external fixed IP addresses, and I’m not sure if the 5GT can support it.

  • Netscreen implementation of sub-interfaces assumes that you are not using the physical interface IP and that you have VLAN tagging configured on your upstream switch. To get what you need working, try adding a secondary IP instead. This should be pretty simple and allow the Netscreen to respond to both subnets at the same time, which is what I think you want.

  • I’m in a similar situation with a 5GT. We just purchased another IP range from our ISP. We need to be able to use these IPs with IP forwarding from the Internet to private IPs internally. This is very easy, and has already been done on the primary UNTRUST interface.

    I attempted to do this by creating a sub-interface on the UNTRUST interface. It was automatically labeled UNTRUST.1. My problem is that I can’t get any traffic between the ISP’s Adtran router and the UNTRUST.1 sub-interface.

    I believe I’ve ruled out problems related to the Adtran router, as I disconnected the Netscreen 5GT from it, and plugged in a laptop with the same IP address as the 5GT’s sub-interface, and surfed the web fine….

    I’ll post this as a new question, as well, but thought that you might have some insight based on your success.

    Thank you in advance!

  • Thanks to all for replying.

  • Engineer

    ECMP = Equal Cost Multi-Path routing. Introduced in 5.1.

    It allows you to define multiple routes with the same cost. One application of this is to use dual untrust, where both interfaces can be active at the same time.

  • Engineer

    BTW, what is ECMP?

  • Engineer

    … and enabling ECMP

  • vlho, thanks for the reply.

    I also found out that it is possible (ScreenOS 5.1 and later), using Dual-Untrust mode but disabling failover.

    • surely by MIP
    • possibly by subinterface