Subinterfaces for a topology change - requesting advice

  • We have recently partnered with a company and have a need to allow them access to our network. We plan on using our NS204 to secure this connection, however currently all of our interfaces are in use, so I wanted to reorganize how our network utilized the firewall to free up a port for use by our partner. After some experimenting and no real success I (think I) learned a few things about how to best make this change, but I was hoping for some input from those wiser than I.

    Our current configuration:
    E1 - Trust - Our main office
    E2 - DMZ - Our webservers, etc.
    E3 - Untrust - Internet facing
    E4 - Warehouse - Our main warehouse

    E1 -> Switch -> Clients
    E2 -> Switch -> Servers
    E3 -> Switch -> Router -> Internet
    E4 -> Router -> T1 -> Router -> Switch -> Hosts

    What I tried:
    E1 - Trust
    E1.1 - Warehouse
    E2 - DMZ
    E3 - Untrust
    E4 - Partners

    E1 -> Hub -> Switch -> Clients
    E1.1 -> Router -> T1 -> Router -> Switch -> Hosts (Previously on E4)
    E2 -> Switch -> Servers
    E3 -> Switch -> Router -> Internet

    The problem that I seem to have encountered here, is that E1.1 never comes out of state “Ready”.

    From this I made 2 assumptions.

    1. That I would need to (or at least should) move the Trust zone from E1 onto a subinterface as well as the Warehouse zone.
    2. That I should use a VLAN to separate these subinterfaces instead of a hub.

    So my intent now is to configure it as follows:
    E1 -> VLAN’ed Switch -> E1.1 and E1.2
    E1.1 (VLAN1) -> Switch -> Clients
    E1.2 (VLAN2) -> Router -> T1 -> Router -> Switch -> Hosts
    E2 -> Switch -> Servers
    E3 -> Switch -> Router -> Internet

    Is there anywhere that I can find better documentation on subinterfaces?
    Is this the best way to go about what I am trying to do here?
    Expandability is key, and it seems to me that it would be trivial after this is configured to add additional facilities to the E1 subinterfaces / vlans.

    Thanks for taking the time out to read this!
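The VLAN-tagged layout proposed in the post above, written out as ScreenOS CLI. This is an added example, not configuration from the thread or from Juniper; the VLAN ids (10, 20), the zone name Warehouse, the addresses, and the route toward the warehouse hosts are all assumptions, and lines beginning with # are explanatory comments rather than commands.

```text
# Assumed layout: ethernet1 carries an 802.1Q trunk from the switch with VLAN 10
# (office clients, zone Trust) and VLAN 20 (link to the warehouse router, zone
# Warehouse). Each VLAN is terminated on its own subinterface of ethernet1.

# Custom zone for the warehouse segment (Trust already exists).
set zone name Warehouse

# The physical port itself carries no untagged network; only the subinterfaces
# get addresses.
unset interface ethernet1 ip

# Subinterface per VLAN: the tag is the VLAN id the switch trunk must carry.
set interface ethernet1.1 tag 10 zone Trust
set interface ethernet1.1 ip 10.1.10.1/24
set interface ethernet1.1 route

set interface ethernet1.2 tag 20 zone Warehouse
set interface ethernet1.2 ip 10.1.20.1/30
set interface ethernet1.2 route

# Warehouse hosts sit behind the T1 routers, so the firewall needs a route to
# that network via the router on VLAN 20 (assumed addresses).
set route 10.2.0.0/16 interface ethernet1.2 gateway 10.1.20.2

# Inter-zone traffic is denied until a policy permits it; start narrow and log.
set policy from Trust to Warehouse any any any permit log
set policy from Warehouse to Trust any any any permit log

# Verify state, tag and zone binding of each subinterface.
get interface ethernet1.1
get interface ethernet1.2
```

Adding a further facility is then one more tagged subinterface (ethernet1.3 with its own VLAN id, zone and policies) plus the matching VLAN on the switch trunk. The switch port facing ethernet1 must be configured as a trunk that carries every tag used here; a subinterface on a port that only receives untagged frames (as from a hub) never sees traffic for its VLAN.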

  • Ok, to follow up… I’ve also posted this elsewhere here, but since I left this message here before, what I found out so far about Sub-Interfaces was very minimal. The last Juniper tech that called me back stated what somebody else had told me elsewhere. They are intended for use with VLAN Tagging… Ok… well… my real fix was to use MIPs and appropriate rules… so it was as simple as that! Now I have public IPs from two separate subnets running on my Untrust port.

    I did have some issues getting it to work on our Netscreen. It seems that I’d have to create 2 MIPs and rules for it to start working, then anything I did after that just worked… Hope some of this info helps you with yours.

  • I’m guessing that you never found any better information on Sub-Interfaces… Is this correct?

    I’m trying to add an additional range of IPs to my Untrusted port of a Netscreen 5GT, and am having trouble getting it to communicate with the ISP’s router, which also has its interface configured with 2 IP addresses in different subnets. My primary untrusted port… appropriately titled “UNTRUST”, works fine, but my new sub-Interface, also appropriately titled “UNTRUST.1”, isn’t currently working. I’m working with a Juniper support specialist right now… but this is day 3, and we’ve gotten only far enough to see that for some reason this port has PPPoE encapsulation enabled on it, as viewed from the CLI, but not selected when using the Web Interface…