With regards to Sub-Interfaces on a router for VLAN (Dot1q) Traffic.... I have not been able to, nor will I be able to, complete a wireshark trace to confirm how this works:-

Obviously, the Packet arrives at the router on the sub-interface, and that packet will have the dot1q tag attached. My understanding, and also a CCIE friend of mine think that the only device that can strip the Tag is a layer 2 egress port (Access port for the VLAN). So, if that is the case, how does the router read the network address from the packet if it is encapsulated with a Tag? Does it read behind the tag or does it strip the tag, read the address and then re-tag the packet?

Presumably the router is connected to a 802.1q port on a layer-2 switch that presents multiple VLANs to it, each tagged with an 802.1q header. For example the switch is trunking VLAN 10 & 20 to the router with the configurationThe router would then be configured like this:The router knows that traffic arriving with an 802.1q tag of 10 is handled by interface FastEthernet0.10 and traffic with a tag of 20 is handled by FastEthernet0.20. Packets arriving without a tag or a tag other than 10 or 20 is dropped.

Andy

No, the router is connected to a Juniper SSG20 which is connected to a Juniper SSG140. There is a trunk between the 2 Junipers but then the DHCP packets are routed out of a single interface to the Routers interface.

Basically, we have it working now with 1 network but have yet to test with multiple people utilising different networks getting DHCP addresses at the same time.

As I was on a particular network and it supplied the correct address range then I think it will work, but just need to test.

Thanks. If I was a utilising a router on a stick then your answer is perfectly correct.

I would have thought that as 802.1q defines a frame header, and as the router handles packets, the packets contain no tag in relation to the VLAN they belong to and so this traffic has no tagging except at Layer2.

Hi Vince,

Yes, agreed. The trunk is like this:-

SSG140 -- Trunk -- SSG20 ---normal -- 1721

So the tag gets stripped off at the SSG20 and then a normally routed packet gets sent to the 1721.

Having tested different networks today with the DHCP pools on the 1721, it does seem to recognise the different ranges and supplies the correct addresses to the correct VLANs.

The connection has to be
SSG140 -- Trunk -- SSG20 --- dot1q trunk -- 1721
Use Andy's example to illustrate, EXCEPT you need to add (using his vlan numbering):

interface FastEthernet0.1
encapsulation dot1Q 4002
You can put an IP address on the interface if you want.

Igor

Correction:

interface FastEthernet0.1
encapsulation dot1Q 4002 native

I'm not clear on why you would need to trunk any VLANs in that scenario.
Links between firewalls and routers should be routed links, otherwise you are going to get yourself into a bit of a design mess with VLANs spanning past Layer3 devices when they probably shouldn't.

DHCP doesn't need VLANs to supply IP addresses to unconnected subnets: you need IP-Helper/DHCP forwarder configs for that.

If you're saying you have a subnet to the left of the SSG140 and the 1721 has the DHCP scope for it, then your GW address for that subnet should be on the SSG140 with IP helper to pass the DHCP requests on.

Probably raises the quesiton of why is the 1721 doind your DHCP - might be better to do it elsewhere?

Hi Vince

Totally agree. As the 1721 is acting purely as a dirty DHCP (We will be utilising this in a different manner at a later stage) then the trunk only needs to be between the Interfaces on the Firewalls using sub-ints. From the SSG20 to the 1721 needs to be routed. The 1721 recognises the differing network ranges without the need of sub-ints on it and dot1q.

The SSG20 handles the routing of traffic to the "Dirty" network once the DHCP has assigned the IP address. The SSG140 handles the "Corporate" network traffic, so we have clearly defined boundaries between dirty and corporate.

Thanks all for the help on this. Very much appreciated.