Does the IVE support 802.1q trunking? This is the only way I can see it supporting more than 2 vlans over a single interface.
I've got an SA4000 as well and I'm trying to move our NetConnect users off of the same broadcast domain as the IVE's internal port.
The SA does support VLAN trunking if you purchase the IVS license, which I think is pretty cheap if you need this functionality.
You connect the SA to a switchport configured for 802.1 trunking and specify a native VLAN (this will be for the untagged traffic from the SA.) You then configure a VLAN in the network settings on the SA, giving the SA an address in that VLAN and specifying the default gateway for traffic sent to that VLAN.
To send NC traffic to the VLAN, you configure the VLAN/Source IP tab on the General section of the role configuration. All traffic for that role will be sent to that VLAN. The NC address pool must either assign users to the same subnet the VLAN address of the SA is in, or the default gateway router(s) must route the subnets which the NC addresses are in to the VLAN address of the SA, typically using static routes.
Hope this is helpful.
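The address-pool condition described in the post above can be checked before users are moved onto a VLAN. The following is an added example, not part of the thread and not Juniper code; the addresses, role names and function names are constructed for illustration. It assumes you can list the static routes on the VLAN's default gateway router, and it also catches a more specific route that diverts part of a pool away from the SA.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the thread).
SA_VLAN_IF = "10.100.0.10/24"          # SA address configured in the VLAN
POOLS = {                              # NC address pool per role: (first, last)
    "role-a": ("10.100.0.128", "10.100.0.191"),
    "role-b": ("10.200.0.1", "10.200.0.254"),
    "role-c": ("10.201.0.1", "10.201.0.50"),
    "role-d": ("10.202.5.10", "10.202.5.20"),
}
GATEWAY_ROUTES = [                     # static routes on the gateway: (prefix, next hop)
    ("10.200.0.0/24", "10.100.0.10"),
    ("10.201.0.0/24", "10.100.0.11"),  # wrong next hop
    ("10.202.0.0/16", "10.100.0.10"),
    ("10.202.5.0/24", "10.100.0.1"),   # more specific route shadows the /16
]

def _routed_to(block, sa_ip, routes):
    """True if the gateway's longest-prefix match for block points at the SA."""
    covering = [(net, nh) for net, nh in routes if block.subnet_of(net)]
    if not covering:
        return False
    _, best_nh = max(covering, key=lambda r: r[0].prefixlen)
    if best_nh != sa_ip:
        return False
    # A route narrower than the block with another next hop steals part of it.
    return not any(net.subnet_of(block) and net.prefixlen > block.prefixlen
                   and nh != sa_ip for net, nh in routes)

def check_nc_pools(sa_vlan_if, pools, gateway_routes):
    """Classify each pool as 'same-subnet', 'routed' or 'unreachable'."""
    sa = ipaddress.ip_interface(sa_vlan_if)
    routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh))
              for p, nh in gateway_routes]
    verdicts = {}
    for role, (first, last) in pools.items():
        # Split the range into CIDR blocks so each can be matched against routes.
        blocks = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
        if all(b.subnet_of(sa.network) for b in blocks):
            verdicts[role] = "same-subnet"
        elif all(b.subnet_of(sa.network) or _routed_to(b, sa.ip, routes)
                 for b in blocks):
            verdicts[role] = "routed"
        else:
            verdicts[role] = "unreachable"
    return verdicts

if __name__ == "__main__":
    for role, verdict in check_nc_pools(SA_VLAN_IF, POOLS, GATEWAY_ROUTES).items():
        print(f"{role}: {verdict}")
```

A pool reported as unreachable means return traffic for those NC clients would not come back to the SA's VLAN address.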
The port to the SA internal interface on my Cisco switch is configured as -
switchport trunk native vlan 2
switchport trunk allowed vlan 2,100
switchport mode trunk
This allows vlans 2 and 100, and marks untagged traffic as vlan 2. Of course, you could modify the "switchport trunk allowed vlan 2,100" statement to allow any vlans you wanted to carry.
Assignment to VLANs is done on a role basis. So, you need to do the following -
- Create the VLANs
- Create two roles and figure out how you are going to do role-mapping for the realm
- For each role, assign the VLAN in the VLAN/Source IP tab of the General setting for the role
- For each role, define NC Connection profiles which assign the appropriate address pool
Can we do the same thing, but using a DHCP server instead of the Juniper SA local address pool? If yes, how can I do it?
I don't have an IVS license either; how do you change the SA-4000 Internal Port from an Access Port to a Trunk Port?
Thanks in advance
I've never used DHCP with VLANs, but I don't think there is any reason it would not work. I assume the DHCP request would be sent over the VLAN associated with the role.
We tried it and the DHCP request seems to always come from the default internal IP address as source address, not from the VLAN interface assigned by the role mapping.
If we use the Juniper local IP address pool, everything is OK, but when we use a DHCP server, it doesn't work. The user receives the address assigned to his role.
Others have reported in this thread that you get VLAN functionality even if you don't have the IVS license. I don't see the VLAN tab on any of the SAs that I have on which I don't have an IVS license, and I see the tab on all SAs I have which have an IVS license. The description of VLANs in the Admin Guide is within the IVS section. It still is a mystery to me as to how you could define a VLAN if you do not have an IVS license.