[ScreenOS] How many Secondary IP address blocks can the firewall support?


Article ID: KB14216
KB Last Updated: 18 Dec 2017
Version: 4.0
Summary:
This article provides information about the number of secondary IP address blocks that can be supported by a firewall.
 
Symptoms:
Multiple Secondary IP address blocks can be configured, but how many can the device actually support?

Sample configuration via the CLI:
(M)-> get conf | i secondary
set interface ethernet0/1 ip 192.168.51.1 255.255.255.0 secondary
set interface ethernet0/1 ip 192.168.52.1 255.255.255.0 secondary
set interface ethernet0/1 ip 192.168.53.1 255.255.255.0 secondary
set interface ethernet0/1 ip 192.168.54.1 255.255.255.0 secondary
Solution:
For ScreenOS versions 5.0 to 6.3, the values are as follows:

Platform                     No. of supported Secondary address blocks
NS-ISG1000                   500
NS-ISG2000                   1000
NS100                        100
NS500                        500
NS5200 and NS5400            1000
NS204 and NS208              100
SSG550 / SSG350              100
SSG140 / SSG320 / SSG520     50
SSG5 and SSG20               25
NS5GT and NS5XT              4

Note: Some of the newer ScreenOS versions are not supported on the older platforms. For more information, refer to the specific Release Notes and product documentation.

Additional Information:

Limitations:

KB5527 - Are there any Limitations of using the Secondary IP address? (Trust & DMZ).


Configuration:

The command line reference to configure the Secondary IP is as follows:
set interface <interface> ip <ip_addr/mask> secondary
get interface <interface> secondary <ip_addr>
For more information, refer to the ScreenOS CLI Reference Guide: IPv4 Command Descriptions 6.3.

Note: The Secondary IP option is not available when the interface belongs to the Untrust zone (as per KB5527 mentioned above).

The Secondary IP link is available when the interface is in the DMZ zone. When the interface is in the Untrust zone, the Secondary IP option is not available.

For more information, refer to KB4293 - Configuring an interface with a Secondary IP address.
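
The following Python script is an added example, not part of the original article or Juniper tooling. It checks a saved or candidate configuration against the limits table and the Untrust-zone restriction described above. It assumes the limit applies to the whole device rather than to each interface, and that the `set interface ... zone ...` lines are present in the configuration text; the sample configuration is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Limits copied from the table in this article (ScreenOS 5.0 to 6.3).
LIMITS = {
    "NS-ISG1000": 500, "NS-ISG2000": 1000, "NS100": 100, "NS500": 500,
    "NS5200": 1000, "NS5400": 1000, "NS204": 100, "NS208": 100,
    "SSG550": 100, "SSG350": 100, "SSG140": 50, "SSG320": 50, "SSG520": 50,
    "SSG5": 25, "SSG20": 25, "NS5GT": 4, "NS5XT": 4,
}
# Interface and zone names may or may not be quoted in saved configurations.
SECONDARY = re.compile(r'^set interface "?([^"\s]+)"? ip (\S+)(?: (\S+))? secondary$')
ZONE = re.compile(r'^set interface "?([^"\s]+)"? zone "?([^"]+?)"?$')

# Constructed candidate configuration (not taken from a real device).
SAMPLE = """\
set interface ethernet0/1 zone DMZ
set interface ethernet0/1 ip 192.168.51.1 255.255.255.0 secondary
set interface ethernet0/1 ip 192.168.52.1 255.255.255.0 secondary
set interface ethernet0/1 ip 192.168.53.1 255.255.255.0 secondary
set interface ethernet0/1 ip 192.168.54.1 255.255.255.0 secondary
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 192.168.55.1/24 secondary
"""

def audit(config_text, platform):
    """Return (count, limit, findings) for one device's configuration text."""
    zones, blocks = {}, defaultdict(list)
    for line in map(str.strip, config_text.splitlines()):
        if m := ZONE.match(line):
            zones[m.group(1)] = m.group(2)
        elif m := SECONDARY.match(line):
            # Accept both "addr mask" and "addr/prefix" forms.
            spec = m.group(2) if m.group(3) is None else f"{m.group(2)}/{m.group(3)}"
            blocks[m.group(1)].append(ipaddress.ip_interface(spec).network)
    count = sum(len(nets) for nets in blocks.values())
    limit = LIMITS[platform]  # assumption: the limit is per device
    findings = []
    if count > limit:
        findings.append(f"{count} secondary blocks exceed the {platform} limit of {limit}")
    for ifname, nets in blocks.items():
        if zones.get(ifname, "").lower() == "untrust":
            findings.append(f"{ifname} is in the Untrust zone but has {len(nets)} secondary block(s)")
    return count, limit, findings

if __name__ == "__main__":
    print(audit(SAMPLE, "NS5GT"))
```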
Modification History:
2017-12-07: Article reviewed for accuracy. Edited links to show 6.3.0 documentation. Corrected links that were not working. Article is correct and complete.