SRX


Do we still need to put secondary ip on srx same as netscreen?

  • 1.  Do we still need to put secondary ip on srx same as netscreen?

    Posted 10-10-2017 00:21

    Hi All,

     

    Let's say the current ScreenOS config has a secondary IP on an interface. The purpose of this secondary IP is that the current public IP address on the interface is already full. In other words, it is intended for MIP. Example below:

     

    set interface ethernet2/1.420:1 ip 40.30.20.1 255.255.255.240

    set interface ethernet2/1.420:1 ip 40.30.31.70 255.255.255.240 secondary

    set interface ethernet2/1.420:1 ip 50.70.31.70 255.255.255.240 secondary

     

     

    So on SRX, do we also need to put a secondary IP on that interface? Or do we just create the pool under source-nat / destination-nat?

     

    Thanks and appreciate any feedback



  • 2.  RE: Do we still need to put secondary ip on srx same as netscreen?

    Posted 10-10-2017 00:30

    Hi,

     

    You will still need to do the address definition outside of nat-rules.

     

    There are two ways to solve this: defining extra IPs on the interface as on ScreenOS or do proxy-arp for the extra addresses.

     

    Example with extra IP - preferred defines which IP will be used as source if traffic is generated from the device and no specific source is defined.

     

    jonas@fw# show interfaces ge-0/0/2.10
    vlan-id 10;
    family inet {
        address 10.10.10.2/24;
        address 10.10.10.1/24 {
            preferred;
        }
    }
    
    

    Example with proxy-arp. There you would only have 10.10.10.1/24 defined on ge-0/0/2.10

     

    jonas@fw# show security nat proxy-arp
    interface ge-0/0/2.10 {
        address {
            10.10.10.3/32 to 10.10.10.5/32;
        }
    }
    

    I hope this clarifies 🙂


    #SRX
    #proxy-arp
    #NAT
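
Added example, not part of the original thread: a Python helper that sorts NAT addresses into those already configured on the interface (the first method above), those that need a proxy-arp entry (the second method), and those outside the interface subnets. The function name and sample addresses are constructed for illustration, and it assumes IPv4 and the usual rule that proxy-arp is needed only for NAT addresses inside an interface subnet that are not configured on the interface itself.

```python
import ipaddress


def plan_proxy_arp(ifname, if_addrs, nat_addrs):
    """Return (set_commands, on_interface, off_link) for one logical interface.

    if_addrs:  addresses configured on the interface, e.g. ["10.10.10.1/24"]
    nat_addrs: addresses used by static/source/destination NAT rules
    """
    ifaces = [ipaddress.ip_interface(a) for a in if_addrs]
    own = {i.ip for i in ifaces}            # the device already answers ARP for these
    nets = [i.network for i in ifaces]      # directly connected subnets

    need, on_interface, off_link = [], [], []
    for addr in sorted({ipaddress.ip_address(a) for a in nat_addrs}):
        if addr in own:
            on_interface.append(str(addr))  # extra-IP method: nothing more to do
        elif any(addr in n for n in nets):
            need.append(addr)               # on-link but unowned: needs proxy-arp
        else:
            off_link.append(str(addr))      # not on-link: ARP is not involved here

    # Collapse consecutive addresses into "a/32 to b/32" ranges, as in the
    # proxy-arp stanza shown in the post above.
    cmds, i = [], 0
    while i < len(need):
        j = i
        while j + 1 < len(need) and int(need[j + 1]) == int(need[j]) + 1:
            j += 1
        rng = f"{need[i]}/32" if i == j else f"{need[i]}/32 to {need[j]}/32"
        cmds.append(f"set security nat proxy-arp interface {ifname} address {rng}")
        i = j + 1
    return cmds, on_interface, off_link


if __name__ == "__main__":
    # Constructed sample: interface as in the proxy-arp example, plus NAT addresses.
    nat = ["10.10.10.3", "10.10.10.4", "10.10.10.5", "10.10.10.9",
           "10.10.10.1", "192.0.2.10"]
    cmds, owned, off = plan_proxy_arp("ge-0/0/2.10", ["10.10.10.1/24"], nat)
    print("\n".join(cmds))
    print("already on interface:", owned)
    print("outside interface subnets:", off)
```
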


  • 3.  RE: Do we still need to put secondary ip on srx same as netscreen?

    Posted 10-10-2017 00:56

    Hi ,

     

     

    So in simple words, all the new segments (segment IPs) will be assigned proxy-arp, right? If I choose the first method, I don't need any proxy-arp?

     

    Thanks and appreciate your clarification.



  • 4.  RE: Do we still need to put secondary ip on srx same as netscreen?
    Best Answer

    Posted 10-10-2017 01:31

    Hi