I'm quite new to Juniper firewalls, and I'm currently testing with a firewall and some L2 switches. The config in my firewall is quite easy:
ge-0/0/0.0 = untrust
ge-0/0/1.0 = trust
config = attached
Basic config, allow http/https and that's it. Now I'm working on my L2 switches and I have these configured in a different VLAN (vlan 10), my clients in vlan 20 and my servers in vlan 30. Because my HP switches are L2, I need to set up vlan routing via the SRX320. Is that possible? And if yes, how? I found some threads, but no luck yet.
Yes, it's possible. You have several options depending on how you want to connect the SRX to the switch:
1) trunk or access port in each vlan -> create irb interfaces for each vlan
2) trunk -> create subinterfaces
3) layer 3 interface in each vlan
The SRX routes by default. There is no additional configuration required.
There are many ways to achieve your requirements. Based on the current connectivity, a quick sample config is given below:
1. Configure the interfaces connected to SRX ge-0/0/1 as trunk and allow client vlan 20
2. Configure the interfaces connected to SRX ge-0/0/0 as trunk and allow server vlan 30
3. Based on the number of vlans you may allow additional vlans and configure the same in the SRX as below:
delete interfaces ge-0/0/1
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 20 vlan-id 20
set interfaces ge-0/0/1 unit 20 family inet address 172.16.0.1/16
delete interfaces ge-0/0/0
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 30 vlan-id 30
set interfaces ge-0/0/0 unit 30 family inet address 192.168.250.5/24
Many thanks for your answers. I'm looking forward to testing them. Hopefully I'm able to work further on my lab on Friday.
But Nellika, I'm not sure why you add ge-0/0/0 to vlan 30 (server vlan). Maybe I need to clarify my network config a little bit further:
What I did without VLAN routing: Internet on ge-0/0/0 (untrust zone)
Internal network on ge-0/0/1, voila, works fine 🙂
What I'd like to have:
Internet: 1 single IP address assigned to the ISP router, so I created a DMZ (192.168.250.x) connected to the HP ProCurve L2 switch, and ge-0/0/0 is connected to the same switch. So this needs to be a DMZ with 2 ports in a DMZ vlan (ISP router untagged, SRX320 tagged?)
ge-0/0/1 connected to the same switch: trusted network.
But then my L3 issue: I need to route traffic between the following VLANs
VLAN 10 (switches 172.16.1.x/24)
VLAN 20 (clients 172.16.20.x/24)
VLAN 30 (Servers 172.16.30.x/24)
VLAN 90 = DMZ
Sorry to be a newbie, but I think that we all want to learn 🙂
So you have only two connections from the SRX to the HP switch: ge-0/0/0 and ge-0/0/1. ge-0/0/0 is used for Internet (DMZ) and the other interface is used for 3 vlans. Based on these assumptions, a sample config is given below:
HP Switch:
1. Configure the interface connected to SRX ge-0/0/1 as trunk and allow vlans 10, 20 and 30
2. Configure the interface connected to SRX ge-0/0/0 as an access port (Internet) for vlan 90
3. Based on the number of vlans you may allow additional vlans and configure the same in the SRX as below:
SRX:
delete interfaces ge-0/0/1
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 10 family inet address 172.16.1.x/24
set interfaces ge-0/0/1 unit 20 vlan-id 20
set interfaces ge-0/0/1 unit 20 family inet address 172.16.20.x/24
set interfaces ge-0/0/1 unit 30 vlan-id 30
set interfaces ge-0/0/1 unit 30 family inet address 172.16.30.x/24
delete interfaces ge-0/0/0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.250.x/24
It feels like I'm almost there: I'm able to ping my devices directly from the SRX320, but from device to device (vlan 10 to 20, for example) it is not working. I'm getting timeouts. I have added the routes, but still no luck.
The interface on the HP is configured as trunk and VLANs 10, 20 and 30 are tagged on this port.
VLANs 10, 20 and 30 are part of the trust zone. Even though they are in the same zone, you have to configure a security policy to allow communication between them (trust to trust). Intra-zone communication is disabled by default.
set security policies from-zone trust to-zone trust policy Allow_Intenal match source-address any
set security policies from-zone trust to-zone trust policy Allow_Intenal match destination-address any
set security policies from-zone trust to-zone trust policy Allow_Intenal match application any
set security policies from-zone trust to-zone trust policy Allow_Intenal then permit
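As an added example (not code from this thread or from Juniper), a small Python check that parses Junos "set" statements and flags any zone holding two or more interfaces but no intra-zone permit policy, which is exactly the gap behind the timeouts above. The config lines, zone and policy names in the sample are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample modelling the thread's final layout: three VLAN
# sub-interfaces in zone trust, the DMZ in untrust, and no trust-to-trust
# policy yet (so inter-VLAN traffic is dropped by the default deny).
SAMPLE_CONFIG = """
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 20 vlan-id 20
set interfaces ge-0/0/1 unit 30 vlan-id 30
set security zones security-zone trust interfaces ge-0/0/1.10
set security zones security-zone trust interfaces ge-0/0/1.20
set security zones security-zone trust interfaces ge-0/0/1.30
set security zones security-zone untrust interfaces ge-0/0/0.0
set security policies from-zone trust to-zone untrust policy Allow_Out match source-address any
set security policies from-zone trust to-zone untrust policy Allow_Out then permit
"""

# The missing intra-zone policy (constructed, same shape as the fix in the thread).
FIX = """
set security policies from-zone trust to-zone trust policy Allow_Internal match source-address any
set security policies from-zone trust to-zone trust policy Allow_Internal then permit
"""

ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
POLICY = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then (permit|deny|reject)$")


def parse(config):
    """Collect interfaces per zone and the (from, to) zone pairs with a permit action."""
    zones = defaultdict(set)
    permits = set()
    for line in config.strip().splitlines():
        line = line.strip()
        m = ZONE_IF.match(line)
        if m:
            zones[m.group(1)].add(m.group(2))
            continue
        m = POLICY.match(line)
        if m and m.group(4) == "permit":
            permits.add((m.group(1), m.group(2)))
    return zones, permits


def zones_without_intrazone_policy(config):
    """Zones with 2+ interfaces (the SRX can route between them) but no
    from-zone X to-zone X permit policy; sorted for stable output."""
    zones, permits = parse(config)
    return sorted(z for z, ifs in zones.items() if len(ifs) >= 2 and (z, z) not in permits)


if __name__ == "__main__":
    print(zones_without_intrazone_policy(SAMPLE_CONFIG))        # ['trust']
    print(zones_without_intrazone_policy(SAMPLE_CONFIG + FIX))  # []
```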
That worked! Thanks!