SRX

 View Only
last person joined: 14 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Multiple interfaces same security zone

    Posted 06-16-2017 13:45

     

     srx100-front-high.jpg

     

     

     

     

     

     

     

     

     

     

     

     

     

    It's basically the default SRX100B config [load factory default], but I deleted the --- fe-0/0/7 interface to remove ethernet-switching, and make it a true routed interface with an IP of 172.16.254.1. 

     

    The bottom line is, despite my efforts of following the Juniper literature and recommendations from forums on placing both interfaces in the same security zone, creating explicit security policies, etc, I have yet to be able to simply plug into either a 192.168.1.1 interface, or the 172.16.254.1 interface and be able to ping the opposite subnet. I even tried changing the hidden "deny-all" policy to "permit-any" ... but still no joy 😕

     

    In other words, if I have 192.168.1.20 assigned to laptop and plugged into fe-0/0/1-6, I can ping 192.168.1.1, but cannot ping the other subnet 172.16.254.1. Similarly, if I plug into fe-0/0/7 interface and assign my laptop 172.16.254.20, I can ping 172.16.254.1 all day ... but of course cannot ping 192.168.1.1. 

     

    What I've tried thus far in multiple iterations: 

     

    - Placed both interfaces in the same default "trust" security zone. 

    - Changing the hidden/default deny-all policy with a permit-all (still a no-go). 

    - Create unique security policies and explicitly allowed access between 192.168.1.x and 172.16.254.x, etc.

     

    I stepped away from Juniper for a bit after grabbing JNCIA and JNCIS-SEC, and knocked out the CCNP R/S track, but man ... I didn't think this simple setup would be such a pain. 

     

    So again, objective is to simply load default config, delete fe-0/0/7 ethernet-switching, then assign 172.16.254.1 to it. Then ensure I can connect a laptop to any interface and ping between both RVIs/subnets. What is the most simplified method of accomplishing this? Sheesh, how hard can pinging between two interfaces assigned to the same "trust" zone actually be? And yes, I'm away of the "intra-zone" traffic being blocked by default ... but as I've already stated, I set the "permit-any/all" command instead of the default "deny-any" but didnt' work!

     

    Oh by the way, (second question/quirk) the SRX 100 interfaces have to be physically connected to actually be up. On other appliances, the RVIs stay up, even if something isn't connected. Is that just the way it is with the SRX?

     

    Thanks in advance!

     

    -Peace-

     

     

     

     



  • 2.  RE: SRX Multiple interfaces same security zone

     
    Posted 06-16-2017 19:34

    If you post your config it will be easier for folks to help. It could simply be that you've put fe-0/0/6 into the trust zone and not the layer 3 RVI.

     

    Also, RVI's being down if there are no active member interfaces is normal behavior for almost all enterprise gear--this is not at all unusual.



  • 3.  RE: SRX Multiple interfaces same security zone

    Posted 06-17-2017 08:29

    I don't have config on hand, but you can replicate what I'm trying to accomplish by simpy taking the default SRX100B factory default config, and starting from scratch. 

     

    So from scratch, how would simply keep the default 192.168.1.1/24 interface ... then create a another routed interface on fe-0/0/7 with a unique IP? In my case I'd like fe-0/0/7 be a routed interface with 172.16.254.1.

     

    As I previously stated, I tried putting them in the same default "Trust" security zone, and also opening up the default policy to allow intra-zone traffic ... but still no joy. I'm just asking for the conceptual approach, if you have particular syntax that's cool too. 

     

    By the way ... respectfully, that statement about RVIs (in Cisco known as SVIs) is 100% not true. I do this frequently in Cisco,  Brocade, and many other vendors on a regular basis ---- by creating SVIs on enterprise L3 switches, and it is never necessary to plug anything into a physical interface. The pings are sent/received no problem, regardless if anything is plugged in or not. That's because it's not routing/switching to a particular interface, the route engine or control plane handles this internally. Meraki and Catalyst are perfect examples. But this last paragraph is a digression I don't want to pursue, as I know how to make that work on every other vendor. 

     

    Only thing I want to know is how to make pass traffic between two different subnets on the same SRX, either in the same security zone, or different security zone. Don't matter to me. 

     

    Thanks kindly!