Noob, Trying to Make His Way in the World
I have a clustered Juniper SRX 1500 separated into 2 logical systems. Each logical system has its own router, firewall rules and security policy. I have a Dell/Force10 switch handling layer 2 for my network which is situated, logically, above my cluster (meaning that all internal routing is done on the FW). I am having some difficulty accessing my switch directly, without having to ssh into the firewall and then ssh into the switch. I can’t seem to access it from my management network, despite having set up routing, policies and everything else. I have tried various configurations, all to no avail. I want to be able to access my switch at 10.21.9.100/24 while sitting on the 129.9.103.1/27 network. I have some extra interfaces available on the FW, so I don’t mind using them to manage the switch. I am able to ping my switch from the firewall and vice versa, but I am not able to ssh or ping my switch from my PC on the 129.9.103.1/27 network. In the configuration below, I have specified interfaces ge-0/0/0.0 and ge-4/0/0.0 as the interfaces that I would like to carry the switch management traffic. I am out of ideas at this point and would appreciate some pointers. I’ve pasted the relevant portions of my config below.
logical-systems {
LSYS1SOMECOFW {
interfaces {
    /* Local (non-reth) port on 10.21.9.0/24, the subnet the switch
       management address 10.21.9.100 lives on. ge-4/0/0.0 below is in the
       same /24 and both are bound to LSYS1SOMECOFW_vr. Presumably ge-0/0/0
       and ge-4/0/0 are the node0/node1 ports of the cluster rather than one
       redundant interface -- confirm which node's port is actually up and
       forwarding. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.21.9.1/24;
            }
        }
    }
    /* Logical tunnel, peer-unit 3 (presumably the other logical system).
       Both static routes of LSYS1SOMECOFW_vr (next-hops 10.99.1.1 and
       10.99.1.4) resolve over this 10.99.1.0/24 subnet. */
    lt-0/0/0 {
        unit 5 {
            description Logical_Tunnel_For_SOMECO;
            encapsulation ethernet;
            peer-unit 3;
            family inet {
                address 10.99.1.5/24;
            }
        }
    }
    /* 10.21.8.0/24 is also configured on ge-4/0/4.0 (10.21.8.101) and on
       reth0.8 (10.21.8.1); all three sit in the same virtual-router.
       NOTE(review): three interfaces in one /24 in one routing instance is
       worth confirming as intended. */
    ge-0/0/4 {
        unit 0 {
            description PARENT-CO_FW2_MGMT;
            family inet {
                address 10.21.8.100/24;
            }
        }
    }
    /* Second address in 10.21.9.0/24; see ge-0/0/0 above. */
    ge-4/0/0 {
        unit 0 {
            description SW 2 MGMT;
            family inet {
                address 10.21.9.2/24;
            }
        }
    }
    /* Second local address in 10.21.8.0/24; see ge-0/0/4 above. */
    ge-4/0/4 {
        unit 0 {
            description PARENT-CO_FW1_MGMT;
            family inet {
                address 10.21.8.101/24;
            }
        }
    }
    /* Redundant Ethernet interface; each unit is a VLAN-tagged
       sub-interface toward the layer-2 switch. */
    reth0 {
        /* 129.9.103.0/27: the network the management PC is on. */
        unit 0 {
            description SOMECO_Backside;
            vlan-id 7;
            family inet {
                address 129.9.103.1/27;
            }
        }
        unit 2 {
            description SOMECO_Chassis_MGMT;
            vlan-id 2;
            family inet {
                address 10.21.2.1/24;
            }
        }
        unit 5 {
            description SOMECO-SOMECO-2_Network_MGMT;
            vlan-id 5;
            family inet {
                address 10.21.5.1/24;
            }
        }
        unit 6 {
            description SOMECO-SOMECO-2_Terminal_Concentrator;
            vlan-id 6;
            family inet {
                address 10.21.6.1/24;
            }
        }
        /* Same /24 as ge-0/0/4.0 and ge-4/0/4.0 (no description set). */
        unit 8 {
            vlan-id 8;
            family inet {
                address 10.21.8.1/24;
            }
        }
        unit 10 {
            description SOMECO_ESXi_MGMT;
            vlan-id 10;
            family inet {
                address 10.21.10.1/24;
            }
        }
        unit 46 {
            description SOMECO_Netapp;
            vlan-id 46;
            family inet {
                address 129.9.103.65/27;
            }
        }
        unit 54 {
            description SOMECO_DMZ_PROD;
            vlan-id 54;
            family inet {
                address 129.9.103.129/28;
            }
        }
        unit 90 {
            description SOMECO_Non_PROD_DMZ;
            vlan-id 90;
            family inet {
                address 129.9.103.145/28;
            }
        }
        unit 97 {
            description SOMECO_Prod_DMZ_MGMT;
            vlan-id 97;
            family inet {
                address 129.9.103.161/28;
            }
        }
        unit 98 {
            description DMZ_Non_Prod_Mgmt;
            vlan-id 98;
            family inet {
                address 129.9.103.177/28;
            }
        }
        unit 3233 {
            description SOMECO_Non_Production_MGMT;
            vlan-id 3233;
            family inet {
                address 129.9.103.225/27;
            }
        }
        unit 3330 {
            description SOMECO_APP/DB_Production;
            vlan-id 3330;
            family inet {
                address 129.9.103.33/27;
            }
        }
        unit 3331 {
            description SOMECO_Production_MGMT;
            vlan-id 3331;
            family inet {
                address 129.9.103.193/27;
            }
        }
        unit 3332 {
            description SOMECO_APP/DB_Non-Production;
            vlan-id 3332;
            family inet {
                address 129.9.103.97/27;
            }
        }
    }
}
routing-instances {
    /* One virtual-router holding every interface of this logical system.
       Both ends of the PC-to-switch path are in it: reth0.0
       (129.9.103.0/27, the PC's network) and ge-0/0/0.0 / ge-4/0/0.0
       (10.21.9.0/24, the switch management subnet), so on the firewall side
       they should appear as directly connected routes and need no static. */
    LSYS1SOMECOFW_vr {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface lt-0/0/0.5;
        interface ge-0/0/4.0;
        interface ge-4/0/0.0;
        interface ge-4/0/4.0;
        interface reth0.0;
        interface reth0.2;
        interface reth0.5;
        interface reth0.6;
        interface reth0.8;
        interface reth0.10;
        interface reth0.46;
        interface reth0.54;
        interface reth0.90;
        interface reth0.97;
        interface reth0.98;
        interface reth0.3233;
        interface reth0.3330;
        interface reth0.3331;
        interface reth0.3332;
        /* Only two statics, both with next-hops in the lt-0/0/0.5 subnet
           (10.99.1.0/24). NOTE(review): nothing in this excerpt controls the
           reverse path -- the switch itself needs a route or default gateway
           for 129.9.103.0/27 pointing back at the firewall's 10.21.9.x
           address; the switch side is not shown here, so confirm it there. */
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.99.1.1;
                route 129.9.104.0/24 next-hop 10.99.1.4;
            }
        }
    }
}
from-zone Trust_ SOMECO to-zone Trust_ SOMECO {
policy Trust-Trust_ SOMECO {
description "Any-to-Any rule";
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
application-services {
idp;
zones {
security-zone Trust_LSYS1_SOMECOFW {
screen Untrust-screen;
host-inbound-traffic {
system-services {
all;
https;
}
protocols {
all;
}
}
interfaces {
reth0.0;
reth0.3330;
reth0.46;
reth0.3332;
reth0.3331;
reth0.3233;
reth0.2;
reth0.5;
reth0.10;
reth0.6;
reth0.97;
reth0.54;
reth0.98;
reth0.90;
reth0.8;
ge-0/0/4.0;
ge-4/0/4.0;
ge-0/0/0.0;
ge-4/0/0.0;