Multiple VLAN gateways on physical interface

  • 1.  Multiple VLAN gateways on physical interface

    Posted 10-11-2019 18:27

    I am trying to use an SRX 340 gateway to terminate multiple VLANs coming in from a switch on a VLAN trunk (tagged), and allow routing between two of them but not another.  The SRX does not need to switch the VLANs between any other ports.  I also serve DHCP on one of the VLAN interfaces.

     

    I tried to do this the way I thought it should be done, with irb interfaces, but I could not get it working.  I then tried it a different way, using VLAN sub-interfaces, and I was able to get it working.  My understanding is that using sub-interfaces is deprecated, so I want to get it working the proper way.

     

    So my first question is how I should be approaching this.  Is using irb interfaces the right way to do it, or, since I don't actually need to switch, should I be doing it a different way?  The config I created for irb is as follows, and with it I was not able to see ARP requests or anything else coming from the switch on any VLAN.

     

    SRX firmware version is junos-srxsme-15.1X49-D160.2

     

    set system host-name TEST_Q
    set system time-zone GMT
    set system services ssh
    set system services telnet
    set system services dhcp-local-server group dhcp_maint interface irb.20

    set system services web-management http interface fxp0.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency

    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5

    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set security address-book global address NM_SUBNET 10.207.8.0/24
    set security address-book global address MAINT_SUBNET 10.207.22.0/24
    set security address-book global address CORP_SUBNET 10.205.0.0/16
    set security screen ids-option untrust-screen icmp ping-death

    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024

    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land

    set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match source-address NM_SUBNET
    set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match destination-address MAINT_SUBNET
    set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match application any
    set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT then permit
    set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match source-address MAINT_SUBNET
    set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match destination-address NM_SUBNET
    set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match application any
    set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM then permit

    set security policies default-policy deny-all

    set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ping
    set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ntp
    set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ping
    set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ntp
    set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services https
    set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ssh

    set security zones security-zone CORP interfaces irb.30 host-inbound-traffic system-services ping
    set interfaces fxp0 unit 0 family inet address 192.168.1.1/24

    set interfaces ge-0/0/1 unit 0 family inet address 192.168.255.126/31
    set interfaces ge-0/0/6 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members all

    set interfaces irb unit 10 family inet address 10.207.8.1/24
    set interfaces irb unit 20 family inet address 10.207.22.1/24
    set interfaces irb unit 30 family inet address 10.207.62.1/24

    set access address-assignment pool dhcp_pool_maint family inet network 10.207.22.0/24
    set access address-assignment pool dhcp_pool_maint family inet range r1 low 10.207.22.101
    set access address-assignment pool dhcp_pool_maint family inet range r1 high 10.207.22.125
    set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes maximum-lease-time 2419200
    set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes name-server 10.207.22.1
    set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes router 10.207.22.1


    set vlans Corp vlan-id 30
    set vlans Corp l3-interface irb.30
    set vlans Maintenance vlan-id 20
    set vlans Maintenance l3-interface irb.20
    set vlans NetworkManagement vlan-id 10
    set vlans NetworkManagement l3-interface irb.10



  • 2.  RE: Multiple VLAN gateways on physical interface
    Best Answer

    Posted 10-11-2019 18:44

    Hi,

     

    The configuration looks fine.

     

    L3 Interfaces and association with a sec-zone:
    
    	set interfaces irb unit 10 family inet address 10.207.8.1/24
    	set interfaces irb unit 20 family inet address 10.207.22.1/24
    	set interfaces irb unit 30 family inet address 10.207.62.1/24
    	
    	set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ping 
    	set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ntp
    	set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ping 
    	set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ntp
    	set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services https
    	set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ssh
    
    Vlans and association with its L3 interface:
    
    	set vlans Corp vlan-id 30
    	set vlans Corp l3-interface irb.30
    
    	set vlans Maintenance vlan-id 20
    	set vlans Maintenance l3-interface irb.20
    
    	set vlans NetworkManagement vlan-id 10
    	set vlans NetworkManagement l3-interface irb.10
    	
    Trunk facing the switch:
    
    	set interfaces ge-0/0/6 unit 0 family ethernet-switching interface-mode trunk
    	set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members all
    
    Policies for permitting traffic between Maintenance and NetworkManagement zones:
    
    	set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match source-address NM_SUBNET
    	set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match destination-address MAINT_SUBNET
    	set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match application any
    	set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT then permit
    	set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match source-address MAINT_SUBNET
    	set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match destination-address NM_SUBNET
    	set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match application any
    	set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM then permit
    	
    DHCP for the Maintenance zone:
    
    	set system services dhcp-local-server group dhcp_maint interface irb.20
    
    	set access address-assignment pool dhcp_pool_maint family inet network 10.207.22.0/24
    	set access address-assignment pool dhcp_pool_maint family inet range r1 low 10.207.22.101
    	set access address-assignment pool dhcp_pool_maint family inet range r1 high 10.207.22.125
    	set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes maximum-lease-time 2419200
    	set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes name-server 10.207.22.1
    	set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes router 10.207.22.1

     

    The above configuration will provide you with more scalability (if needed in the future), but at the end of the day, if you want to use a single interface with "sub-interfaces" and vlan-tagging, that is also valid. It really depends on your current and future needs. For instance, if you want to save ports, then using a single interface as a "router-on-a-stick" will work just fine.

     

    Can you check if your switch is configured for switching mode:

     

    	> show ethernet-switching global-information

     

    Also, it would be good to see the configuration of the switch port, and to create an L3 interface on that switch and confirm IP connectivity with the SRX. Also, what is the version of your SRX?
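As an added example (not code from this thread or from Juniper), the following Python checker reads the poster's set-style configuration and flags the omissions that make an irb-based VLAN gateway fail quietly: an irb unit that no VLAN names as its l3-interface, a VLAN with a vlan-id but no l3-interface, an irb unit outside every security zone, a default policy other than deny-all, and a permit policy that touches a zone meant to stay isolated (CORP here). The rule set, the function names and the trimmed copy of the config embedded as SAMPLE_CONFIG are this example's own assumptions; only the config lines themselves come from the original post.

```python
"""Consistency checker for an irb-based SRX VLAN gateway (added example)."""
from collections import defaultdict

# Trimmed copy of the configuration posted in the thread (constructed sample input).
SAMPLE_CONFIG = """\
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT then permit
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM then permit
set security policies default-policy deny-all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ping
set security zones security-zone CORP interfaces irb.30 host-inbound-traffic system-services ping
set interfaces irb unit 10 family inet address 10.207.8.1/24
set interfaces irb unit 20 family inet address 10.207.22.1/24
set interfaces irb unit 30 family inet address 10.207.62.1/24
set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10
"""


def parse_set_config(text):
    """Reduce 'set ...' lines to the handful of facts the checker needs."""
    cfg = {
        "irb_units": set(),               # {"irb.10", ...}
        "vlan_ids": {},                   # vlan name -> vlan-id
        "vlan_l3": {},                    # vlan name -> l3-interface
        "zone_ifaces": defaultdict(set),  # zone -> {interfaces placed in it}
        "permits": set(),                 # (from-zone, to-zone) pairs with a permit
        "default_policy": None,
    }
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "set":
            continue
        if t[1:4] == ["interfaces", "irb", "unit"]:
            cfg["irb_units"].add("irb." + t[4])
        elif t[1] == "vlans" and t[3] == "vlan-id":
            cfg["vlan_ids"][t[2]] = int(t[4])
        elif t[1] == "vlans" and t[3] == "l3-interface":
            cfg["vlan_l3"][t[2]] = t[4]
        elif t[1:4] == ["security", "zones", "security-zone"] and len(t) > 6 and t[5] == "interfaces":
            cfg["zone_ifaces"][t[4]].add(t[6])
        elif t[1:4] == ["security", "policies", "default-policy"]:
            cfg["default_policy"] = t[4]
        elif t[1:4] == ["security", "policies", "from-zone"] and "then" in t:
            i = t.index("then")
            if i + 1 < len(t) and t[i + 1] == "permit":
                cfg["permits"].add((t[4], t[6]))
    return cfg


def check_vlan_gateway(cfg, isolated_zones=("CORP",)):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    owners = defaultdict(list)    # irb unit -> VLANs naming it as l3-interface
    for vlan, iface in cfg["vlan_l3"].items():
        owners[iface].append(vlan)
    zones_of = defaultdict(list)  # interface -> zones containing it
    for zone, ifaces in cfg["zone_ifaces"].items():
        for iface in ifaces:
            zones_of[iface].append(zone)

    for unit in sorted(cfg["irb_units"]):
        if not owners[unit]:
            findings.append(f"{unit} has an address but no VLAN names it as l3-interface; it will never see frames")
        elif len(owners[unit]) > 1:
            findings.append(f"{unit} is the l3-interface of several VLANs: {sorted(owners[unit])}")
        if not zones_of[unit]:
            findings.append(f"{unit} is in no security zone; the SRX drops traffic on it")
        elif len(zones_of[unit]) > 1:
            findings.append(f"{unit} is in several zones: {sorted(zones_of[unit])}")

    for vlan in sorted(cfg["vlan_ids"]):
        iface = cfg["vlan_l3"].get(vlan)
        if iface is None:
            findings.append(f"VLAN {vlan} (id {cfg['vlan_ids'][vlan]}) has no l3-interface; it is switched but not routed")
        elif iface not in cfg["irb_units"]:
            findings.append(f"VLAN {vlan} points at {iface}, which has no 'set interfaces irb unit' definition")

    if cfg["default_policy"] != "deny-all":
        findings.append(f"default-policy is {cfg['default_policy']!r}, not deny-all")

    for a, b in sorted(cfg["permits"]):
        for zone in isolated_zones:
            if zone in (a, b):
                findings.append(f"policy permits {a} -> {b}, but {zone} is meant to be isolated")
    return findings


if __name__ == "__main__":
    for finding in check_vlan_gateway(parse_set_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the posted configuration the checker reports nothing; delete the single `set vlans Maintenance l3-interface irb.20` line and it reports both that irb.20 is orphaned and that VLAN Maintenance is switched but not routed, which is the kind of one-line omission that produces "no ARP seen on any VLAN" while every other line looks right.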

     

     



  • 3.  RE: Multiple VLAN gateways on physical interface

    Posted 10-11-2019 20:28

    Thanks, I don't know why, but after creating the config with the sub-interfaces and then wiping that and going back to the irb config after reading your reply, everything is working now.  Maybe a command got missed the first time that I didn't notice.

     

    But I am thankful that I at least know my approach is valid.  Thanks.



  • 4.  RE: Multiple VLAN gateways on physical interface

    Posted 10-11-2019 21:32

    Dodo,

     

    You are very welcome, I'm glad it is working now.