I am trying to use an SRX 340 gateway to terminate multiple VLANs coming in from a switch on a VLAN trunk (tagged), and allow routing between two of them but not another. The SRX does not need to switch the VLANs between any other ports. I also serve up DHCP on one of the VLAN interfaces.
I tried to do this the way I thought it should be done, with irb interfaces, but I could not get it working. I then tried it a different way using VLAN sub-interfaces and I was able to get it working. My understanding is that using sub-interfaces is deprecated, so I want to get it working the proper way.
So my first question is: how should I be approaching this? Is using irb interfaces the right way to do it, or, since I don't actually need to switch, should I be doing it a different way? The config I created for irb is as follows, and I was not able to see ARP requests or anything else coming from the switch on any of the VLANs.
SRX firmware version is junos-srxsme-15.1X49-D160.2
set system host-name TEST_Q
set system time-zone GMT
set system services ssh
set system services telnet
set system services dhcp-local-server group dhcp_maint interface irb.20
set system services web-management http interface fxp0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security address-book global address NM_SUBNET 10.207.8.0/24
set security address-book global address MAINT_SUBNET 10.207.22.0/24
set security address-book global address CORP_SUBNET 10.205.0.0/16
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match source-address NM_SUBNET
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match destination-address MAINT_SUBNET
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match application any
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT then permit
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match source-address MAINT_SUBNET
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match destination-address NM_SUBNET
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match application any
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM then permit
set security policies default-policy deny-all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ntp
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ping
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ntp
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services https
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ssh
set security zones security-zone CORP interfaces irb.30 host-inbound-traffic system-services ping
set interfaces fxp0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.255.126/31
set interfaces ge-0/0/6 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members all
set interfaces irb unit 10 family inet address 10.207.8.1/24
set interfaces irb unit 20 family inet address 10.207.22.1/24
set interfaces irb unit 30 family inet address 10.207.62.1/24
set access address-assignment pool dhcp_pool_maint family inet network 10.207.22.0/24
set access address-assignment pool dhcp_pool_maint family inet range r1 low 10.207.22.101
set access address-assignment pool dhcp_pool_maint family inet range r1 high 10.207.22.125
set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes name-server 10.207.22.1
set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes router 10.207.22.1
set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10
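As an added example (not part of the original post or Juniper's tooling): a small Python checker for the cross-references an irb-based VLAN config on the SRX has to satisfy before the irb can ever see a frame, run over a constructed excerpt of the set commands above. Each vlan's l3-interface must be an irb unit with a family inet address, every such irb must sit in a security zone (flow mode drops traffic on unzoned interfaces), the trunk must carry every defined vlan, and the dhcp-local-server binding must name a real irb. The posted lines pass all of these checks, so the structural wiring is consistent and the problem has to be looked for elsewhere.

```python
# Constructed excerpt of the set-style config from the post (assumption: lines unchanged).
POSTED = """\
set system services dhcp-local-server group dhcp_maint interface irb.20
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ping
set security zones security-zone CORP interfaces irb.30 host-inbound-traffic system-services ping
set interfaces ge-0/0/6 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members all
set interfaces irb unit 10 family inet address 10.207.8.1/24
set interfaces irb unit 20 family inet address 10.207.22.1/24
set interfaces irb unit 30 family inet address 10.207.62.1/24
set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10
"""

def check_irb_config(cfg):
    """Return a list of findings; an empty list means every cross-reference lines up."""
    irb_addr, vlan_id, vlan_l3, zone_of, trunks, dhcp_ifs = {}, {}, {}, {}, {}, []
    for line in cfg.splitlines():
        w = line.split()
        if len(w) < 5 or w[0] != "set":
            continue
        if w[1:4] == ["interfaces", "irb", "unit"] and "address" in w:
            irb_addr["irb." + w[4]] = w[w.index("address") + 1]   # irb.N -> prefix
        elif w[1] == "vlans" and w[3] == "vlan-id":
            vlan_id[w[2]] = int(w[4])                               # vlan name -> tag
        elif w[1] == "vlans" and w[3] == "l3-interface":
            vlan_l3[w[2]] = w[4]                                    # vlan name -> irb.N
        elif w[1:4] == ["security", "zones", "security-zone"] and len(w) > 6 and w[5] == "interfaces":
            zone_of[w[6]] = w[4]                                    # interface -> zone
        elif w[1] == "interfaces" and "ethernet-switching" in w and "members" in w:
            trunks.setdefault(w[2], set()).add(w[w.index("members") + 1])
        elif "dhcp-local-server" in w and "interface" in w:
            dhcp_ifs.append(w[w.index("interface") + 1])
    out = []
    for vlan, irb in vlan_l3.items():
        if irb not in irb_addr:
            out.append(f"{vlan}: l3-interface {irb} has no family inet address")
        if irb not in zone_of:
            out.append(f"{vlan}: {irb} is in no security zone, so flow drops its traffic")
    for irb in irb_addr:
        if irb not in vlan_l3.values():
            out.append(f"{irb} has an address but no vlan points at it; it never sees frames")
    for port, members in trunks.items():
        missing = [v for v in vlan_id if not ({"all", v, str(vlan_id[v])} & members)]
        if missing:
            out.append(f"{port}: trunk does not carry {missing}")
    out += [f"dhcp-local-server bound to unknown {i}" for i in dhcp_ifs if i not in irb_addr]
    return out
```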