
Reth with vlan-tagging

  • 1.  Reth with vlan-tagging

    Posted 09-04-2019 23:28

    Hello,

     

    I would like to know: if you add vlan-tagging on a reth, do you still need to configure VLANs on the SRX and add them to L3?

     

    example:

    reth1 {
        description sw01;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 10 {
            description "sales";
            vlan-id 10;
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 20 {
            description "HRM";
            vlan-id 20;
            family inet {
                address 192.168.2.1/24;
            }
        }
        unit 100 {
            description "mgmt";
            vlan-id 100;
            family inet {
                address 192.168.3.1/27 {
                    primary;
                }
            }
        }
    }

     

    Do you still need to do this:

     

    vlans {
        v10 {
            description "sales network";
            vlan-id 10;
            l3-interface vlan.10;
        }
        v20 {
            description "hrm network";
            vlan-id 20;
            l3-interface vlan.20;
        }
        v100 {
            description management-network;
            vlan-id 100;
            l3-interface vlan.100;
        }
    }



  • 2.  RE: Reth with vlan-tagging
    Best Answer

    Posted 09-04-2019 23:40

    Hi Suli,

     

    Your reth interface configuration looks perfect.  No need to configure separate VLANs via the L3 interface.

     

    VLAN tagging and VLAN-ID in the reth interface is sufficient.



  • 3.  RE: Reth with vlan-tagging

    Posted 09-04-2019 23:41

    Thanks again!



  • 4.  RE: Reth with vlan-tagging

    Posted 09-05-2019 01:40

    Hello,

     

    I do have another question regarding reth trunking towards the switches. I have patched the application server to the switch on VLAN 50 and trunked this VLAN towards the firewall, and on the firewall I have tagged the VLAN on reth1. I have also added a security zone for this application server, but now I can not ping from the switch/firewall towards the application server. What do I miss in this configuration? I think a security policy for the application server?

     

    server > switch > firewall01/02 > internet

     

    SRX config:

    reth0 {
        description "switch - internet";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 200 {
            description "public ip-range";
            vlan-id 200;
            family inet {
                address 6.100.10.71/29 {
                    primary;
                    preferred;
                }
            }
        }
    }

     

    reth1 {
        description switch;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 50 {
            description "Application server";
            vlan-id 50;
            family inet {
                address 192.168.5.1/24;
            }
        }
    }
     

    trunk towards switch:

    interfaces {
        ge-0/0/2 {
            description "switch ge-0/0/0";
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-0/0/3 {
            description "switch ge-1/0/0";
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-0/0/4 {
            description "switch ge-0/0/46 - internet";
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-5/0/2 {
            description "switch ge-2/0/0";
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-5/0/3 {
            description "switch ge-3/0/0";
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-5/0/4 {
            description "switch ge-2/0/46 - internet";
            gigether-options {
                redundant-parent reth0;
            }
        }
    }

     

    Security Zone/policy:

    security {
        policies {
            from-zone untrust to-zone trust {
                policy allow-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone application {
                interfaces {
                    reth1.50 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    reth0.200;
                }
            }
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    /* ISP */
                    ge-0/0/7.2504;
                    /* ISP */
                    ge-5/0/7.3504;
                }
            }
        }
    }

     

     

    Switch01:

    ge-0/0/6 {
        description "Application server";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 50;
                }
            }
        }
    }

    ae0 {
        description "fw - internet";
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members 200;
                }
            }
        }
    }

    ae1 {
        description fw01;
        aggregated-ether-options {
            lacp {
                active;
                periodic slow;
            }
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members 50;
                }
            }
        }
    }

    ae2 {
        description fw02;
        aggregated-ether-options {
            lacp {
                active;
            }
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members 50;
                }
            }
        }
    }

    vlans {
        v50 {
            description Application;
            vlan-id 50;
        }
        v200 {
            description Internet;
            vlan-id 200;
        }
    }

     

     

    Thank you in advance.

     



  • 5.  RE: Reth with vlan-tagging

     
    Posted 09-05-2019 03:04

    You will need to add the interfaces to the desired security zone.

     

    set security zones security-zone NAME interfaces reth0.200

     

    Then allow ping in that zone for traffic ending at the SRX:

     

    set security zones security-zone NAME host-inbound-traffic system-services ping

     

    For traffic passing through the SRX, policies are needed:

    show security policy from-zone NAME to-zone NAME
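The three steps in the reply above, written out for the application zone and reth1.50 from post 4. This is an added example, not configuration from the thread: the app-server and sales-net addresses are constructed, putting reth1.10 in the trust zone is an assumption, and host-inbound-traffic is narrowed to ping instead of all.

```junos
security {
    address-book {
        global {
            /* constructed sample addresses, not from the thread */
            address app-server 192.168.5.10/32;
            address sales-net 192.168.1.0/24;
        }
    }
    zones {
        security-zone application {
            /* step 1: bind the tagged reth unit to the zone */
            interfaces {
                reth1.50 {
                    /* step 2: only ping may terminate on the SRX here */
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                /* assumed: the sales unit from the first post */
                reth1.10;
            }
        }
    }
    /* step 3: transit traffic needs a policy for the initiating direction */
    policies {
        from-zone trust to-zone application {
            policy trust-to-app-ping {
                match {
                    source-address sales-net;
                    destination-address app-server;
                    application junos-ping;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

After commit, `show security zones` confirms the interface-to-zone binding and `show security policies from-zone trust to-zone application` shows the policy; `show security flow session` tells you whether the ping is actually creating a session or being dropped before one exists.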

     



  • 6.  RE: Reth with vlan-tagging

    Posted 09-06-2019 00:23

    Thank you for the explanation. I have made some changes in security zones and policies. It is working now.