SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX VLAN Logical Interfaces

    Posted 03-01-2019 11:48

    Hello,


    I have a few switches connected in an RSTP ethernet ring.  I would like to use Juniper SRX 340 as my gateway for all the applications and to permit and deny routing between the vlans on the ring.  I will be using two SRXs and VRRP to elect the master gateway.


    I have 8 applications, each on a separate VLAN and subnet.  The Junipers need to be able to participate in each VLAN, and have a logical IP address for each VLAN (as well as a shared VRRP address for each subnet that is available on both).


    I think I know how to do most of this; however, I haven't been able to find examples of creating VLAN interfaces that aren't attached to physical interfaces.  So hopefully someone can tell me how to do that part only.  So I will have two physical ports that are trunk ports and members of each VLAN, then 8 logical interfaces with IP addresses, one for each VLAN.  Then all traffic destined for outside networks will be routed out one of two uplink ports to other networks.


    If I can get info on how to create logical L3 interfaces attached to the VLAN without a physical interface I can probably figure out all the VRRP and other stuff myself.


    Thanks



  • 2.  RE: SRX VLAN Logical Interfaces
    Best Answer

    Posted 03-01-2019 12:36


    1. Define vlans
    set vlan-10 vlan-id 10
    set vlan-10 l3-interface irb.10
    set vlan-20 vlan-id 20
    set vlan-20 l3-interface irb.20
    set vlan-30 vlan-id 30
    set vlan-30 l3-interface irb.30
    set vlan-40 vlan-id 40
    set vlan-40 l3-interface irb.40
    set vlan-50 vlan-id 50
    set vlan-50 l3-interface irb.50
    set vlan-60 vlan-id 60
    set vlan-60 l3-interface irb.60
    set vlan-70 vlan-id 70
    set vlan-70 l3-interface irb.70
    set vlan-80 vlan-id 80
    set vlan-80 l3-interface irb.80

    2. Configure an l3 interface for each vlan.
    set interfaces irb unit 10 family inet address 192.168.10.1/24
    set interfaces irb unit 20 family inet address 192.168.20.1/24
    set interfaces irb unit 30 family inet address 192.168.30.1/24
    set interfaces irb unit 40 family inet address 192.168.40.1/24
    set interfaces irb unit 50 family inet address 192.168.50.1/24
    set interfaces irb unit 60 family inet address 192.168.60.1/24
    set interfaces irb unit 70 family inet address 192.168.70.1/24
    set interfaces irb unit 80 family inet address 192.168.80.1/24

    3. Configure the interfaces as trunks and allow all the vlans, or only the configured 8 vlans, on the interface
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [all or add 8 vlan-name]

    4. Configure a security zone and add the irb interfaces to it. You may use the same zone or a different zone for each vlan

    set security zones security-zone trust interfaces irb.10
    set security zones security-zone trust interfaces irb.20
    set security zones security-zone trust interfaces irb.30
    set security zones security-zone trust interfaces irb.40
    set security zones security-zone trust interfaces irb.50
    set security zones security-zone trust interfaces irb.60
    set security zones security-zone trust interfaces irb.70
    set security zones security-zone trust interfaces irb.80

    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all


    5. Configure security policies. [as per this config trust to trust]

    6. Configure vrrp and other stuff
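    As an added illustration of steps 1 to 4 (not code from this thread or from Juniper), the script below emits the equivalent `set` commands from a single VLAN table so the eight VLANs, irb units, zones and trunk memberships stay consistent with each other. The VLAN names, subnets, zone names and trunk ports are constructed assumptions; it uses one zone per VLAN, narrows `host-inbound-traffic` to `ping` rather than `all`, and lists the VLANs on the trunk explicitly instead of `all`, so that step 5's policies are the only thing that opens traffic between VLANs.

```python
"""Generate Junos 'set' commands for the IRB/VLAN/zone layout of steps 1-4.

Added example, not code from the thread or from Juniper. The VLAN table,
zone names and trunk ports below are constructed assumptions.
"""

from dataclasses import dataclass
from ipaddress import IPv4Interface


@dataclass(frozen=True)
class Vlan:
    name: str      # VLAN name used in 'set vlans <name> ...'
    vlan_id: int   # 802.1Q tag; the irb unit number follows it
    gateway: str   # the firewall's own address on the VLAN, CIDR form
    zone: str      # security zone the irb unit is placed in


# Constructed table: eight VLANs, as in the question.
VLANS = [Vlan(f"vlan-{v}", v, f"192.168.{v}.1/24", f"zone-{v}") for v in range(10, 90, 10)]
TRUNK_PORTS = ["ge-0/0/1", "ge-0/0/2"]   # assumed trunk ports


def build_config(vlans, trunk_ports):
    """Return the 'set' lines for steps 1-4 (step 1 needs the 'vlans' keyword)."""
    lines = []
    for v in vlans:
        IPv4Interface(v.gateway)   # reject a malformed address before emitting config
        irb = f"irb.{v.vlan_id}"
        # step 1: VLAN definition bound to its L3 interface
        lines.append(f"set vlans {v.name} vlan-id {v.vlan_id}")
        lines.append(f"set vlans {v.name} l3-interface {irb}")
        # step 2: address on the irb unit
        lines.append(f"set interfaces irb unit {v.vlan_id} family inet address {v.gateway}")
        # step 4: zone membership; the firewall itself only answers ping on this zone
        lines.append(f"set security zones security-zone {v.zone} interfaces {irb}")
        lines.append(f"set security zones security-zone {v.zone} host-inbound-traffic system-services ping")
    # step 3: trunk ports carry exactly the configured VLANs, not 'all'
    members = " ".join(v.name for v in vlans)
    for port in trunk_ports:
        lines.append(f"set interfaces {port} unit 0 family ethernet-switching interface-mode trunk")
        lines.append(f"set interfaces {port} unit 0 family ethernet-switching vlan members [ {members} ]")
    return lines


def duplicate_vlan_ids(vlans):
    """A VLAN id (and so an irb unit) must be unique; return any duplicates."""
    seen, dups = set(), set()
    for v in vlans:
        if v.vlan_id in seen:
            dups.add(v.vlan_id)
        seen.add(v.vlan_id)
    return sorted(dups)


if __name__ == "__main__":
    if duplicate_vlan_ids(VLANS):
        raise SystemExit(f"duplicate VLAN ids: {duplicate_vlan_ids(VLANS)}")
    print("\n".join(build_config(VLANS, TRUNK_PORTS)))
```

With a zone per VLAN, nothing is routed between VLANs until a `from-zone`/`to-zone` policy from step 5 permits it, which is the behaviour the question asks for.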




  • 3.  RE: SRX VLAN Logical Interfaces

    Posted 03-01-2019 13:22

    This appears to work however I had to put the keyword vlans after the set command.


    However, all the irb interfaces are in down state.  How do I bring them up?



  • 4.  RE: SRX VLAN Logical Interfaces

    Posted 03-01-2019 18:00

    In order for an irb interface to come up at least one physical interface in the same vlan has to be link up. 




  • 5.  RE: SRX VLAN Logical Interfaces

    Posted 03-01-2019 19:16

    There is a physical interface trunked vlan and it is up.  All vlans are on this interface.



  • 6.  RE: SRX VLAN Logical Interfaces

    Posted 03-01-2019 20:00

    Hi,


    I did a quick lab test. Interface was down after the commit. I had to reboot the firewall to get the irb interface up since I was switching from route mode to mix mode.


    root@srx# commit
    warning: Interfaces are changed from route mode to mix mode. Please use the command request system reboot on current node or all nodes in case of HA cluster!
    commit complete


    Configuration:

    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan100
    set interfaces irb unit 100 family inet address 192.168.100.10/24
    set vlans vlan100 vlan-id 100
    set vlans vlan100 l3-interface irb.100


    Interface Status:

    root@srx> show interfaces irb terse
    Interface Admin Link Proto Local Remote
    irb up up
    irb.100 up up inet 192.168.100.10/2


    Which platform and version are you using?


    I hope this helps.


    Regards,


    Vikas



  • 7.  RE: SRX VLAN Logical Interfaces

    Posted 03-04-2019 08:29

    OK, I got confused between ge-0/0/0 and ge-0/0/1.


    They are up now



  • 8.  RE: SRX VLAN Logical Interfaces

    Posted 03-04-2019 09:50

    I must be missing something here.  I cannot add an IRB interface to a security zone.  Not sure how I can route between subnets without a zone, but if I can route between different IRBs without a zone I don't know how I can prevent routing between some VLANs.


    My Junos version is JUNOS 15.1X49-D35



  • 9.  RE: SRX VLAN Logical Interfaces

    Posted 03-04-2019 10:29

    The Integrated routing and bridging (IRB) feature is introduced from Junos OS 15.1X49-D40 onwards. Please upgrade to D40 or a higher version. It is recommended to use the JTAC recommended version (refer to this link: https://kb.juniper.net/InfoCenter/index?page=content&id=kb21476#srx_series)

    https://apps.juniper.net/feature-explorer/feature-info.html?fKey=2219&fn=Integrated%20routing%20and%20bridging%20(IRB)

    IRB configuration: https://www.juniper.net/documentation/en_US/release-independent/solutions/information-products/pathway-pages/ethernet_switching_srx_app_note.pdf




  • 10.  RE: SRX VLAN Logical Interfaces

    Posted 03-05-2019 08:06

    Thanks, I now have updated firmware and things are starting to work as they should.  I still have two issues I can't figure out though.  At the moment I have two SRX 340 firewalls.  They are connected together via a vlan trunk (on all vlans).  There is a Maintenance vlan configured that should be routable to all other vlans and VRRP providing a gateway IP for that VLAN.  I also have a DHCP server configured on that vlan.


    I have a laptop connected to a port on SRX 2 and that port is also on the maintenance vlan.  I get an IP address without issue and can ping the l3 irb IP address on both SRX switches.  


    Problem 1 - I cannot ping the VRRP address.  VRRP appears to work, one is in master and one is in backup mode but I cannot ping the shared IP.  The accept-data flag is set.


    Problem 2 - I have setup policies between vlans so my maintenance vlan can communicate with the other VLANs, however I cannot ping any vlan interfaces on SRX 1 (which is the VRRP master) from the laptop.  The policies are set and incoming ping services are allowed on the interfaces.


    Hopefully someone can help me solve these two issues.  They may be related?  I have included my configs below.  They are almost the same, just different IP addresses, VRRP config and DHCP pools.


    SRX1:

    set version 15.1X49-D45
    set system host-name OPS-KOC-A
    set system time-zone GMT
    set system root-authentication encrypted-password "$5$jAAwwN6v$Cd4FbXRkBh4d4hK2LxLyzUQE3DRf5HuDuXZUO936fr5"
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system name-resolution no-resolve-on-input
    set system login user admin uid 2002
    set system login user admin class super-user
    set system login user admin authentication encrypted-password "$5$trBTfuvQ$fkkoVuImv1MC3mI6cH0EfsRmpkX5KmX8JdB2DRMu7Q."
    set system services ssh
    set system services telnet
    set system services dhcp-local-server group g1 interface irb.20
    set system services web-management http interface fxp0.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server us.ntp.pool.org
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match source-address any
    set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match destination-address any
    set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match application any
    set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM then permit
    set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match source-address any
    set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match destination-address any
    set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match application any
    set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM then permit
    set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match source-address any
    set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match destination-address any
    set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match application any
    set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM then permit
    set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match source-address any
    set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match destination-address any
    set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match application any
    set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM then permit
    set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match source-address any
    set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match destination-address any
    set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match application any
    set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA then permit
    set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match source-address any
    set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match destination-address any
    set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match application any
    set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA then permit
    set security zones security-zone NetworkManagement host-inbound-traffic system-services all
    set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services all
    set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic protocols all
    set security zones security-zone Maintenance host-inbound-traffic system-services all
    set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services all
    set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic protocols all
    set security zones security-zone IonMeters host-inbound-traffic system-services all
    set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic system-services all
    set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic protocols all
    set security zones security-zone GeneralDeviceManagement host-inbound-traffic system-services all
    set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic system-services all
    set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic protocols all
    set security zones security-zone EngineeringAccess host-inbound-traffic system-services all
    set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic system-services all
    set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic protocols all
    set security zones security-zone DFR host-inbound-traffic system-services all
    set security zones security-zone DFR interfaces irb.14 host-inbound-traffic system-services all
    set security zones security-zone DFR interfaces irb.14 host-inbound-traffic protocols all
    set security zones security-zone Internal
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members all
    set interfaces ge-0/0/2 unit 0 family inet
    set interfaces ge-0/0/3 unit 0 family inet
    set interfaces ge-0/0/4 unit 0 family inet
    set interfaces ge-0/0/5 unit 0 family inet
    set interfaces ge-0/0/6 unit 0 family inet
    set interfaces ge-0/0/7 unit 0 family inet
    set interfaces fxp0 unit 0 family inet address 192.168.1.1/24
    set interfaces irb unit 9 family inet address 10.207.10.3/23
    set interfaces irb unit 10 family inet address 10.207.8.3/24
    set interfaces irb unit 13 family inet address 10.207.50.3/23
    set interfaces irb unit 14 family inet address 10.207.48.3/23
    set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 virtual-address 10.207.22.1
    set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 priority 200
    set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 accept-data
    set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 track interface irb.20 priority-cost 200
    set interfaces irb unit 21 family inet address 10.207.24.3/21
    set routing-options static route 0.0.0.0/0 next-hop 10.207.22.3
    set protocols l2-learning global-mode switching
    set access address-assignment pool p1 family inet network 10.207.22.0/24
    set access address-assignment pool p1 family inet range r1 low 10.207.22.101
    set access address-assignment pool p1 family inet range r1 high 10.207.22.125
    set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 2419200
    set access address-assignment pool p1 family inet dhcp-attributes name-server 10.207.22.1
    set access address-assignment pool p1 family inet dhcp-attributes router 10.207.22.1
    set vlans Corp vlan-id 30
    set vlans Corp l3-interface irb.30
    set vlans DFR vlan-id 14
    set vlans DFR l3-interface irb.14
    set vlans Engineering vlan-id 21
    set vlans Engineering l3-interface irb.21
    set vlans GeneralDeviceManagement vlan-id 9
    set vlans GeneralDeviceManagement l3-interface irb.9
    set vlans Ion vlan-id 13
    set vlans Ion l3-interface irb.13
    set vlans Maintenance vlan-id 20
    set vlans Maintenance l3-interface irb.20
    set vlans NetworkManagement vlan-id 10
    set vlans NetworkManagement l3-interface irb.10
    set vlans Phones vlan-id 31
    set vlans Phones l3-interface irb.31
    set vlans VHF vlan-id 16
    set vlans VHF l3-interface irb.16
    set vlans Video vlan-id 32
    set vlans Video l3-interface irb.32


    SRX2

    set version 15.1X49-D45
    set system host-name SCC
    set system time-zone GMT
    set system root-authentication encrypted-password "$5$49q.90sE$fMyWz9qOLJzItFpRwrs6dIzKkNyIRdzVfpt4yXypD64"
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system name-resolution no-resolve-on-input
    set system login user admin uid 2000
    set system login user admin class super-user
    set system login user admin authentication encrypted-password "$5$AO4gzXBq$iBIwPMvx7GthLZJzKjBR5TfIEXFZXIFjYBwlgyAult8"
    set system services ssh
    set system services telnet
    set system services dhcp-local-server group g1 interface irb.20
    set system services web-management http
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server us.ntp.pool.org
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match source-address any
    set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match destination-address any
    set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match application any
    set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM then permit
    set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match source-address any
    set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match destination-address any
    set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match application any
    set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM then permit
    set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match source-address any
    set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match destination-address any
    set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match application any
    set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM then permit
    set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match source-address any
    set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match destination-address any
    set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match application any
    set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM then permit
    set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match source-address any
    set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match destination-address any
    set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match application any
    set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA then permit
    set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match source-address any
    set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match destination-address any
    set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match application any
    set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA then permit
    set security zones security-zone Internal
    set security zones security-zone NetworkManagement host-inbound-traffic system-services all
    set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services all
    set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic protocols all
    set security zones security-zone Maintenance host-inbound-traffic system-services all
    set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services all
    set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic protocols all
    set security zones security-zone IonMeters host-inbound-traffic system-services all
    set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic system-services all
    set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic protocols all
    set security zones security-zone GeneralDeviceManagement host-inbound-traffic system-services all
    set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic system-services all
    set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic protocols all
    set security zones security-zone EngineeringAccess host-inbound-traffic system-services all
    set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic system-services all
    set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic protocols all
    set security zones security-zone DFR host-inbound-traffic system-services all
    set security zones security-zone DFR interfaces irb.14 host-inbound-traffic system-services all
    set security zones security-zone DFR interfaces irb.14 host-inbound-traffic protocols all
    set security zones security-zone trust
    set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members Maintenance
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members all
    set interfaces ge-0/0/2 unit 0 family inet
    set interfaces ge-0/0/3 unit 0 family inet
    set interfaces ge-0/0/4 unit 0 family inet
    set interfaces ge-0/0/5 unit 0 family inet
    set interfaces ge-0/0/6 unit 0 family inet
    set interfaces ge-0/0/7 unit 0 family inet
    set interfaces ge-0/0/9 unit 0 family inet
    set interfaces fxp0 unit 0 family inet address 192.168.1.2/24
    set interfaces irb unit 9 family inet address 10.207.10.5/23
    set interfaces irb unit 10 family inet address 10.207.8.5/24
    set interfaces irb unit 13 family inet address 10.207.50.5/23
    set interfaces irb unit 14 family inet address 10.207.48.5/23
    set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 virtual-address 10.207.22.1
    set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 priority 100
    set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 accept-data
    set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 track interface irb.20 priority-cost 100
    set interfaces irb unit 21 family inet address 10.207.24.5/21
    set routing-options static route 0.0.0.0/0 next-hop 10.207.22.5
    set protocols l2-learning global-mode switching
    set access address-assignment pool p1 family inet network 10.207.22.0/24
    set access address-assignment pool p1 family inet range r1 low 10.207.22.126
    set access address-assignment pool p1 family inet range r1 high 10.207.22.150
    set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 2419200
    set access address-assignment pool p1 family inet dhcp-attributes name-server 10.207.22.1
    set access address-assignment pool p1 family inet dhcp-attributes router 10.207.22.1
    set vlans Corp vlan-id 30
    set vlans Corp l3-interface irb.30
    set vlans DFR vlan-id 14
    set vlans DFR l3-interface irb.14
    set vlans Engineering vlan-id 21
    set vlans Engineering l3-interface irb.21
    set vlans GeneralDeviceManagement vlan-id 9
    set vlans GeneralDeviceManagement l3-interface irb.9
    set vlans Ion vlan-id 13
    set vlans Ion l3-interface irb.13
    set vlans Maintenance vlan-id 20
    set vlans Maintenance l3-interface irb.20
    set vlans NetworkManagement vlan-id 10
    set vlans NetworkManagement l3-interface irb.10
    set vlans Phones vlan-id 31
    set vlans Phones l3-interface irb.31
    set vlans VHF vlan-id 16
    set vlans VHF l3-interface irb.16
    set vlans Video vlan-id 32
    set vlans Video l3-interface irb.32
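    When a config this size is posted for review, the first thing to check is whether the `vlans`, `interfaces irb` and `security zones` stanzas agree with each other. The script below is an added example (not Juniper code and not part of the thread) that parses `set`-format Junos configuration and reports irb units that a VLAN is bound to but that have no address, addressed irb units that sit in no zone, and a few settings a reviewer would want to see justified (`host-inbound-traffic system-services all`, trunks carrying `vlan members all`, cleartext telnet). The embedded sample is a constructed excerpt of the SRX1 config above; run over the full SRX1 listing it reports irb.16, irb.30, irb.31 and irb.32 as VLAN-bound but unaddressed and unzoned.

```python
"""Consistency audit for a Junos 'set'-format configuration.

Added example, not Juniper code. SAMPLE is a constructed excerpt modelled
on the SRX1 configuration posted in the thread.
"""

import re
from collections import defaultdict

SAMPLE = """
set system services ssh
set system services telnet
set security zones security-zone Maintenance host-inbound-traffic system-services all
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone Internal
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members all
set interfaces irb unit 10 family inet address 10.207.8.3/24
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 virtual-address 10.207.22.1
set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10
"""

RE_L3 = re.compile(r"^set vlans (\S+) l3-interface irb\.(\d+)$")
RE_ADDR = re.compile(r"^set interfaces irb unit (\d+) family inet address (\S+)")
RE_ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces irb\.(\d+)")
RE_ZONE_ALL = re.compile(
    r"^set security zones security-zone (\S+) (?:interfaces \S+ )?host-inbound-traffic system-services all$")
RE_TRUNK_ALL = re.compile(r"^set interfaces (\S+) unit 0 family ethernet-switching vlan members all$")


def audit(config_text):
    """Return a dict of finding name -> sorted offending items (or a flag)."""
    l3 = {}                    # irb unit -> VLAN name bound to it
    addr = {}                  # irb unit -> configured address
    zones = defaultdict(set)   # irb unit -> zones that list it
    wide_open, trunk_all, telnet = set(), set(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := RE_L3.match(line):
            l3[int(m.group(2))] = m.group(1)
        elif m := RE_ADDR.match(line):
            addr[int(m.group(1))] = m.group(2)
        elif m := RE_ZONE_IF.match(line):
            zones[int(m.group(2))].add(m.group(1))
        if m := RE_ZONE_ALL.match(line):      # zone-level or interface-level 'all'
            wide_open.add(m.group(1))
        if m := RE_TRUNK_ALL.match(line):
            trunk_all.add(m.group(1))
        if line == "set system services telnet":
            telnet = True
    return {
        # VLAN bound to an irb unit with no address: that L3 interface never comes up
        "irb_without_address": sorted(u for u in l3 if u not in addr),
        # addressed irb in no zone: SRX drops traffic through an unzoned interface
        "irb_without_zone": sorted(u for u in addr if not zones[u]),
        # an interface may belong to only one zone; catch it before the commit does
        "irb_in_multiple_zones": sorted(u for u, z in zones.items() if len(z) > 1),
        "zones_accepting_all_services": sorted(wide_open),
        "trunks_carrying_all_vlans": sorted(trunk_all),
        "cleartext_telnet_enabled": telnet,
    }


if __name__ == "__main__":
    for name, items in audit(SAMPLE).items():
        print(f"{name}: {items}")
```

To use it on a live box, paste the output of `show configuration | display set` in place of `SAMPLE`; everything the script reports is something to either fix or consciously accept before the unit goes into service.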