Hello Mr Puluka,
Thanks for the response, very much appreciated (like ice cold water to a dehydrated man in the desert!). I came to the same realization that I didn't need Routing Instances, as I had 5 subnets with their own VLANs and I wanted VLAN 1 <--communicate with--> VLAN2,VLAN3,VLAN4,VLAN5 but not have VLAN2,3,4,5 communicate with each other. Going down the RI approach meant I would need an interface for VLAN 1 in each of the RIs set up for the other VLANs; I could not put the same interface in multiple RIs, and could not have multiple interfaces in VLAN 1 using the same IP address.
I have now used just Routing Virtual Interfaces for each VLAN, set up Zones for each VLAN, with specific Security policies with corresponding host-inbound-traffic rules. This works perfectly, just as you suggested, so I will be awarding you this post! I do have one small question though, please.
I have set up this architecture, as referenced below, but cannot seem to ping from the Laptop to the Brocade switch VLAN interfaces or the servers connected to the Brocade. From the Juniper I can ping the Brocade switch VLAN interfaces, and can also ping the Laptop. My config is enclosed below; not sure what I am missing to be able to achieve this.
/* Junos 12.1X45 SRX configuration as posted. The annotations are review notes; the statements themselves are unchanged. */
version 12.1X45.5;
system {
root-authentication {
/* Hash redacted in the post. */
encrypted-password "encrypted-password"; ## SECRET-DATA
}
/* The same resolver is listed twice; a second, distinct server would give real DNS redundancy. */
name-server {
8.8.8.8;
8.8.8.8;
}
services {
ssh;
/* telnet and xnm-clear-text carry credentials and session data in cleartext; with ssh and https already enabled they can be removed unless something still depends on them. Which zones can reach them is governed by host-inbound-traffic under security zones below. */
telnet;
xnm-clear-text;
/* Web management is bound to vlan.0 (the trust RVI) only, for both http and https. */
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
/* DHCP server for the vlan.0 subnet (192.168.1.1/24 under interfaces below). propagate-settings copies DNS/domain options learned on ge-0/0/0.0, but ge-0/0/0 appears below with a bare "unit 0" — confirm it actually runs a DHCP client, otherwise nothing is propagated (the paste may have been trimmed). */
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings ge-0/0/0.0;
}
}
/* Local logging only: login/authorization events go to "messages" at info level, which is what you want for auditing who changed what. */
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
/* Untrust-facing port (placed in zone untrust below). No address family is shown on unit 0, so the interface-based source NAT and the dhcp propagate-settings above have nothing to work with unless "family inet { dhcp; }" was dropped from the paste — confirm. */
ge-0/0/0 {
unit 0;
}
/* Laptop access port: untagged member of LAPTOPS (vlan-id 32, L3 on vlan.32). */
ge-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members LAPTOPS;
}
}
}
}
/* ge-0/0/2 .. ge-0/0/5: one trunk per area, each carrying vlan-trust plus a single AREA VLAN. Per the topology line at the end of the post these presumably face the Cisco layer-2 switch; the remote trunk must allow the same tags. */
ge-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ vlan-trust AREA0 ];
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ vlan-trust AREA1 ];
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ vlan-trust AREA2 ];
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ vlan-trust AREA3 ];
}
}
}
}
/* ge-0/0/6 .. ge-0/0/15: no port-mode given, so these default to access ports in vlan-trust (vlan-id 3, L3 on vlan.0, zone trust). */
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/8 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/9 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/10 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/11 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/12 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/13 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/14 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/15 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
/* Routed VLAN interfaces: vlan.0 is the trust gateway (and DHCP router address); vlan.32-36 are the gateways for LAPTOPS and AREA0-3 and are all assigned to zone Area below. */
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
unit 32 {
family inet {
address 192.168.32.1/24;
}
}
unit 33 {
family inet {
address 192.168.33.1/24;
}
}
unit 34 {
family inet {
address 192.168.34.1/24;
}
}
unit 35 {
family inet {
address 192.168.35.1/24;
}
}
unit 36 {
family inet {
address 192.168.36.1/24;
}
}
}
}
routing-options {
static {
/* 192.168.33.0/24 is already directly connected via vlan.33 (192.168.33.1/24), and Junos prefers direct routes over static ones, so this first entry is expected to be shadowed — "show route 192.168.33.0/24" will confirm. 192.168.33.2 is presumably the Brocade's VLAN 33 address and 192.168.208.0/24 a subnet behind it. For the ping problem in the post, one thing to check is the reverse path: the Brocade and the servers need a route back to 192.168.32.0/24 (via 192.168.33.1), whereas pings sourced by the SRX itself leave from the connected subnet and need no such route. */
route 192.168.33.0/24 next-hop 192.168.33.2;
route 192.168.208.0/24 next-hop 192.168.33.2;
}
}
/* Spanning tree enabled with defaults across the switching ports; the trunks to the external switches are where a loop would otherwise form. */
protocols {
stp;
}
security {
/* Factory-default screen profile; it is only attached to zone untrust (see "screen untrust-screen" below), so nothing here applies to the internal VLANs. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
/* Interface source NAT exists only for trust -> untrust. Zone Area has no NAT rule and (below) no policy to untrust, so the LAPTOPS/AREA VLANs are not given Internet access by this config. */
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Intra-zone any/any permit. Because vlan.32 through vlan.36 are all in zone Area, this lets every one of those VLANs reach every other — broader than the "VLAN 1 to each area, but not area to area" goal described in the post. Putting LAPTOPS and each AREA VLAN in its own zone with explicit from/to policies would enforce that separation. Also note there is no policy between trust (vlan.0) and Area in either direction, so those flows are dropped by the default deny unless a default-policy permit-all is set somewhere not shown. */
from-zone Area to-zone Area {
policy Area-to-Area {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
/* Trust zone: vlan.0 only, with every system service and protocol accepted on the SRX itself. Narrowing this to the services actually used (ssh, https, dhcp, ping) is the least-privilege option. */
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
/* Untrust zone: factory-default inbound list. dhcp is needed if ge-0/0/0.0 obtains its address by DHCP; tftp inbound from the untrust side is rarely needed and can be dropped. */
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
/* Area zone: all five RVIs plus the L2 switching ports. The zone-level "all" admits every system service on vlan.32-36 (including telnet/xnm-clear-text enabled above); the interface-level list on ge-0/0/1.0 overrides the zone list for that port and allows only ping there — confirm that is the intent. The L3 termination for these VLANs is the vlan.N interfaces, so the zone membership of the ge-0/0/1.0-ge-0/0/5.0 switching ports presumably has no effect on routed traffic. */
security-zone Area {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
vlan.32;
vlan.33;
vlan.34;
vlan.35;
vlan.36;
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
ge-0/0/2.0;
ge-0/0/3.0;
ge-0/0/4.0;
ge-0/0/5.0;
}
}
}
}
/* VLAN name -> 802.1Q tag -> routed interface. Note the tags do not match the names (AREA0 is tag 33, not 0) and the "VLAN 1" of the post is vlan-trust with tag 3; the trunks to the Cisco/Brocade side must use these same tag numbers. */
vlans {
AREA0 {
vlan-id 33;
l3-interface vlan.33;
}
AREA1 {
vlan-id 34;
l3-interface vlan.34;
}
AREA2 {
vlan-id 35;
l3-interface vlan.35;
}
AREA3 {
vlan-id 36;
l3-interface vlan.36;
}
LAPTOPS {
vlan-id 32;
l3-interface vlan.32;
}
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
Laptop <-- access port --> Juniper SRX 240 <-- trunk port --> Cisco Layer 2 <-- trunk port --> Brocade Switch <-- access port --> Servers