Routing


SRX Inter-VLAN Routing

  • 1.  SRX Inter-VLAN Routing

    Posted 05-01-2018 05:31

    Hello All,

     

    I am new to Juniper, but have worked with a host of other switches/routers. I am trying to achieve basic inter-VLAN routing but seem to be missing crucial steps to achieve this.

    Scenario:

    Desktop environment <-- --> Server1, Server2, Server3, Server4 environments. [I need to be able to route from a Desktop VLAN to the 4 server VLANs, but not allow the 4 vlans to communicate with themselves but only with the desktop vlan]

     

    What I have tried:

    - Create 5 VLANs for the desktop and 4 server environments [Set vlans vlan-xx vlan-id xx l3-interface vlan.xx]

    - Create RVI's for the desktop vlan and the 4 server vlans [set interfaces vlan unit xx family inet address x.x.x.x/x]

    - Create Router Instances for each of the VLANs [Set routing-instances xx instance-type virtual-router]

    - Add the RVI to the routing-instances [Set routing-instances xx interface vlan.xx] Each VLAN assigned to their own RI.

    - Assign physical interfaces to the VLANs [Set interfaces ge-0/0/x unit 0 family ethernet switching port-mode access|trunk members vlanxx] Access port for Desktop and Trunk for the connection to the server environment top of rack switch.

    - Set Static Routes within each of RI to the desktop vlan gateway IP and from desktop vlan to all the other vlan IP's.

     

    I cannot ping the RVI IP addresses from CLI and unable to ping Desktop VLAN gateway while connected to the physical port (Access Port).

     

    Please any pointers on the right way to achieve my goal would be very much appreciated.

     

    Thanks,

    Ragna



  • 2.  RE: SRX Inter-VLAN Routing

     
    Posted 05-02-2018 03:21

    I don't think you want routing instances.  These are used to separate routing tables.  So when you put each subnet into their own routing instance you made it so they cannot reach each other.

     

    Also note that the SRX is a firewall.  So you will need to assign these interfaces to zone(s) and write security policy to permit traffic between them as well.

     



  • 3.  RE: SRX Inter-VLAN Routing

    Posted 05-03-2018 01:10

    Hello Mr Puluka,

     

    Thanks for the response, very much appreciated (like ice cold water to a dehydrated man in the desert!). I came to the same realization that I didn't need Routing Instances, as I had 5 subnets with their own VLANs and I wanted VLAN 1 <--communicate with--> VLAN2,VLAN3,VLAN4,VLAN5 but not have VLAN2,3,4,5 communicate with themselves. Going down the RI approach meant I would need an interface for VLAN 1 in each of the RIs set up for each of the other VLANs; I could not get the same interface in multiple RIs and could not have multiple interfaces in VLAN 1 using the same IP address, hence.

     

    I have now used just Routed VLAN Interfaces for each VLAN, set up Zones for each VLAN, with specific Security policies with corresponding host-inbound-traffic rules. This works perfectly, just as you have suggested, so I will be awarding you this post! I do have one small question though....please.

     

    I have set up this architecture, as referenced below, but cannot seem to ping from the Laptop to the Brocade switch VLAN interfaces or the servers connected to the Brocade. From the Juniper I can ping the Brocade switch VLAN interfaces, and can also ping the Laptop. My config is enclosed below; not sure what I am missing to be able to achieve this.

     

    version 12.1X45.5;
    system {
        root-authentication {
            encrypted-password "encrypted-password"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
            8.8.8.8;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0;
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members LAPTOPS;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-trust AREA0 ];
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-trust AREA1 ];
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-trust AREA2 ];
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-trust AREA3 ];
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 32 {
                family inet {
                    address 192.168.32.1/24;
                }
            }
            unit 33 {
                family inet {
                    address 192.168.33.1/24;
                }
            }
            unit 34 {
                family inet {
                    address 192.168.34.1/24;
                }
            }
            unit 35 {
                family inet {
                    address 192.168.35.1/24;
                }
            }
            unit 36 {
                family inet {
                    address 192.168.36.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 192.168.33.0/24 next-hop 192.168.33.2;
            route 192.168.208.0/24 next-hop 192.168.33.2;
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Area to-zone Area {
                policy Area-to-Area {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
            security-zone Area {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    vlan.32;
                    vlan.33;
                    vlan.34;
                    vlan.35;
                    vlan.36;
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                    ge-0/0/2.0;
                    ge-0/0/3.0;
                    ge-0/0/4.0;
                    ge-0/0/5.0;
                }
            }
        }
    }
    vlans {
        AREA0 {
            vlan-id 33;
            l3-interface vlan.33;
        }
        AREA1 {
            vlan-id 34;
            l3-interface vlan.34;
        }
        AREA2 {
            vlan-id 35;
            l3-interface vlan.35;
        }
        AREA3 {
            vlan-id 36;
            l3-interface vlan.36;
        }
        LAPTOPS {
            vlan-id 32;
            l3-interface vlan.32;
        }
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    Laptop <-- access port --> Juniper SRX 240 <-- trunk port --> Cisco Layer 2 <-- trunk port --> Brocade Switch <-- access port --> Servers



  • 4.  RE: SRX Inter-VLAN Routing

     
    Posted 05-03-2018 02:53

    From the configuration I assume the laptop is connected to zone trust.  There is a policy that allows the zone area devices to communicate with each other but there is no policy between zones trust and area.

     

    You will need to add under security policy the allow rule in the direction that you want traffic to be initiated.

    So if the trust zone can reach the area zone the policy is from-zone trust to-zone area.

    If area devices are allowed to initiate connections then the opposite is also needed.

     

    If you want to restrict in either direction you would create address objects for the subnets or hosts allowed and use those in the rule instead of the "any" object.

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/policy-selective-traffic-allowing.html
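One way to get the segmentation described in the first post (laptops reach each server VLAN, server VLANs cannot reach each other or initiate to the laptops), as an added example that is not part of the thread or the poster's config: the config posted above places vlan.32 through vlan.36 in one zone "Area" with an intra-zone permit-any, so the server VLANs can already reach each other. The set commands below reuse the page's interface and subnet numbers; the address-book names and the choice to put only the RVIs into zones are assumptions.

```junos
# Remove the single shared zone and its intra-zone permit-any first.
delete security policies from-zone Area to-zone Area
delete security zones security-zone Area

# One zone per VLAN, holding only that VLAN's RVI.
set security zones security-zone LAPTOPS interfaces vlan.32
set security zones security-zone AREA0 interfaces vlan.33
set security zones security-zone AREA1 interfaces vlan.34
set security zones security-zone AREA2 interfaces vlan.35
set security zones security-zone AREA3 interfaces vlan.36

# Hosts only need to ping their gateway. "system-services all" would also expose
# ssh, telnet, http and xnm-clear-text (all enabled under [system services]) to every VLAN.
set security zones security-zone LAPTOPS host-inbound-traffic system-services ping
set security zones security-zone AREA0 host-inbound-traffic system-services ping
set security zones security-zone AREA1 host-inbound-traffic system-services ping
set security zones security-zone AREA2 host-inbound-traffic system-services ping
set security zones security-zone AREA3 host-inbound-traffic system-services ping

# Address objects (names assumed) so rules match the subnets rather than "any".
# 192.168.208.0/24 is the subnet the posted static route reaches via the Brocade at 192.168.33.2.
set security address-book global address LAPTOPS-NET 192.168.32.0/24
set security address-book global address AREA0-NET 192.168.33.0/24
set security address-book global address AREA0-BEHIND-BROCADE 192.168.208.0/24
set security address-book global address AREA1-NET 192.168.34.0/24

# Laptops initiate towards AREA0; replies ride the existing session, so no
# AREA0-to-LAPTOPS policy is needed. Repeat per server zone (AREA1 shown).
set security policies from-zone LAPTOPS to-zone AREA0 policy laptops-to-area0 match source-address LAPTOPS-NET
set security policies from-zone LAPTOPS to-zone AREA0 policy laptops-to-area0 match destination-address [ AREA0-NET AREA0-BEHIND-BROCADE ]
set security policies from-zone LAPTOPS to-zone AREA0 policy laptops-to-area0 match application any
set security policies from-zone LAPTOPS to-zone AREA0 policy laptops-to-area0 then permit
set security policies from-zone LAPTOPS to-zone AREA0 policy laptops-to-area0 then log session-close
set security policies from-zone LAPTOPS to-zone AREA1 policy laptops-to-area1 match source-address LAPTOPS-NET
set security policies from-zone LAPTOPS to-zone AREA1 policy laptops-to-area1 match destination-address AREA1-NET
set security policies from-zone LAPTOPS to-zone AREA1 policy laptops-to-area1 match application any
set security policies from-zone LAPTOPS to-zone AREA1 policy laptops-to-area1 then permit
set security policies from-zone LAPTOPS to-zone AREA1 policy laptops-to-area1 then log session-close

# No AREAx-to-AREAy policy exists, so the default policy drops server-to-server traffic.
set security policies default-policy deny-all
```

After `commit check` and `commit`, `show security policies from-zone LAPTOPS to-zone AREA0` confirms the rule is installed, and `show security flow session` shows laptop sessions but no AREA0-to-AREA1 sessions.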

     



  • 5.  RE: SRX Inter-VLAN Routing

    Posted 05-03-2018 05:15

    The laptop is actually in the same Zone as the others "Area", and is connected to an access port configured on ge-0/0/1 unit 0, where ge-0/0/1 has been configured as a member of VLAN LAPTOPS vlan-id 32, with vlan.32 being a member of Zone "Area" as well.

     

     

    ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members LAPTOPS;
                    }
                }
            }
        }

    All the interfaces for the VLANs are in the same security Zone "Area"

            security-zone Area {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    vlan.32;
                    vlan.33;
                    vlan.34;
                    vlan.35;
                    vlan.36;
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                    ge-0/0/2.0;
                    ge-0/0/3.0;
                    ge-0/0/4.0;
                    ge-0/0/5.0;
                }
            }

     

    I have read somewhere I might need to configure a NAT rule for traffic coming from the laptop intended for the servers, but cannot confirm this.



  • 6.  RE: SRX Inter-VLAN Routing
    Best Answer

     
    Posted 05-04-2018 02:39

    You do not need NAT to communicate between subnets attached to the SRX.

     

    Can you confirm that the servers and Brocade switch have a gateway or default route configured to the IP address assigned in their subnet on the SRX.  Without this you could not communicate beyond the SRX itself.

     



  • 7.  RE: SRX Inter-VLAN Routing

    Posted 05-04-2018 05:04

    Thanks! That was the problem, the Brocade side did not have a route back, added this and the problem went away!!

     

    Thanking you immensely Mr Puluka, awesome help.



  • 8.  RE: SRX Inter-VLAN Routing

     
    Posted 05-04-2018 14:05

    Welcome to Junos, glad you have it up and running.