Routing


routing between vlans (Reth1 and vlan-tagging)

  • 1.  routing between vlans (Reth1 and vlan-tagging)

    Posted 01-24-2020 01:12

    Hello,

    I would like to know if I need to use routing protocols (static/dynamic) to route between VLANs, or whether it is enough to use security policy to forward traffic between the VLANs without routing protocols.

    Config

    SRX:

    Interfaces

    reth1 {
        description towards-ex3400;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 20 {
            description "application";
            vlan-id 20;
            family inet {
                address 172.22.168.1/24;
            }
        }
        unit 30 {
            description "Test";
            vlan-id 30;
            family inet {
                address 172.22.165.1/24;
            }
        }
    }

    ================================

    policies

    from-zone application to-zone test {
        policy Application-traffic-to-Test {
            match {
                source-address NET-APPLICATION;
                destination-address NET-TEST;
                application any;
            }
            then {
                permit;
            }
        }
    }

    from-zone test to-zone application {
        policy Test-traffic-to-Application {
            match {
                source-address NET-TEST;
                destination-address NET-APPLICATION;
                application any;
            }
            then {
                permit;
            }
        }
    }

    ==============================

    zones

    security-zone application {
        interfaces {
            reth1.20 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }
    security-zone test {
        interfaces {
            reth1.30 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }

    ==================

    Route

    admin@fw01> show route
    172.22.165.0/24    *[Direct/0] 15w3d 05:34:43
                        > via reth1.30
    172.22.165.1/32    *[Local/0] 15w3d 05:34:43
                          Local via reth1.30
    172.22.168.0/24    *[Direct/0] 15w3d 05:34:43
                        > via reth1.20
    172.22.168.1/32    *[Local/0] 15w3d 05:34:43
                          Local via reth1.20

    ==============================================

    EX3400

    vlans {
        v20 {
            description APPLICATION;
            vlan-id 20;
        }
        v30 {
            description TEST;
            vlan-id 30;
        }
    }

    ============================

    interfaces {
        ge-0/0/0 {
            description "fw01";
            gigether-options {
                802.3ad ae1;
            }
        }
        ge-1/0/0 {
            description "fw02";
            gigether-options {
                802.3ad ae2;
            }
        }
        ge-0/0/5 {
            description application;
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members 20;
                    }
                }
            }
        }
        ge-1/0/5 {
            description test;
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members 30;
                    }
                }
            }
        }
        ae1 {
            description fw01;
            aggregated-ether-options {
                lacp {
                    active;
                    periodic slow;
                }
            }
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ 20 30 ];
                    }
                }
            }
        }
        ae2 {
            description fw02;
            aggregated-ether-options {
                lacp {
                    active;
                }
            }
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ 20 30 ];
                    }
                }
            }
        }
    }

    ==========================================

    routing

    Default route 0/0 towards the firewall.

    Thanks guys.



  • 2.  RE: routing between vlans (Reth1 and vlan-tagging)
    Best Answer

    Posted 01-24-2020 01:19

    There is no need to use routing protocols, as your SRX will by default route towards connected subnets, and both reth1.20 and reth1.30 are directly connected to your device.

    Your security policies and zones also look right.
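
    The decision the answer describes can be checked offline. The following Python is an added example, not code from the original post or from the answer: it replays the two lookups an SRX performs on the first packet of a new session arriving on a reth1 sub-interface, a route lookup in inet.0 (where the two Direct routes from the quoted show route output are all that is needed) followed by a zone-pair policy lookup using the security-zone and policy stanzas above. The address-book objects NET-APPLICATION and NET-TEST are not shown in the post, so they are assumed here to be the two /24s; all sample packets are constructed.

```python
"""Offline model of the SRX first-packet decision for the thread's setup.

Added example, not code from the original post or the answer.  It replays
the two lookups an SRX performs when a new flow arrives on a reth1
sub-interface: (1) a route lookup and (2) a zone-pair policy lookup,
using the 'show route' output and the security-zone / policy stanzas
quoted in the thread.  NET-APPLICATION and NET-TEST are not shown in the
post and are ASSUMED to be the two connected /24s.  Sample packets are
constructed, not captured.
"""
import ipaddress

# Routes copied from 'show route' in the post.  Both are Direct routes that
# exist only because reth1.20 / reth1.30 carry an address in each subnet;
# no static or dynamic route is involved.
ROUTES = [
    ("172.22.165.0/24", "reth1.30"),
    ("172.22.168.0/24", "reth1.20"),
]

# Interface -> zone mapping from the security-zone stanzas.
IFACE_ZONE = {"reth1.20": "application", "reth1.30": "test"}

# ASSUMPTION: the address-book objects resolve to the connected subnets.
ADDRESS_BOOK = {
    "NET-APPLICATION": ipaddress.ip_network("172.22.168.0/24"),
    "NET-TEST": ipaddress.ip_network("172.22.165.0/24"),
}

# Policy set from the post, in configured order (SRX takes the first match).
# (from-zone, to-zone, source-address, destination-address, action)
POLICIES = [
    ("application", "test", "NET-APPLICATION", "NET-TEST", "permit"),
    ("test", "application", "NET-TEST", "NET-APPLICATION", "permit"),
]


def route_lookup(dst_ip):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def policy_lookup(from_zone, to_zone, src_ip, dst_ip):
    """First matching policy for the zone pair wins.  No match falls through
    to the SRX default policy, which is deny-all unless it has been changed."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pf, pt, psrc, pdst, action in POLICIES:
        if (pf, pt) != (from_zone, to_zone):
            continue
        if src in ADDRESS_BOOK[psrc] and dst in ADDRESS_BOOK[pdst]:
            return action
    return "deny"


def first_packet(src_ip, dst_ip, in_iface):
    """Decision for the first packet of a new session arriving on in_iface.
    Reply packets of an established session match the session table and do
    not re-run this logic, so a policy is only needed for the direction that
    initiates the flow."""
    out_iface = route_lookup(dst_ip)
    if out_iface is None:
        return {"result": "drop", "reason": "no route"}
    from_zone, to_zone = IFACE_ZONE[in_iface], IFACE_ZONE[out_iface]
    action = policy_lookup(from_zone, to_zone, src_ip, dst_ip)
    return {"result": action, "from_zone": from_zone, "to_zone": to_zone,
            "out_iface": out_iface}


if __name__ == "__main__":
    # Constructed sample flows.
    for src, dst, iface in [
        ("172.22.168.10", "172.22.165.10", "reth1.20"),  # application -> test
        ("172.22.165.10", "172.22.168.10", "reth1.30"),  # test -> application
        ("10.9.9.9", "172.22.165.10", "reth1.20"),       # source outside NET-APPLICATION
        ("172.22.168.10", "10.0.0.5", "reth1.20"),       # no route in the quoted table
    ]:
        print(src, "->", dst, "on", iface, "=>", first_packet(src, dst, iface))
```

    On the box the same two checks are `show route 172.22.165.10` and `show security match-policies from-zone application to-zone test source-ip 172.22.168.10 destination-ip 172.22.165.10 source-port 1024 destination-port 80 protocol tcp`, and `show security flow session` confirms a session was created once traffic flows. Two things worth tightening once it works: `application any` in both policies and `system-services all` on both zone interfaces are broader than the stated goal of routing between the two VLANs needs.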



  • 3.  RE: routing between vlans (Reth1 and vlan-tagging)

    Posted 01-24-2020 02:19

    Hello Jonas,

    Thanks for the info, and I have it working right now.