I have a question:
VLAN 1: 10/20
VLAN 2: 30
I have these 2 vlans: 1 and 2
Vlan 1 has two IDs: 10 and 20
I need VLAN1 devices to communicate inter-fw with VLAN2.
For this I wanted to use IRB interfaces:
set vlans VLAN1 vlan-id-list 10
set vlans VLAN1 vlan-id-list 20
set vlans VLAN1 l3-interface irb.1
The problem is that irb does not support vlan-id-list: l3-interface can be configured only under vlans with 'vlan-id' / 'vlan-tags'
I cannot use irb then..
So in this case how could communication between vlans be achieved when a vlan has more than one ID?
Thank you very much!
Regards
If this is your requirement, why don't you create a Layer-3 interface with multiple sub-units and include a vlan-id in each? Are you facing any problems with this method?
set interfaces ge-0/0/1 unit 0 family inet address 192.168.100.1/24
set interfaces ge-0/0/1 unit 0 vlan-id 10
set interfaces ge-0/0/1 unit 1 family inet address 192.168.200.1/24
set interfaces ge-0/0/1 unit 1 vlan-id 20
set interfaces ge-0/0/1 vlan-tagging
Hi Noobmaster! Thank you so much!
I can indeed do what you mention, but then will there be inter-VLAN traffic?
I understand that for there to be traffic between VLANs within the FW, an IRB has to exist?
Isn't that right?
* To forward packets between VLANs, you normally need a router that connects the VLANs. However, you can accomplish this forwarding on a switch without using a router by configuring an integrated routing and bridging (IRB) interface.
NOTE: If you configure a Layer 3 interface to support IRB in a VLAN, you cannot use the all option for the vlan-id statement. https://www.juniper.net/documentation/en_US/junos/topics/topic-map/irb-and-bridging.html#id-configuring-integrated-routing-and-bridging-interfaces-on-switches-cli-procedure
Thank you very much!
Regards!!
AFAIK, there are 2 ways to allow VLAN traffic in SRX.
Here I have suggested you step-2. Let's assume your VLAN10 and VLAN20 resides in TRUST zone while the VLAN30 resides in DMZ zone.
VLAN10 -> VLAN20 - Configure a security policy from-zone TRUST to-zone TRUST; this way communication happens between VLAN10 and VLAN20.
VLAN10 or VLAN20 -> VLAN30 - Configure a security policy from-zone TRUST to-zone DMZ; this way communication happens from VLAN10/20 towards VLAN30.
Please try this method and let me know if you face any issues. Also, I will leave it to other community members to share their ideas.
Plus I only have 1 IP for the network:
NETWORK  VLAN-ID
VLAN_1   10/20
VLAN_2   30
That's why I thought i could benefit from vlan-id-list...
It is a complicated challenge ..
If that's the case then I need to check further considering your design.
Thank you very much noobmaster,
Indeed, the problem is how to implement it in such a way that they share the same ip :-(.
Thank you very much once more
Actually, I have never done this kind of setup, so it's quite challenging for me 😄
Are you connecting a single interface between the SRX and Switch acting as a Trunk?
Yes, the idea is to have a single interface link connected between them.
port 1 FW -> connected to port 1 SW -> carrying NETWORK10 (vlan-id 10 & vlan-id 20, ip: 192.168.10.1/24)
port 2 FW -> connected to port 2 SW -> carrying NETWORK30 (vlan-id 30, ip: 192.168.200.1/24)
I made some research regarding your requirement and unfortunately, you can't have 2 VLANs sharing the same network if you want to achieve Inter-VLAN routing. Also, I checked multiple articles/resources regarding accepting double frames on a single interface in SRX and thought of using flexible-vlan-tagging using vlan-id-range but someone mentioned that it is not working for him.
Since you would like to achieve a single connectivity between SRX and Switch, I would recommend to use separate networks for VLAN 10 and VLAN 20.
VLAN 10 - ge-0/0/0.0: 192.168.10.1/24
VLAN 20 - ge-0/0/0.1: 192.168.20.1/24
We can also create irb.10 and irb.20, which is what you wanted to do initially.
This way we can have better control over the network in terms of scalability. Please let me know if you are facing any challenges with this setup so that we can work on it.
Good afternoon noobmaster,
Thank you very much for your help again and for the research work you have done.
I'm going to go over everything again and try to do it through the irb interfaces (I've tried so many things that I'm a bit confused right now :-))
I will write to you again to tell you how it went or if I still have problems.
Thank you very much
Regards
I understand Chaimae 😄 Take your time.
Below is the configuration which you might need for your SRX.
Assuming the above VLANs in your network, I have mentioned the below configuration.
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ 10 20 ]
set interfaces irb unit 10 family inet address 192.168.10.1/24
set vlans vlan10 vlan-id 10
set vlans vlan10 l3-interface irb.10
set interfaces irb unit 20 family inet address 192.168.20.1/24
set vlans vlan20 vlan-id 20
set vlans vlan20 l3-interface irb.20
set security zones security-zone VLAN10 interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone VLAN10 interfaces irb.10 host-inbound-traffic protocols all
set security zones security-zone VLAN20 interfaces irb.20 host-inbound-traffic system-services all
set security zones security-zone VLAN20 interfaces irb.20 host-inbound-traffic protocols all
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match source-address any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match destination-address any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match application any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 then permit
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 match source-address any
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 match destination-address any
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 match application any
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 then permit
Please feel free to reach out to me if you have any issues.
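The configuration above, together with the two constraints established earlier in the thread (an l3-interface can only sit under a VLAN configured with vlan-id or vlan-tags, never vlan-id-list, and two VLANs cannot share one subnet if you want the SRX to route between them), can be checked mechanically before a commit. The lint below is an added example, not code from the thread or from Juniper; it parses set-style Junos lines and reports the IRB binding and subnet problems the thread ran into, and additionally flags the "host-inbound-traffic system-services all" and any/any/any permit statements from the posted config as settings worth tightening, which is a general hardening point and not something the thread itself discusses. The sample configuration embedded in it is constructed for the example: it reuses the posted vlan10/vlan20 config but deliberately puts irb.20 in the same /24 as irb.10 and adds a vlan30 stanza that uses vlan-id-list with an l3-interface and no matching irb unit.

```python
"""Lint a Junos set-style SRX configuration for the inter-VLAN/IRB pitfalls
discussed in the thread.  Added example; not Juniper tooling."""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the thread's configuration; not a real device dump.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ 10 20 30 ]
set interfaces irb unit 10 family inet address 192.168.10.1/24
set interfaces irb unit 20 family inet address 192.168.10.129/24
set vlans vlan10 vlan-id 10
set vlans vlan10 l3-interface irb.10
set vlans vlan20 vlan-id 20
set vlans vlan20 l3-interface irb.20
set vlans vlan30 vlan-id-list 30
set vlans vlan30 l3-interface irb.30
set security zones security-zone VLAN10 interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone VLAN20 interfaces irb.20 host-inbound-traffic system-services ping
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match source-address any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match destination-address any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match application any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 then permit
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 match source-address any
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 match destination-address any
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 match application junos-ssh
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 then permit
"""


def parse_set_config(text):
    """Return each 'set ...' line as a token list (without the leading 'set')."""
    stmts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = line.split()
        if toks[0] != "set":
            raise ValueError(f"not a set-style statement: {line!r}")
        stmts.append(toks[1:])
    return stmts


def check_irb_bindings(stmts):
    """'l3-interface irb.N' needs vlan-id/vlan-tags on the VLAN and an 'interfaces irb unit N'."""
    findings, vlan_kind, l3, irb_units = [], {}, {}, set()
    for t in stmts:
        if t[:1] == ["vlans"] and len(t) >= 4:
            if t[2] in ("vlan-id", "vlan-id-list", "vlan-tags"):
                vlan_kind[t[1]] = t[2]
            elif t[2] == "l3-interface":
                l3[t[1]] = t[3]
        elif t[:3] == ["interfaces", "irb", "unit"]:
            irb_units.add(f"irb.{t[3]}")
    for name, ifname in l3.items():
        kind = vlan_kind.get(name, "none")
        if kind not in ("vlan-id", "vlan-tags"):
            findings.append(f"vlan {name}: l3-interface {ifname} requires 'vlan-id' or 'vlan-tags', found '{kind}'")
        if ifname not in irb_units:
            findings.append(f"vlan {name}: {ifname} has no 'interfaces irb unit' definition")
    return findings


def check_shared_subnets(stmts):
    """Routing between IRBs needs distinct subnets; flag IRB units whose prefixes overlap."""
    findings, nets = [], []
    for t in stmts:
        if t[:2] == ["interfaces", "irb"] and "address" in t:
            nets.append((f"irb.{t[3]}", ipaddress.ip_interface(t[t.index("address") + 1]).network))
    for i, (u1, n1) in enumerate(nets):
        for u2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                findings.append(f"{u1} ({n1}) and {u2} ({n2}) share a subnet; routing between them cannot work")
    return findings


def check_host_inbound(stmts):
    """'system-services all' exposes every management service of the SRX on that interface."""
    return [f"zone {t[3]} interface {t[5]}: system-services all; restrict to the services actually needed"
            for t in stmts
            if t[:3] == ["security", "zones", "security-zone"]
            and t[-3:] == ["host-inbound-traffic", "system-services", "all"]]


def check_any_any_policies(stmts):
    """Flag permit policies that match any source, any destination and any application."""
    findings, policies = [], defaultdict(dict)
    for t in stmts:
        if t[:2] != ["security", "policies"] or len(t) < 10:
            continue
        key = (t[3], t[5], t[7])  # from-zone, to-zone, policy name
        if t[8] == "match" and len(t) >= 11:
            policies[key][t[9]] = t[10]
        elif t[8] == "then":
            policies[key]["action"] = t[9]
    for (fz, tz, name), p in policies.items():
        if p.get("action") == "permit" and all(
                p.get(k) == "any" for k in ("source-address", "destination-address", "application")):
            findings.append(f"policy {name} ({fz} -> {tz}): any/any/any permit; scope it to the required hosts and applications")
    return findings


def lint(text):
    """Run every check and return the findings in check order."""
    stmts = parse_set_config(text)
    findings = []
    for check in (check_irb_bindings, check_shared_subnets, check_host_inbound, check_any_any_policies):
        findings.extend(check(stmts))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run it against the output of "show configuration | display set" saved to a file; an empty findings list means the IRB bindings are acceptable to the parser and no interface shares a subnet, but it says nothing about whether the policies are correct for your traffic, only that none of them is wide open.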
Thank you very much for your help.
I couldn't get it to work that way but we have finally changed the requirements to separate in the vlan-id by assigning them different IPs and so it worked with your example setup.
Thank you very much again for your help.
I have another question related to these interfaces:
untrust interface: trunk SRX
trust interfaces: irb
I need the external traffic to pass to the internal VLANs of the irb interfaces transparently at L2 (as if the SRX did not exist), but the traffic from the trust side to untrust should exit through L3.
Would it be possible to do this by configuring FBR based on source?
Would communication between the irb interfaces affect the creation of the routing instance?
What do you think?
Glad it all worked out!!!
For your query regarding transparent mode, please open a new thread so that we can discuss it over there. Because this thread might help other community members in case if they face a similar issue like yours and discussing a new query will be quite confusing for others.
Have a Nice Day 😀
Sure! Thanks! Best regards!