SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX 300 multiple ports on same security zone and route based VPN

    Posted 09-16-2022 11:18
    Hi
    I have a couple of sites that are very small, so they don't warrant the SRX and a switch.  From what I've read/viewed on YouTube, I should be able to do the following:
    * Modify the 2 ports to be on the same VLAN and designate them to use ethernet-switching. 
    * Configure an IRB (VLAN interface) for the above VLAN
    * and use the route-based VPN to connect the above ports to the HQ site. There is also the possibility of other subnets also needing to be routed to HQ.

    Usually our remote site is large enough to warrant the use of a switch and this is pretty easy. Unfortunately for me this is not the case and the space for the SRX is very small (NEMA cabinet), so there's not enough room for a switch.

    Where I'm running into an issue, at this point anyway, is the following:
    * st0.0 is currently on security zone A
    * the interfaces needed will be on VLAN 400 after a reboot to set the interfaces to ethernet-switching. At this point I get an error message that only unit 0 will be encapsulated.
    * the IRB would take what is currently the interface IP being used and then be added to security zone A

    Do I need to create a st0.400 interface and add it to security zone A?  Am I on the right track, and does anyone have a sample config I can use?

    Thanks
    John


  • 2.  RE: SRX 300 multiple ports on same security zone and route based VPN

    Posted 09-16-2022 15:37
    If your two ports are untagged, facing computers or other IP devices, then ethernet switching on that port using unit 0 is normal.
    Then this port and unit number are added to the vlan.

    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-400

    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust


    The irb interface with ip address is then added to the vlan.

    set interfaces irb unit 400 family inet address 192.168.2.1/24


    set vlans vlan-400 vlan-id 400

    set vlans vlan-400 l3-interface irb.400

    Only the irb interface is added to the zone.

    set security zones security-zone MyZone interfaces irb.400



    The vpn interface is NOT in this vlan but just used for the route based vpn configuration.

    https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-ipsec-vpns.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
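    For readers who, like the original poster, want a complete sample to lab against, the following set-style configuration is an added example and is not Steve's or Juniper's config. It puts the two access ports into the same VLAN, terminates Layer 3 on the IRB, binds the route-based VPN to st0.0, and keeps the tunnel interface out of the VLAN but inside a security zone so that traffic between the LAN and HQ is subject to policy. Interface names, zone names (trust, vpn, untrust), the HQ peer address 203.0.113.1, the HQ prefix 10.0.0.0/8, and the pre-shared key are all assumed placeholders to be replaced with real values.

```junos
## Added example config (not the poster's). All addresses, names and the
## PSK are placeholders.

## Access ports: untagged, unit 0 only. family ethernet-switching on SRX
## branch ports is limited to unit 0, which is the message the poster saw;
## the VLAN tag is set on the vlan, not on the port unit.
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-400
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-400

## Layer 3 moves from the physical port to the IRB for VLAN 400
set interfaces irb unit 400 family inet address 192.168.2.1/24
set vlans vlan-400 vlan-id 400
set vlans vlan-400 l3-interface irb.400

## Tunnel interface for the route-based VPN. One unit per peer is enough;
## st0.400 is not needed because st0 is never a member of the VLAN.
set interfaces st0 unit 0 family inet

## IKE (placeholder peer and PSK; IKEv2 with PFS, SHA-256, AES-256)
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE_WITH_REAL_PSK"
set security ike gateway hq-gw ike-policy ike-pol
set security ike gateway hq-gw address 203.0.113.1
set security ike gateway hq-gw external-interface ge-0/0/0.0
set security ike gateway hq-gw version v2-only

## IPsec, bound to the tunnel interface
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn hq-vpn bind-interface st0.0
set security ipsec vpn hq-vpn ike gateway hq-gw
set security ipsec vpn hq-vpn ike ipsec-policy ipsec-pol
set security ipsec vpn hq-vpn establish-tunnels immediately

## Routing: every HQ-side prefix is a static route to st0.0. Extra subnets
## that also need to reach HQ are just additional routes here.
set routing-options static route 10.0.0.0/8 next-hop st0.0

## Zones: only the IRB and the tunnel interface are zone members; the
## physical switch ports are not. Keep host-inbound services minimal.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone trust interfaces irb.400 host-inbound-traffic system-services ping
set security zones security-zone vpn interfaces st0.0

## Policies: LAN <-> HQ over the tunnel. Tighten source/destination/
## application to the actual subnets and services once the tunnel is up.
set security policies from-zone trust to-zone vpn policy lan-to-hq match source-address any
set security policies from-zone trust to-zone vpn policy lan-to-hq match destination-address any
set security policies from-zone trust to-zone vpn policy lan-to-hq match application any
set security policies from-zone trust to-zone vpn policy lan-to-hq then permit
set security policies from-zone vpn to-zone trust policy hq-to-lan match source-address any
set security policies from-zone vpn to-zone trust policy hq-to-lan match destination-address any
set security policies from-zone vpn to-zone trust policy hq-to-lan match application any
set security policies from-zone vpn to-zone trust policy hq-to-lan then permit
```

    If st0.0 is left in the same zone as irb.400, as in the original post, the SRX still evaluates a policy for that traffic, so a same-zone policy (from-zone A to-zone A) must exist or tunnel traffic will be dropped. After a commit, `show ethernet-switching interface`, `show security ike security-associations`, `show security ipsec security-associations` and `show security flow session` are the places to confirm, in that order, that the ports joined the VLAN, both IKE phases completed, and LAN traffic is actually leaving through st0.0.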



  • 3.  RE: SRX 300 multiple ports on same security zone and route based VPN

    Posted 09-16-2022 17:28
    Ok, thanks. I'm going to lab it out on an SRX I have at home, then take it to the site on Monday.