SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  assign 1 ip address to 2 interface

    Posted 08-05-2024 08:47

    I have to route outside to inside with the next hop on ge1/0/1 and ge1/0/2, but at the same time only one asa5508 is active, while I cannot assign 1 IP address to the 2 interfaces ge1/0/1 and ge1/0/2, so if failover happens my route will fail. Is there any solution?

    Thank you!



    ------------------------------
    Nguyen Anh
    ------------------------------



  • 2.  RE: assign 1 ip address to 2 interface

    Posted 08-05-2024 10:54

    On the SRX550 you would assign both interfaces to the same vlan and create a layer 3 vlan interface for that group.

    Under the vlan, assign both ge1/0/1.0 and ge1/0/2.0.

    Then create vlan.# with the desired IP address and add this interface as the layer 3 interface for the vlan:

    set vlans v200 interface ge-1/0/1.0
    set vlans v200 interface ge-1/0/2.0
    set vlans v200 l3-interface vlan.#

    You would also add the vlan.# interface to the desired zone for any security policies.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: assign 1 ip address to 2 interface

    Posted 08-05-2024 11:22

     Right - What Steve said.

    And if you're a little lost with the SRX, 
      Create a new irb.? interface (like irb.100 or something - see in the config file which ones are in use)
     Assign the IP address/netmask to the irb interface you just created.

    Now that irb interface is assigned to a new VLAN declaration.

    From there - you can assign the VLAN to the 2 ethernet interfaces. Basically they are now a 2 port switch.
     if you want them to act like trunk ports, set up both ports to be trunk ports.
     if you want them to act like access ports, just assign the 1 VLAN.
     if you want them to work together to aggregate bandwidth, you actually need to create a 'ae' (aggregate ethernet) interface -- and then you can assign both interfaces to that AE.? interface -- which then also gets assigned the desired VLANs.

    It's fun. Bring caffeine. :)



    ------------------------------
    Ben Kamen
    ------------------------------



  • 4.  RE: assign 1 ip address to 2 interface

    Posted 08-05-2024 12:37

    Thanks for your reply, Sir.

    I set it up as you advised but it still does not work; I can't ping from srx550 to ge1/3 asa5508. Is there anything I am missing? Here are my settings:

    vlans {
        abc {
            vlan-id 1;
            l3-interface irb.1;
        }
    }
    interfaces {
        ge-1/0/1 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members abc;
                    }
                }
            }
        }
        ge-1/0/2 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members abc;
                    }
                }
            }
        }
        irb {
            unit 1 {
                family inet {
                    address 192.168.1.2/24;
                }
            }
        }
    }



    ------------------------------
    Nguyen Anh
    ------------------------------



  • 5.  RE: assign 1 ip address to 2 interface

    Posted 08-07-2024 15:37

    Confirm which operational mode your SRX is running:

    show security flow status

    If this is standard flow based mode then you will also need to configure the new layer 3 interface into the desired security zone.

    set security zones security-zone NAME interfaces irb.1

    In that zone, confirm that ping is permitted, either explicitly or by using the system services all:

    set security zones security-zone NAME host-inbound-traffic system-services ping

    For traffic to flow a security policy would also need to be in place for the traffic passing through the SRX to/from the ASA as well.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
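
The zone checks described in the last reply can be automated. The following is an added example, not part of the original thread: a small Python audit over `show configuration | display set` output that reports every VLAN l3-interface that is missing from a security zone or whose zone does not permit ping. The zone name `inside` and both sample configurations are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form, mirroring the thread's VLAN/IRB setup.
# The zone name "inside" is a placeholder, not taken from the thread.
SAMPLE_MISSING_ZONE = """\
set vlans abc vlan-id 1
set vlans abc l3-interface irb.1
set interfaces ge-1/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-1/0/1 unit 0 family ethernet-switching vlan members abc
set interfaces ge-1/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-1/0/2 unit 0 family ethernet-switching vlan members abc
set interfaces irb unit 1 family inet address 192.168.1.2/24
"""
SAMPLE_FIXED = SAMPLE_MISSING_ZONE + """\
set security zones security-zone inside interfaces irb.1
set security zones security-zone inside host-inbound-traffic system-services ping
"""

L3_RE = re.compile(r"^set vlans (\S+) l3-interface (\S+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) (.+)$")
SVC = "host-inbound-traffic system-services "

def audit_l3_interfaces(config):
    """Return {l3_interface: finding} for each VLAN l3-interface in the config."""
    l3_ifaces, zone_of = [], {}
    zone_svcs, if_svcs = defaultdict(set), defaultdict(set)
    for line in map(str.strip, config.splitlines()):
        if m := L3_RE.match(line):
            l3_ifaces.append(m.group(2))
        elif m := ZONE_RE.match(line):
            zone, rest = m.groups()
            if rest.startswith("interfaces "):
                iface, _, tail = rest[len("interfaces "):].partition(" ")
                zone_of[iface] = zone
                if tail.startswith(SVC):
                    if_svcs[iface].add(tail[len(SVC):])
            elif rest.startswith(SVC):
                zone_svcs[zone].add(rest[len(SVC):])
    findings = {}
    for iface in l3_ifaces:
        if iface not in zone_of:
            findings[iface] = "not in any security zone"
            continue
        # Interface-level host-inbound-traffic takes precedence over zone-level.
        svcs = if_svcs[iface] or zone_svcs[zone_of[iface]]
        ok = bool(svcs & {"ping", "all"})
        findings[iface] = "ok" if ok else "zone %s does not permit ping" % zone_of[iface]
    return findings
```

A finding of `ok` only covers ping to the SRX itself; transit traffic to and from the ASA still needs a matching security policy, as the reply above notes.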