Hello Arix,
1. Yes. SRX is working in flow mode for IPv4. Other IP protocols (like IPv6 & MPLS) are set to drop the traffic.
2. As "kronicklez" suggested, SRX does NOT require any license for routing protocols including BGP, OSPF, RIP, IS-IS etc.
3. As per the topology, your configuration should look something like this:
On Juniper F/W :
================
- Assuming only one physical interface (e.g. ge-0/0/1) is connected to the L2 switch. This would mean that you have different units on the same interface for each VLAN.
Vlan100|200|300|50| ----------->non-Juniper switch(L2 device)-------1xTrunk Port---------->JuniperF/w(L3 device)--------ebgp------>ISP---------->DataCenter
[Editor's note on the lines below: the original post gave only the subnets (e.g. 192.168.64/28), which Junos will not accept as an interface address; the first host of each subnet (.1) is used here as an assumed SRX interface address, adjust to your own addressing.]
set interfaces ge-0/0/1 unit 100 vlan-id 100
set interfaces ge-0/0/1 unit 100 family inet address 192.168.64.1/28
set interfaces ge-0/0/1 unit 200 vlan-id 200
set interfaces ge-0/0/1 unit 200 family inet address 192.168.80.1/28
set interfaces ge-0/0/1 unit 300 vlan-id 300
set interfaces ge-0/0/1 unit 300 family inet address 192.168.96.1/28
set interfaces ge-0/0/1 unit 50 vlan-id 50
set interfaces ge-0/0/1 unit 50 family inet address 10.10.50.1/24
We can put ge-0/0/1.100 in a separate security zone (let's call it Zone_V100) and put all the other units of the ge-0/0/1 interface in zone LAN.
By default, SRX drops all traffic which does NOT match any configured policy. [ Note: default security policy is a drop policy]
Since you want no communication between Zone_V100 and LAN, I would suggest that you NOT write any policy between these 2 zones.
In order to allow communication between Zone_V100 and the datacenter, you will have to write a policy between the zones where the relevant interfaces reside.
An example of security policy configuration can be found at:
You can find configuration examples of different sections of Junos at the following link:
4. There is no license requirement for the MPLS feature on SRX either. If you are NOT terminating the MPLS circuit on the SRX, then mostly the solution does NOT change except for a few NAT-related changes. If the MPLS is terminating on the SRX, then you might have to look into a complicated solution like selective packet mode if you are still planning to use the SRX for firewall purposes.
I will leave those to your Network Architect, as it is mostly a design-related question and would need a detailed understanding of your entire architecture.
Hope this helps!
Thanks!
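The zone split and policies described in the reply above, written out as an added configuration example (not configuration from either poster). It assumes the VLAN units from the thread, a placeholder eBGP-facing uplink ge-0/0/0.0 in a zone called WAN, and two placeholder datacenter servers in the 203.0.113.0/24 documentation range; lines starting with "##" are annotations, not CLI input.

```junos
## Zones: VLAN 100 alone, the other VLANs together, the ISP uplink separate.
## ge-0/0/0.0 and zone WAN are assumed names; replace with the real uplink.
set security zones security-zone Zone_V100 interfaces ge-0/0/1.100
set security zones security-zone LAN interfaces ge-0/0/1.200
set security zones security-zone LAN interfaces ge-0/0/1.300
set security zones security-zone LAN interfaces ge-0/0/1.50
set security zones security-zone WAN interfaces ge-0/0/0.0

## The SRX itself still has to accept the eBGP session on the uplink.
set security zones security-zone WAN interfaces ge-0/0/0.0 host-inbound-traffic protocols bgp

## Address book: the only datacenter hosts VLAN 100 may reach (placeholder addresses).
set security address-book global address DC_SRV_1 203.0.113.10/32
set security address-book global address DC_SRV_2 203.0.113.11/32
set security address-book global address-set DC_SERVERS address DC_SRV_1
set security address-book global address-set DC_SERVERS address DC_SRV_2

## Zone_V100 -> WAN: permit only the datacenter servers, then an explicit logged deny
## so that anything else VLAN 100 tries to reach shows up in the logs.
set security policies from-zone Zone_V100 to-zone WAN policy V100-to-DC match source-address any
set security policies from-zone Zone_V100 to-zone WAN policy V100-to-DC match destination-address DC_SERVERS
set security policies from-zone Zone_V100 to-zone WAN policy V100-to-DC match application any
set security policies from-zone Zone_V100 to-zone WAN policy V100-to-DC then permit
set security policies from-zone Zone_V100 to-zone WAN policy V100-to-DC then log session-init
set security policies from-zone Zone_V100 to-zone WAN policy V100-deny-rest match source-address any
set security policies from-zone Zone_V100 to-zone WAN policy V100-deny-rest match destination-address any
set security policies from-zone Zone_V100 to-zone WAN policy V100-deny-rest match application any
set security policies from-zone Zone_V100 to-zone WAN policy V100-deny-rest then deny
set security policies from-zone Zone_V100 to-zone WAN policy V100-deny-rest then log session-init

## WAN -> Zone_V100: only needed if the datacenter servers initiate connections to VLAN 100;
## replies to sessions opened from VLAN 100 are handled by the flow session table.
set security policies from-zone WAN to-zone Zone_V100 policy DC-to-V100 match source-address DC_SERVERS
set security policies from-zone WAN to-zone Zone_V100 policy DC-to-V100 match destination-address any
set security policies from-zone WAN to-zone Zone_V100 policy DC-to-V100 match application any
set security policies from-zone WAN to-zone Zone_V100 policy DC-to-V100 then permit

## Zone_V100 <-> LAN: the reply above recommends no policy at all, which the default
## deny already enforces. An explicit logged deny is optional and only adds visibility
## of attempts to cross the VLAN boundary.
set security policies from-zone Zone_V100 to-zone LAN policy V100-LAN-deny match source-address any
set security policies from-zone Zone_V100 to-zone LAN policy V100-LAN-deny match destination-address any
set security policies from-zone Zone_V100 to-zone LAN policy V100-LAN-deny match application any
set security policies from-zone Zone_V100 to-zone LAN policy V100-LAN-deny then deny
set security policies from-zone Zone_V100 to-zone LAN policy V100-LAN-deny then log session-init
set security policies from-zone LAN to-zone Zone_V100 policy LAN-V100-deny match source-address any
set security policies from-zone LAN to-zone Zone_V100 policy LAN-V100-deny match destination-address any
set security policies from-zone LAN to-zone Zone_V100 policy LAN-V100-deny match application any
set security policies from-zone LAN to-zone Zone_V100 policy LAN-V100-deny then deny
set security policies from-zone LAN to-zone Zone_V100 policy LAN-V100-deny then log session-init
```

Traffic between the 20 VLAN 100 clients never reaches the SRX (the L2 switch forwards it), so nothing is needed for that. To check the result after commit, "show security policies from-zone Zone_V100 to-zone WAN" lists the ordered policies and hit counts, and "show security flow session source-prefix 192.168.64.0/28" shows which sessions VLAN 100 hosts currently have open.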
Original Message:
Sent: 08-13-2023 05:29
From: Arix
Subject: Branch level SRX function
Hi TheDisciple,
Thanks for the reply.
1-) When I saw your reply, I double-checked again and yes, it had not been in packet mode. My mistake, sorry about that. I think you are right about what you pointed out in your post, am I right? Here is the output:
> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Tap mode: disabled (default)
    Enhanced route scaling mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
    GTP-U distribution: Disabled
    SCTP distribution: Enabled
  Flow ipsec performance acceleration: off
  Flow gre performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware
  Flow power mode: Disabled
  Flow power mode IPsec: Disabled
  Flow power mode IPsec QAT: Disabled
  Fat core group status: off
  Flow inline fpga crypto: Disabled
2-) It doesn't say anything about an eBGP license in the following, but BGP is up and running on the box. And also how about OSPF?
> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed: none
3-)
Physical and logical topology:
All L3 logical interfaces for the VLANs sit on the Juniper device. The non-Juniper switch is L2 only.
Vlan100|200|300|50| ----------->non-Juniper switch(L2 device)-------1xTrunk Port---------->JuniperF/w(L3 device)--------ebgp------>ISP---------->DataCenter
VLAN 100 has about 20 clients. We want to make sure that those 20 clients in VLAN 100 can communicate with each other locally and with a few servers in the datacenter, but definitely not with the other VLANs (200|300|50) locally, nor remotely with other locations' clients; we want to strictly isolate VLAN 100.
----If a security policy is the solution, what security policy configuration is needed in line with your suggestion? Any proposed config?
----Apart from a security policy, what other solution could there be? Any idea?
4-) In future, when considering having our own MPLS, what limitations would come up with the SRX320 currently up and running in flow mode, and additionally does the MPLS feature require any license?
Thx,
A.
Original Message:
Sent: 08-12-2023 03:48
From: TheDisciple
Subject: Branch level SRX function
Hello Arix,
- Can you share the entire output of "show security flow status", because it should not show "packet-mode" and have sessions at the same time? Note that the SRX will act as packet-mode based on family (IPv4 or IPv6 etc.). As far as configuration is concerned, I would expect the line "set security forwarding-options family mpls mode packet-based" to be present for it to be acting in packet mode for IPv4 traffic.
- On SRX devices, you do NOT need any licenses for running BGP (either External or Internal). Having said that, you can use the following command to check all licenses on an SRX device: "show system license".
- If the requirement is to only allow selective traffic from vlan100 to other VLANs, I would suggest keeping the L3 interface for VLAN 100 in a separate zone from the others and then configuring the security policies to permit communication with specific servers only.
Hope this helps!
Original Message:
Sent: 08-11-2023 11:42
From: Arix
Subject: Branch level SRX function
Hello all,
When typing "show security flow status", the output says that the SRX320 (branch level) is in packet mode. I checked the current configuration and there is no "delete security" statement. Secondly, when typing "show security flow session", a high number of active sessions/flows appears. If the SRX is in packet mode, why are there flow sessions?
The second question is how to check the current license on the SRX320 to make sure it covers dynamic routing (eBGP), whilst eBGP is up and running without issues.
Another question: clients and IP phones are directly connected to a Cisco switch, and the switch is directly connected via a trunk port to the SRX320. All L3 VLAN interfaces sit on the SRX320. On the LAN there are the following:
-Vlan100 -192.168.64/28
-Vlan200 -192.168.80/28
-Vlan300 -192.168.96/28
-Vlan50 -10.10.50.0/24
We want to restrict VLAN 100. No IP from the other subnets should communicate with any client(s) in VLAN 100, so VLAN 100 has to be isolated; they can only communicate with specific servers at the data center. How to achieve this on the SRX320?
Thanks
A.