Junos OS

  • 1.  Juniper SRX300 doesnt route from L2 to L3 zone

    Posted 08-09-2024 14:34

    Hello,

    I have a Juniper SRX300. One interface is a WAN L3 interface with an IP address in the untrust zone. Two interfaces are for two PCs in VLAN 10 and use an irb interface as their gateway. Those two interfaces are in the trust zone. When I want to create a security policy from the trust zone to the untrust zone I get this error: "From zone and to zone must be L2 or L3 zones". I just want my two PCs, which are connected to the SRX firewall, to be in the same VLAN and to be able to reach the outside via the WAN L3 interface.

    Can you give me some advice?

    Thank you



    ------------------------------
    Mirza Dzafic
    ------------------------------


  • 2.  RE: Juniper SRX300 doesnt route from L2 to L3 zone

    Posted 08-09-2024 19:17

    You should place the irb interface in a layer 3 zone.  These interfaces are allowed as layer 3 zone members.  There is no need for an L2 zone in this configuration.

    Typically the L2 zones are used when the SRX needs to be inserted inline between devices that are at layer 2 on both sides.  This allows the use of a firewall without any IP address changes: you literally disconnect the line from a device and insert the SRX between the protected device and its normal patch/router port.  No physical or IP changes needed.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Juniper SRX300 doesnt route from L2 to L3 zone

    Posted 30 days ago

    Hello,

    Thank you for your answer. But I need these two PCs, connected on ports ge-0/0/3 and ge-0/0/4, to be in the same subnet, for example 10.10.10.0/24. Below you can find the configuration. What do I need to change?

    set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 10
    set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members 10
    set interfaces irb unit 10 family inet address 10.10.10.1/24
    set security zones security-zone L2 interfaces ge-0/0/3.0
    set security zones security-zone L2 interfaces ge-0/0/4.0
    set vlans vlan-10 vlan-id 10
    set vlans vlan-10 l3-interface irb.10
    set security zones security-zone L2 host-inbound-traffic system-services any-service
    set security zones security-zone L2 host-inbound-traffic protocols all

    Thank you



    ------------------------------
    Mirza Dzafic
    ------------------------------



  • 4.  RE: Juniper SRX300 doesnt route from L2 to L3 zone

    Posted 30 days ago
    Edited by spuluka 30 days ago

    Simply remove all the L2 zone commands.  They are not needed.

    Only the L3 interface needs to be added to the zone.  No zone configuration at all is needed on the access ports.

    delete security zones security-zone L2 interfaces ge-0/0/3.0
    delete security zones security-zone L2 interfaces ge-0/0/4.0
    delete security zones security-zone L2 host-inbound-traffic system-services any-service
    delete security zones security-zone L2 host-inbound-traffic protocols all

    Place the irb.10 into a L3 zone.

    Then create policies L3 to L3 from there.


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: Juniper SRX300 doesnt route from L2 to L3 zone

    Posted 29 days ago

    Hello,

    Thank you for your help. I removed those commands as you said. Now I have this configuration:

    set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 10
    set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members 10
    set interfaces irb unit 10 family inet address 192.168.97.121/29
    set vlans vlan-10 vlan-id 10
    set vlans vlan-10 l3-interface irb.10

    But when i try to add irb.10 to the security zone i get this error:

     'interfaces irb.10'
        Interface irb is not allowed in mix mode
    error: configuration check-out failed

    Can you help, thank you.



    ------------------------------
    Mirza Dzafic
    ------------------------------



  • 6.  RE: Juniper SRX300 doesnt route from L2 to L3 zone

    Posted 27 days ago

    Seems like you would need to remove mixed mode and go back to standard L3 mode operation.

    You don't seem to need L2 mode for firewall services anyway.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: Juniper SRX300 doesnt route from L2 to L3 zone

    Posted 27 days ago

    Hello,

    I changed the firewall mode to switching mode, and with the configuration above everything works perfectly. Thank you.

    Best regards,



    ------------------------------
    Mirza Dzafic
    ------------------------------
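
The thread ends with the working setup described only in fragments: L2 zone removed (post 4), irb.10 in an L3 zone, L3-to-L3 policy, and the chassis switched to L2 switching mode (post 7). The following is an added, complete set-style configuration assembled by the editor, not a configuration posted by either participant. Assumed, not taken from the thread: ge-0/0/0 as the WAN port with the documentation addresses 203.0.113.2/24 and next hop 203.0.113.1, zone names "trust" and "untrust", the policy and NAT rule names, and that the WAN side needs source NAT for the 10.10.10.0/24 hosts.

```junos
## Added example, not from the thread. Assumed: ge-0/0/0 is the WAN port,
## 203.0.113.2/24 and 203.0.113.1 are placeholder addresses, zones are
## named "trust" and "untrust". Ports, VLAN and irb address are as posted.

## 1. L2 switching mode (post 7). On the SRX300 line a change of the
##    global mode only takes effect after a reboot. In mixed/transparent
##    mode irb.10 cannot join an L3 zone ("Interface irb is not allowed
##    in mix mode"), which is the error seen in post 5.
set protocols l2-learning global-mode switching

## 2. Access ports, VLAN 10 and its routed irb interface (as posted).
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members 10
set vlans vlan-10 vlan-id 10
set vlans vlan-10 l3-interface irb.10
set interfaces irb unit 10 family inet address 10.10.10.1/24

## 3. WAN L3 interface and default route (assumed addresses).
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/24
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## 4. Only the L3 interfaces are zone members (post 4); the access ports
##    ge-0/0/3 and ge-0/0/4 get no zone configuration at all. Host-inbound
##    services are listed per interface instead of the "any-service" /
##    "protocols all" that the original L2 zone carried.
set security zones security-zone trust interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

## 5. L3-to-L3 policy: LAN may initiate sessions outbound; nothing is
##    permitted from untrust to trust, and the default policy stays deny.
set security policies from-zone trust to-zone untrust policy lan-out match source-address any
set security policies from-zone trust to-zone untrust policy lan-out match destination-address any
set security policies from-zone trust to-zone untrust policy lan-out match application any
set security policies from-zone trust to-zone untrust policy lan-out then permit
set security policies from-zone trust to-zone untrust policy lan-out then log session-close
set security policies default-policy deny-all

## 6. Source NAT to the WAN interface address so the private 10.10.10.0/24
##    hosts can reach the outside (assumed to be needed on this WAN).
set security nat source rule-set lan-to-wan from zone trust
set security nat source rule-set lan-to-wan to zone untrust
set security nat source rule-set lan-to-wan rule lan-out match source-address 10.10.10.0/24
set security nat source rule-set lan-to-wan rule lan-out then source-nat interface
```

After `commit` (and the reboot that the global-mode change requires), `show security zones` should list irb.10 under trust and ge-0/0/0.0 under untrust with no L2 zone present, `show security policies` should show only the trust-to-untrust rule, and a ping from one of the PCs to an outside address should appear in `show security flow session` with the 10.10.10.x source translated to the ge-0/0/0 address.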