Hello,
I have another question regarding reth trunking towards the switches. I have patched the application server into the switch on VLAN 50 and trunked this VLAN towards the firewall, and on the firewall I have tagged the VLAN on reth1. I have also added a security zone for this application server, but now I cannot ping from the switch/firewall towards the application server. What am I missing in this configuration? I think a security policy for the application server?
server > switch > firewall01/02 > internet
SRX config:
reth0 {
description "switch - internet";
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
lacp {
active;
periodic slow;
}
}
unit 200 {
description "public ip-range";
vlan-id 200;
family inet {
address 6.100.10.71/29 {
primary;
preferred;
}
}
}
}
reth1 {
description switch;
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
lacp {
active;
periodic slow;
}
}
unit 50 {
description "Application server";
vlan-id 50;
family inet {
address 192.168.5.1/24;
trunk towards switch:
interfaces {
ge-0/0/2 {
description "switch ge-0/0/0";
gigether-options {
redundant-parent reth1;
}
}
ge-0/0/3 {
description "switch ge-1/0/0";
gigether-options {
redundant-parent reth1;
}
}
ge-0/0/4 {
description "switch ge-0/0/46 - internet";
gigether-options {
redundant-parent reth0;
}
}
ge-5/0/2 {
description "switch ge-2/0/0";
gigether-options {
redundant-parent reth1;
}
}
ge-5/0/3 {
description "switch ge-3/0/0";
gigether-options {
redundant-parent reth1;
}
}
ge-5/0/4 {
description "switch ge-2/0/46 - internet";
gigether-options {
redundant-parent reth0;
Security Zone/policy:
security {
policies {
from-zone untrust to-zone trust {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
zones {
security-zone application {
interfaces {
reth1.50 {
host-inbound-traffic {
system-services {
all;
}
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
reth0.200;
}
}
}
}
security-zone untrust {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/7.2504; (isp)
ge-5/0/7.3504; (ISP)
}
Switch01:
ge-0/0/6 {
description "Application server";
unit 0 {
family ethernet-switching {
vlan {
members 50;
}
}
}
}
ae0 {
description "fw - internet";
aggregated-ether-options {
lacp {
active;
periodic slow;
}
}
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members 200;
}
}
}
}
ae1 {
description fw01;
aggregated-ether-options {
lacp {
active;
periodic slow;
}
}
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members 50;
}
}
}
}
ae2 {
description fw02;
aggregated-ether-options {
lacp {
active;
}
}
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members 50;
}
}
}
vlans {
v50 {
description Application;
vlan-id 50;
v200 {
description Internet;
vlan-id 200;
Thank you in advance.