SRX

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about the SRX Series.
  • 1.  SRX as a switch with layer 3 interfaces

    Posted 08-04-2022 09:00
    Hello,

    I want layer 2 traffic tagged with a 802.1q tag 100 to pass through the SRX transparently towards the device that has its layer 3 gateway IP address configured, is this possible? I am aware I can create an IRB interface and put ports into vlans, however the gateway is not built on the SRX so I do not want to use an IRB interface. Diagram below shows what I am trying to acheieve, vlan 100 is configured on the switch and SRX, then the router WAN-1 has a layer 3 sub interface with vlan 100 encapsulation where the gateway is built.

    MAC addresses are showing on port 8, but nothing on port 5, when I intiate a ping from the VPC "VLAN".



    SRX Config:
    set version 21.1R3.11
    set groups node0 system host-name SRX0_N0
    set groups node0 system services ssh max-sessions-per-connection 64
    set groups node0 system syslog file default-log-messages any info
    set groups node0 system syslog file default-log-messages structured-data
    set groups node1 system host-name SRX0_N1
    set groups node1 system services ssh max-sessions-per-connection 64
    set groups node1 system syslog file default-log-messages any info
    set groups node1 system syslog file default-log-messages structured-data
    set apply-groups "${node}"
    set system root-authentication encrypted-password "$6$iVIc6YFM$dMZhQh4dwPhHfRfOSfuQrWd/xrKlBmGaMMSZW.X7HE1i3D9geUpjgOnBms4dQjnD9Vyc2NeVirjk1QxMxd4kZ0"
    set security policies default-policy permit-all
    set security zones security-zone INTERNET interfaces ge-0/0/3.0 host-inbound-traffic system-services all
    set security zones security-zone LAN interfaces ge-0/0/7.0 host-inbound-traffic system-services all
    set security zones security-zone LAN interfaces ge-0/0/4.0 host-inbound-traffic system-services all
    set interfaces ge-0/0/3 unit 0 family inet address 192.168.1.1/30
    set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-100
    set interfaces ge-0/0/7 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-100
    set vlans vlan-100 vlan-id 100​





  • 2.  RE: SRX as a switch with layer 3 interfaces

    Posted 08-11-2022 17:02

    If you aren't wanting to use any of the firewall features, have you changed to packet mode?  This removes all need of zones and security policies.  Highly HIGHLY recommend you add a RE-Protect filter though.  

    set security forwarding-options family inet6 mode packet-based
    set security forwarding-options family mpls mode packet-based
    set security forwarding-options family iso mode packet-based



  • 3.  RE: SRX as a switch with layer 3 interfaces

    Posted 08-15-2022 21:34
    I want to use the firewall features and also run a mix of layer 2/3 ports.

    Current config is in a lab to just test the possibility of port 8 and 5 on the SRX forwarding frames on the same vlan.