Hello,
I'm fairly new to Juniper, so apologies if this is obvious.
I have two SRX320s set up in a cluster, and two QFX3500s set up in a VPC.
There is a single reth on the SRX cluster, with multiple VLANs associated.
On the QFX VPC I have set up IRB interfaces for each VLAN.
Traffic will flow appropriately across the VLAN, but not between VLANs.
On the QFX VPC, all VLANs excluding one are in a routing instance. On the SRX cluster, all VLANs excluding one are in the same routing instance.
The idea is that my `trusted` VLANs should be able to route freely between each other, but my `untrusted` VLAN has to route via my SRX cluster before it can route to another VLAN.
Please find a logical topology attached. It's fairly rough.
And Pastebin links for my switch (qfx - Pastebin.com) and firewall (SRX paste - Pastebin.com) configurations.
Hosts attached to the switch are able to get DHCP leases fine, and can ping both the QFX IRB interface and the SRX reth interface for their specific VLAN/subnets, but can't ping anything outside their subnet/VLAN.
------------------------------
ALEXANDER HUSSEY
------------------------------
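The design described in the post (trusted VLANs routing freely between each other on the QFX pair, the untrusted VLAN reachable only through the SRX cluster) written out as a minimal Junos configuration. This is an added example, not the poster's pasted config: VLAN IDs 10/20 (trusted) and 30 (untrusted), the 10.10.x.0/24 addressing, the zone and policy names, the QFX trunk ports (xe-0/0/0 and xe-1/0/0, one per SRX node, no LAG) and the SRX child ports (ge-0/0/3 on node 0, ge-3/0/3 on node 1) are all assumptions. ELS-style `irb` syntax is assumed because the post mentions IRB interfaces; older non-ELS QFX releases use `vlan.X` l3-interfaces instead. One deliberate simplification: the SRX side keeps all three reth units in the default routing instance and separates trusted from untrusted with security zones, so no inter-instance route leaking is needed on the firewall; the isolation the post wants is enforced by the routing instance on the QFX.

```junos
## ---------- QFX pair (switch) ----------
## Constructed example: VLANs, one IRB gateway per VLAN
set vlans SERVERS vlan-id 10
set vlans SERVERS l3-interface irb.10
set vlans USERS vlan-id 20
set vlans USERS l3-interface irb.20
set vlans GUEST vlan-id 30
set vlans GUEST l3-interface irb.30
set interfaces irb unit 10 family inet address 10.10.10.2/24
set interfaces irb unit 20 family inet address 10.10.20.2/24
set interfaces irb unit 30 family inet address 10.10.30.2/24

## Trunks toward the SRX reth children (one port per SRX node, assumed)
set interfaces xe-0/0/0 description "to SRX node0 reth0 child"
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members [ SERVERS USERS GUEST ]
set interfaces xe-1/0/0 description "to SRX node1 reth0 child"
set interfaces xe-1/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-1/0/0 unit 0 family ethernet-switching vlan members [ SERVERS USERS GUEST ]

## Trusted IRBs share one virtual-router, so irb.10 <-> irb.20 routes locally on the QFX
set routing-instances TRUSTED instance-type virtual-router
set routing-instances TRUSTED interface irb.10
set routing-instances TRUSTED interface irb.20
## Anything not local to TRUSTED (including GUEST) is sent to the SRX on VLAN 10
set routing-instances TRUSTED routing-options static route 0.0.0.0/0 next-hop 10.10.10.1

## GUEST stays in the default instance (inet.0), which holds no trusted routes,
## so its only way out is the SRX on VLAN 30
set routing-options static route 0.0.0.0/0 next-hop 10.10.30.1

## ---------- SRX320 chassis cluster (firewall) ----------
## Constructed example: one reth with one unit per VLAN (node1 ports assumed as ge-3/0/x)
set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-3/0/3 gigether-options redundant-parent reth0
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 10 vlan-id 10 family inet address 10.10.10.1/24
set interfaces reth0 unit 20 vlan-id 20 family inet address 10.10.20.1/24
set interfaces reth0 unit 30 vlan-id 30 family inet address 10.10.30.1/24

## Zones: trusted units together, GUEST on its own; ping allowed so hosts can test the reth
set security zones security-zone trust interfaces reth0.10 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces reth0.20 host-inbound-traffic system-services ping
set security zones security-zone guest interfaces reth0.30 host-inbound-traffic system-services ping

## GUEST reaches trusted subnets only through this policy (ping only here; widen deliberately)
set security policies from-zone guest to-zone trust policy guest-to-trust match source-address any
set security policies from-zone guest to-zone trust policy guest-to-trust match destination-address any
set security policies from-zone guest to-zone trust policy guest-to-trust match application junos-ping
set security policies from-zone guest to-zone trust policy guest-to-trust then permit
set security policies from-zone guest to-zone trust policy guest-to-trust then log session-init

## Trusted -> GUEST is permitted; the SRX still creates a session and logs it
set security policies from-zone trust to-zone guest policy trust-to-guest match source-address any
set security policies from-zone trust to-zone guest policy trust-to-guest match destination-address any
set security policies from-zone trust to-zone guest policy trust-to-guest match application any
set security policies from-zone trust to-zone guest policy trust-to-guest then permit
set security policies from-zone trust to-zone guest policy trust-to-guest then log session-init
```

Two checks worth running against a layout like this: on the QFX, `show route table TRUSTED.inet.0` should list both trusted subnets as direct routes plus the default via the SRX, while `show route table inet.0` should show only the GUEST subnet and its default; on the SRX, `show chassis cluster status` confirms which node owns redundancy-group 1, and `show security flow session` should show a guest-to-trust session whenever a GUEST host pings a trusted host. Note one property of this hub layout: because the SRX is directly attached to every VLAN, its packets toward a trusted host leave reth0.20 straight onto the VLAN, while the host's replies reach the SRX via irb.20 and reth0.10; both interfaces are in the same zone so the session still matches, but if you want a strictly symmetric path, give the SRX a dedicated transit VLAN instead of a unit per VLAN.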