SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Help with MIX mode configuration (IRB?)

    Posted 10-21-2022 06:35
    Hi everyone!

    I have a problem with a configuration I need to achieve and I wonder if anyone can help me.

    UNTRUST: 1 interface with 2 IPs
    FW: I have 1 SRX 340
    TRUST: 2 devices in trust connected to ge1 and ge2 respectively (same VLAN)

    Traffic coming from outside is NATed (NAT)

    * See diagram



    I have tried with mix mode, setting up ge1 and ge2 as ethernet-switching access mode VLAN XX
    and then family inet for the external interface (ge0) vlan-tagged and assign two addresses.

    Until here everything is OK, but the problem comes when I need to create NAT or policies and zones, because the SRX says that it can't assign interfaces or policies in different levels (l2, l3).

    What would be your recommendation for this configuration?

    My configs that won't work:

    interfaces {
        ge-0/0/0 {
            vlan-tagging;
            unit 0 {
                vlan-id 200;
                family inet {
                    address 20.20.20.10/24;
                }
            }
            unit 1 {
                vlan-id 300;
                family inet {
                    address 20.20.21.10/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members VLAN_100;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members VLAN_100;
                    }
                }
            }
        }
        irb {
            unit 100 {
                family inet {
                    address 10.10.10.1/24;
                }
            }
        }
    }
    vlans {
        VLAN_100 {
            vlan-id 100;
            l3-interface irb.100;
        }
    }
    
    
    -------------------------------------------
    
    
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ VLAN_200 VLAN_300 ];
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members VLAN_100;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members VLAN_100;
                    }
                }
            }
        }
        irb {
            unit 100 {
                family inet {
                    address 10.10.10.1/24;
                }
            }
            unit 200 {
                family inet {
                    address 20.20.20.10/24;
                }
            }
            unit 300 {
                family inet {
                    address 20.20.21.10/24;
                }
            }
        }
    }
    vlans {
        VLAN_200 {
            vlan-id 200;
            l3-interface irb.200;
        }
        VLAN_100 {
            vlan-id 100;
            l3-interface irb.100;
        }
        VLAN_300 {
            vlan-id 3009;
            l3-interface irb.300;
        }
    }


    Thank you very much
    Kind regards!


  • 2.  RE: Help with MIX mode configuration (IRB?)

    Posted 10-21-2022 15:31
    The physical configuration options look good.

    How are the security zones and NAT/security policy set up?

    What exactly does "not work" mean?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------