03-22-2011 03:01 PM
I have an SSG240H connected over a WAN to an SSG140. Not a VPN, it is layer 2. Everything works fine. I was wondering if the SRX (and SSG) can be set to just route for certain interfaces. No need to keep session info. I have eth0/4 in the same trusted zone as the vlan switching ports. The vlan is 192.168.168.0/24 and eth0/4 is 192.168.34.0/24. I have a policy to allow any to any for any interfaces in the trusted zone.
I just want to route traffic. I am afraid that each session setup and tear down is what is causing delays in my application.
Any help would be appreciated.
03-22-2011 04:42 PM
Put the SRX in packet mode.
delete security
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based
set security forwarding-options family inet6 mode packet-based
03-23-2011 12:20 PM
I want certain ports to route and the rest to act as a firewall/VPN device. Is setting to mpls an all-or-nothing thing?
03-23-2011 02:26 PM
It sure is all or nothing. The whole box goes into packet mode. With filters you can do something like this:
firewall {
    family inet {
        filter <filter name> {
            term <term name> {
                from {…}  ## Matching Conditions
                then {
                    packet-mode;  ## Warning: This action will bypass flow infrastructure!!
                    accept;
                }
            }
        }
    }
}
Comes from this doc:
http://www.juniper.net/us/en/local/pdf/app-notes/3
You could write a filter with just then packet-mode and accept as an action, no from clause. Apply it to the incoming interface, and all traffic on just that interface should be handled stateless. All other traffic stateful.
Just theory, never tried it. Please report back!
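Here is a fuller worked version of the selective packet-mode filter sketched above, written for the SRX side of this setup. It is an added example, not configuration from either poster or from the Juniper application note. The thread never names the Junos interfaces, so ge-0/0/4.0 (the 192.168.34.0/24 side), vlan.0 (the 192.168.168.0/24 side), the interface addresses and the filter/term names are all assumptions. Unlike the "no from clause" variant, this filter only marks traffic between the two trusted subnets as packet-mode and leaves everything else on those interfaces to the normal stateful flow path, so a later VPN or policy on the same box keeps working.

```junos
## Added example (not from the original thread). Interface names,
## addresses, and filter/term names are assumed, not taken from the posts.
firewall {
    family inet {
        filter bypass-flow-trusted {
            ## Only traffic between the two trusted subnets skips the flow
            ## module: no session setup/teardown, but also no policy, NAT,
            ## ALG or IPsec handling for these packets.
            term stateless-between-trusted-subnets {
                from {
                    source-address {
                        192.168.34.0/24;
                        192.168.168.0/24;
                    }
                    destination-address {
                        192.168.34.0/24;
                        192.168.168.0/24;
                    }
                }
                then {
                    count stateless-pkts;  ## counter for verification
                    packet-mode;           ## bypasses flow for matching packets
                    accept;
                }
            }
            ## Everything else on these interfaces stays stateful.
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/4 {
        unit 0 {
            family inet {
                filter {
                    input bypass-flow-trusted;
                }
                address 192.168.34.1/24;  ## assumed address
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                filter {
                    input bypass-flow-trusted;
                }
                address 192.168.168.1/24;  ## assumed address
            }
        }
    }
}
```

The filter is applied as an input filter on both ingress interfaces on purpose: if only the ge-0/0/4 side bypassed flow, the return packets arriving on vlan.0 would still be handed to the flow module, which has no session for them and will drop or re-inspect them. After committing, `show firewall filter bypass-flow-trusted` should show the stateless-pkts counter climbing while `show security flow session source-prefix 192.168.34.0/24` no longer lists sessions for that traffic, which is the quickest way to confirm the delay really came from session handling.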