SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Subinterface configuration on SRX/EX

    Posted 04-30-2013 21:37

    I currently have a lab setup with the following configuration:

                      [SRX Firewall]
                            |
        [EX Switch] - [SRX Firewall] - [Switch A]
                            |
                      [SRX Firewall]
                            |
                        [Switch B]

    The links are trunked and are connected using L3 routed VLANs. For example, from the top SRX interface:

     

    ge-0/0/1 {
        unit 0 {
            description ge-0/0/1;
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-trust VLAN10 VLAN11];
                }
                native-vlan-id 3;
            }
        }
    }

     

    Now, I have been asked to replace these link configurations with L3 subinterfaces. I have read the following document on configuring subinterfaces:

     

    http://www.juniper.net/techpubs/en_US/junos9.3/topics/example/interfaces-layer3-subinterfaces-ex-series.html

     

    Questions:

     

    1) Let's say I have a VLAN 33 on Switch A and I want it to be able to communicate with a VLAN 44 on Switch B. How would this be configured?

    2) Expanding question one just a bit. Let's say I want VLAN 33 to reach the initial SRX Firewall and then be able to access the internet. How would one configure Switch A -> Firewall -> EX Switch -> Firewall (top)?

    3) Is it possible to use untagged VLANs? With RVIs I can specify a native-vlan-id.

     

    TIA!



  • 2.  RE: Subinterface configuration on SRX/EX

     
    Posted 05-01-2013 22:13

    @junwbat wrote:

    I currently have a lab setup with the following configuration:

                      [SRX Firewall]
                            |
        [EX Switch] - [SRX Firewall] - [Switch A]
                            |
                      [SRX Firewall]
                            |
                        [Switch B]

    The links are trunked and are connected using L3 routed VLANs. For example, from the top SRX interface:

    ge-0/0/1 {
        unit 0 {
            description ge-0/0/1;
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-trust VLAN10 VLAN11];
                }
                native-vlan-id 3;
            }
        }
    }

    Now, I have been asked to replace these link configurations with L3 subinterfaces. I have read the following document on configuring subinterfaces:

    http://www.juniper.net/techpubs/en_US/junos9.3/topics/example/interfaces-layer3-subinterfaces-ex-series.html

    Questions:

    1) Let's say I have a VLAN 33 on Switch A and I want it to be able to communicate with a VLAN 44 on Switch B. How would this be configured?

    2) Expanding question one just a bit. Let's say I want VLAN 33 to reach the initial SRX Firewall and then be able to access the internet. How would one configure Switch A -> Firewall -> EX Switch -> Firewall (top)?

    Why put a switch between the two firewalls? And why the two firewalls? Are they the same type of SRX?

    3) Is it possible to use untagged VLANs? With RVIs I can specify a native-vlan-id.

    It is possible to use untagged VLANs; the only thing is I have no idea what your network looks like and how it should be after the change of config.

    TIA!


     



  • 3.  RE: Subinterface configuration on SRX/EX

    Posted 05-03-2013 12:16

    2) Expanding question one just a bit. Let's say I want VLAN 33 to reach the initial SRX Firewall and then be able to access the internet. How would one configure Switch A -> Firewall -> EX Switch -> Firewall (top)?

    Why put a switch between the two firewalls?

    It is a simulation. We often rework these simulations with our spare parts. There are often nested layers of firewalls within a corporate structure.

    And why the two firewalls? Are they the same type of SRX?

    The firewalls are all 240 SRXs except for one, which is a 210. I have recently removed one of the firewalls and switches to make it simpler:

    [SRX210]
        |
    [EX3200]
        |
    [SRX240]
        |
    [Cisco 3750]

    The EX3200 in this scenario is emulating a distribution switch. The SRX210 is emulating the gateway to the internet. The uplink from the EX3200 should be a subinterface. For example:

    SRX210 (port ge-0/0/1 is the link to the EX3200):

    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 unit 10 vlan-id 10
    set interfaces ge-0/0/1 unit 10 family inet address 172.19.10.1/24

    EX3200 (port ge-0/0/8 is the link to the SRX210):

    set interfaces ge-0/0/8 vlan-tagging
    set interfaces ge-0/0/8 unit 10 vlan-id 10
    set interfaces ge-0/0/8 unit 10 family inet address 172.19.10.2/24

    In essence this is router-on-a-stick using subinterfaces (not RVIs).

    This leads into some of my questions.

    1) How would I connect the SRX240 to the EX using a subinterface?

    EX3200 (port ge-0/0/7 is the link to the SRX240):

    set interfaces ge-0/0/7 vlan-tagging
    set interfaces ge-0/0/7 unit 10 vlan-id 10
    set interfaces ge-0/0/7 unit 10 family inet address 172.19.10.???/24

    SRX240 (port ge-0/0/15 is the link to the EX3200):

    set interfaces ge-0/0/15 vlan-tagging
    set interfaces ge-0/0/15 unit 10 vlan-id 10
    set interfaces ge-0/0/15 unit 10 family inet address 172.19.10.3/24

    2) Can an L3 subinterface be configured to connect into a Cisco switch? How would it be configured on the Cisco and SRX240 side? Can a native VLAN be passed through this trunked port?



  • 4.  RE: Subinterface configuration on SRX/EX

    Posted 05-07-2013 00:56

    1) How would I connect the SRX240 to the EX using a subinterface?

    EX3200 (port ge-0/0/7 is the link to the SRX240):
    set interfaces ge-0/0/7 vlan-tagging
    set interfaces ge-0/0/7 unit 10 vlan-id 10
    set interfaces ge-0/0/7 unit 10 family inet address 172.19.10.???/24

    SRX240 (port ge-0/0/15 is the link to the EX3200):
    set interfaces ge-0/0/15 vlan-tagging
    set interfaces ge-0/0/15 unit 10 vlan-id 10
    set interfaces ge-0/0/15 unit 10 family inet address 172.19.10.3/24

    unit 10 is the subinterface.

    Here are a few basics about the L3 interface.

    So when you create VLANs, you are creating separate broadcast domains, so you would need a router to route traffic between them. On the switch, you can create a "router" to route between the VLANs using a Layer 3 interface named vlan.x, adding family inet with an address, then linking that interface to the VLAN. If the VLANs are on different devices, then you would need a trunk port to carry the tagged traffic from the switch to the SRX. You typically create the VLAN interface on the distribution switches. Or if you have a single switch with multiple VLANs and you want to route traffic between them, you can use the RVI.

    "correction"

     



  • 5.  RE: Subinterface configuration on SRX/EX

    Posted 05-09-2013 16:22

    Thanks Lyndidon,

    In almost all the examples I see, everyone uses SVIs. But I find those examples too simplistic, and they don't take into account inter-VLAN security. So I am looking at different architectures and at how they should be properly configured and secured. For example, a common network design would be the following (failover not included):

                 Internet (or Untrusted)
                           |
                        Router
                           |
                       Firewall
                           |
            Layer-3 Switch (AKA Distro Switch)
                 |         |         |
              Layer-2   Layer-2   Layer-2
               Switch    Switch    Switch

    NOTE: Often the firewall/router can be crunched into one device.

    So, from our arsenal of connection types, how do we force traffic from Layer-2 through the distribution and up to the firewall before it is routed to another VLAN? This traffic can originate from a server on the same switch, or from one on another switch connected to the distribution switch.

    I do know that if I configure SVIs on the distribution switch, then it is possible for routing to occur before the firewall is reached.

    TIA!

     

     

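    The following is an added configuration example; it is not from any post in this thread and not Juniper's documentation. It answers the design question in the post above (forcing every inter-VLAN packet through the firewall) together with the SRX240/EX3200/Cisco 3750 subinterface questions from the 05-03-2013 post. Everything in it is constructed: the interface names, VLANs 3, 20, 33 and 44, the 10.0.x.0/24 user subnets and the 172.19.11.0/30 link subnet are my choices; the 172.19.10.0/24 link to the SRX210 is the one from the thread. The native-VLAN part assumes the Junos behaviour that, with flexible-vlan-tagging and native-vlan-id set, untagged frames are mapped to the unit whose vlan-id equals the native VLAN; verify that on your Junos release. The '#' lines are annotations for reading, not CLI. The design principle is that the distribution switch carries the user VLANs only at layer 2 (no RVI for them), and each VLAN terminates on its own SRX subinterface in its own security zone, so there is no router in the path that can forward between the VLANs without consulting a security policy.

```junos
# ---- SRX240 ----
# ge-0/0/2: 802.1Q trunk toward the Cisco 3750. Each user VLAN is a routed
# subinterface (unit), so the SRX is the only gateway the hosts can use.
set interfaces ge-0/0/2 description "trunk to Cisco 3750 Gi1/0/1"
set interfaces ge-0/0/2 flexible-vlan-tagging
set interfaces ge-0/0/2 native-vlan-id 3
set interfaces ge-0/0/2 unit 3 vlan-id 3
set interfaces ge-0/0/2 unit 3 family inet address 10.0.3.1/24
set interfaces ge-0/0/2 unit 33 vlan-id 33
set interfaces ge-0/0/2 unit 33 family inet address 10.0.33.1/24
set interfaces ge-0/0/2 unit 44 vlan-id 44
set interfaces ge-0/0/2 unit 44 family inet address 10.0.44.1/24

# ge-0/0/15: routed point-to-point subinterface toward the EX3200. It gets
# its own /30; reusing 172.19.10.0/24 from the EX-to-SRX210 link would put
# two EX interfaces in one subnet.
set interfaces ge-0/0/15 description "uplink to EX3200 ge-0/0/7"
set interfaces ge-0/0/15 vlan-tagging
set interfaces ge-0/0/15 unit 20 vlan-id 20
set interfaces ge-0/0/15 unit 20 family inet address 172.19.11.2/30
set routing-options static route 0.0.0.0/0 next-hop 172.19.11.1

# One security zone per VLAN. Inter-zone traffic is dropped unless a policy
# permits it; this is what forces VLAN-to-VLAN traffic through inspection.
set security zones security-zone vlan33 interfaces ge-0/0/2.33
set security zones security-zone vlan44 interfaces ge-0/0/2.44
set security zones security-zone native3 interfaces ge-0/0/2.3
set security zones security-zone distro interfaces ge-0/0/15.20
set security zones security-zone vlan33 interfaces ge-0/0/2.33 host-inbound-traffic system-services ping
set security zones security-zone vlan44 interfaces ge-0/0/2.44 host-inbound-traffic system-services ping

# Example policy: VLAN 33 may reach VLAN 44 on HTTP/HTTPS only, and the
# sessions are logged so the inter-VLAN traffic shows up in the SRX logs.
set security policies from-zone vlan33 to-zone vlan44 policy v33-to-v44-web match source-address any
set security policies from-zone vlan33 to-zone vlan44 policy v33-to-v44-web match destination-address any
set security policies from-zone vlan33 to-zone vlan44 policy v33-to-v44-web match application junos-http
set security policies from-zone vlan33 to-zone vlan44 policy v33-to-v44-web match application junos-https
set security policies from-zone vlan33 to-zone vlan44 policy v33-to-v44-web then permit
set security policies from-zone vlan33 to-zone vlan44 policy v33-to-v44-web then log session-init
set security policies from-zone vlan33 to-zone vlan44 policy v33-to-v44-web then log session-close
# VLAN 33 may reach the internet via the distribution switch and SRX210.
set security policies from-zone vlan33 to-zone distro policy v33-out match source-address any
set security policies from-zone vlan33 to-zone distro policy v33-out match destination-address any
set security policies from-zone vlan33 to-zone distro policy v33-out match application any
set security policies from-zone vlan33 to-zone distro policy v33-out then permit
# Junos denies unmatched inter-zone traffic anyway; stating it keeps it visible.
set security policies default-policy deny-all

# ---- EX3200 (distribution) ----
# No RVI for VLAN 33/44, so the switch cannot route between them.
# ge-0/0/7 is the routed link to the SRX240; ge-0/0/8 is the existing link
# to the SRX210 from the thread. unit 0 (family ethernet-switching) must go
# before vlan-tagging can be enabled on a port.
delete interfaces ge-0/0/7 unit 0
set interfaces ge-0/0/7 vlan-tagging
set interfaces ge-0/0/7 unit 20 vlan-id 20
set interfaces ge-0/0/7 unit 20 family inet address 172.19.11.1/30
delete interfaces ge-0/0/8 unit 0
set interfaces ge-0/0/8 vlan-tagging
set interfaces ge-0/0/8 unit 10 vlan-id 10
set interfaces ge-0/0/8 unit 10 family inet address 172.19.10.2/24
set routing-options static route 10.0.33.0/24 next-hop 172.19.11.2
set routing-options static route 10.0.44.0/24 next-hop 172.19.11.2
set routing-options static route 0.0.0.0/0 next-hop 172.19.10.1

# ---- SRX210 (internet gateway) ----
# Return routes for the user VLANs point back at the EX3200.
set routing-options static route 10.0.33.0/24 next-hop 172.19.10.2
set routing-options static route 10.0.44.0/24 next-hop 172.19.10.2

# ---- Cisco 3750 (IOS, shown here for the other end of the trunk) ----
# The native VLAN (3) is a dedicated VLAN with no user ports, so untagged
# frames land on the SRX's unit 3 and never on VLAN 33 or 44.
interface GigabitEthernet1/0/1
 description trunk to SRX240 ge-0/0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3,33,44
 switchport mode trunk
```

    Hosts in VLAN 33 use 10.0.33.1 as their gateway and hosts in VLAN 44 use 10.0.44.1; both gateways live on the SRX, so there is no path between the two VLANs that bypasses the policy engine, and the session log on the SRX becomes the record of what crossed between them. The SRX is stateful, so reply traffic for the permitted sessions needs no reverse policy, but connections initiated from VLAN 44 need their own from-zone vlan44 policies written the same way. Keeping the native VLAN on a dedicated, otherwise unused VLAN is the usual hardening step for the untagged case; on Cisco platforms that support it, tagging the native VLAN removes untagged frames from the trunk altogether.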


  • 6.  RE: Subinterface configuration on SRX/EX

    Posted 05-03-2013 02:59

    Create a Layer 3 interface (RVI), add an IP address and associate it with the relevant VLANs. The hosts on each subnet/VLAN will use the IP address of the L3 interface as their gateway.

    SW-A

    set interfaces vlan unit 33 family inet address 10.10.10.1/24

    set vlans v33 l3-interface vlan.33

    SW-B

    set interfaces vlan unit 44 family inet address 10.10.10.2/24

    set vlans v44 l3-interface vlan.44