SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  security-zones multiple interfaces configuration

    Posted 07-29-2014 02:52

    G'day,

    Here are ways we can config multiple interfaces with security-zones:

    # method 1

    security-zone dmz {
        interfaces {
            fe-0/0/2.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
            fe-0/0/3.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }

    or

    # Method 2

    security-zone dmz {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            fe-0/0/2.0;
            fe-0/0/3.0;
        }
    }

    Q1: Is there any difference between the two methods? And

    I was wondering if we can do this:

    # Method 3

    security-zone dmz {
        interfaces {
            [ fe-0/0/2.0 fe-0/0/3.0 ];
            {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }

    Any comments are welcomed.

    Cheers,

    Bob


  • 2.  RE: security-zones multiple interfaces configuration
    Best Answer

    Posted 07-29-2014 03:16

    Method #3 is not possible. In your sample configuration there is no difference between Method #1 and Method #2.

    But consider the example below. In it, ge-0/0/0 and ge-0/0/1 are under zone trust, under which we have enabled "system service all", but since you have specified only "system service ping" under interface "ge-0/0/1", it will allow only ping on ge-0/0/1.

    Interface-level configuration takes precedence over zone-level configuration.

    root@SRX-1# show security zones
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
            ge-0/0/1.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
            }
        }
    }

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
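
    As an added example (not part of this thread or of Junos itself), the precedence rule in the reply above turned into an audit check: this Python parses `show security zones` output and reports which host-inbound system-services each interface actually accepts. It assumes, as the reply describes, that an interface-level system-services list replaces the zone-level one rather than merging with it, and it uses a constructed copy of Suraj's trust zone as input.

```python
# Added example, not from the thread: apply the reply's rule that interface-level
# host-inbound-traffic overrides the zone default, and report per interface which
# system-services the SRX itself will accept. SAMPLE is a constructed copy of the
# 'show security zones' output from the reply above (protocols block omitted).
SAMPLE = """
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace output into nested dicts; a leaf 'x;' becomes {'x': {}}."""
    root, stack = {}, []
    cur = root
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            cur = stack.pop()            # close block, back to the parent
        elif line.endswith("{"):
            stack.append(cur)            # open a block under the current node
            cur = cur.setdefault(line[:-1].strip(), {})
        else:
            cur[line.rstrip(";")] = {}   # leaf statement such as 'ping;'
    return root

def effective_services(config):
    """Interface -> set of accepted system-services. Modelled at the system-services
    level, as in the reply: an interface-level list replaces the zone's, never merges."""
    result = {}
    for key, zone in config.items():
        if not key.startswith("security-zone "):
            continue
        zone_default = set(zone.get("host-inbound-traffic", {}).get("system-services", {}))
        for ifname, ifcfg in zone.get("interfaces", {}).items():
            override = ifcfg.get("host-inbound-traffic", {}).get("system-services")
            result[ifname] = set(override) if override is not None else zone_default
    return result
```

    Run against the sample, ge-0/0/0.0 resolves to {'all'} and ge-0/0/1.0 to {'ping'}, which is the exposure difference the reply points out.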



  • 3.  RE: security-zones multiple interfaces configuration

    Posted 07-29-2014 14:31

    Hi Suraj,

    Thank you for your prompt reply.

    It does help.

    Cheers,

    Bob