SRX

  • 1.  srx550 routing between private vlans

    Posted 08-12-2012 01:13

    Having an odd problem (new to Junos, so may be obvious to everyone else). I have a WAN link, a public IP space, plus three private networks, all being run over a trunk to a Cisco 2960G. The systems on the public IP space can talk out to the world no problem. NAT is set up and working great - systems on the private network can talk to the world no problem. However, the private network systems can't talk to each other even when they're all in the 'trust' group and the security policy explicitly allows trust-to-trust traffic!

    interfaces {
    ...
        ge-0/0/2 {
            description "bgp peering";
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family inet {
                    address <redacted>;
                }
            }
        }
    ...
        ge-0/0/5 {
            gigether-options {
                no-loopback;
                auto-negotiation;
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members all;
                    }
                }
            }
        }

        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 300 {
                family inet {
                    address publicnetwork/25;
                }
            }
            unit 350 {
                family inet {
                    address 10.30.0.1/24;
                }
            }
            unit 351 {
                family inet {
                    address 10.30.10.1/24;
                }
            }
            unit 352 {
                family inet {
                    address 10.30.20.1/24;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet populate-inet2;
            family inet {
                export {
                    lan;
                }
            }
        }
        rib inet.2 {
            aggregate {
                route publicnetwork/25 passive;
            }
        }
        rib-groups {
            populate-inet2 {
                import-rib [ inet.0 inet.2 ];
            }
        }
    }
    ...
    security {
        nat {
            source {
                pool nat-pool-1 {
                    address {
                        blah to blah;
                    }
                }
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                pool {
                                    nat-pool-1;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy blah-to-trust {
                    match {
                        source-address blah-network;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy untrust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        reject;
                    }
                }
            }
            default-policy {
                deny-all;
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
                /* zone-wide: every management service and routing protocol on the SRX itself is reachable from any trust interface */
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    vlan.300 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                    vlan.350 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                    vlan.351 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                    vlan.352 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                    /* layer-2 trunk port; the vlan.N RVIs above are the routed interfaces the zone actually needs */
                    ge-0/0/5.0;
                }
            }
            security-zone untrust {
                tcp-rst;
                address-book {
                    address blah-network blah-network;
                }
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                    ge-0/0/2.0 {
                        host-inbound-traffic {
                            protocols {
                                bgp;
                            }
                        }
                    }
                }
            }
        }
    }

    Any ideas?

  • 2.  RE: srx550 routing between private vlans

    Posted 08-13-2012 01:27

    Hi

    Config looks good to me. However, you can delete ge-0/0/5.0 from the trust zone,
    do "commit full" (hidden command) and try the same.

    Also, when initiating some traffic between private LANs, can
    you check if there are corresponding sessions in the "show sec flow session" output?
    (If yes, please post them here.)

    Also, what are you exporting to interface-routes (policy "lan")? Did you
    try the same without it?



  • 3.  RE: srx550 routing between private vlans
    Best Answer

    Posted 08-13-2012 14:35

    Thanks for the help. I figured it out... the system in question was multi-homed and was using the wrong route for the address I was trying to use. This is explained in more detail here: https://sivel.net/2006/12/linux-multi-homing/

    Good to know about commit full and that I don't need the trunk in the trusted network. I wasn't sure about that, and I guess I forgot to go back and check. Thanks again for the reply.
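
    The root cause in the accepted answer (a multi-homed host answering via the wrong route) is easy to reproduce on paper. The following is an added example written for this thread, not code from the posters or from Juniper. It models what a stock Linux host does when it has one leg in the vlan.350 subnet (10.30.0.0/24) and one in the vlan.351 subnet (10.30.10.0/24) from the posted config: the reply to a request that arrived on the 10.30.10.x leg is routed by destination only, so it leaves via the single default route on the other leg. It then builds the source-based policy-routing tables (ip rule / ip route) that make the reply leave on the interface that owns the source address, and emits the iproute2 commands to apply them. The host addresses 10.30.0.50 and 10.30.10.50, the client 10.30.20.7, the interface names eth0/eth1 and the table ids 350/351 are constructed assumptions.

```python
"""
Source-address-aware routing on a multi-homed Linux host.

Added example for this thread; not code from the original posts or from Juniper.
The 10.30.0.0/24, 10.30.10.0/24 and 10.30.20.0/24 networks and their .1 gateways
come from the vlan.350/351/352 RVIs in the posted SRX config. The host addresses
(10.30.0.50, 10.30.10.50), the client 10.30.20.7, the interface names eth0/eth1
and the table ids 350/351 are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[IPv4Address] = None  # None means directly connected


@dataclass(frozen=True)
class Rule:
    src: IPv4Network  # "ip rule add from <src> table <table>"
    table: str


@dataclass(frozen=True)
class Iface:
    dev: str
    addr: IPv4Address
    net: IPv4Network
    gw: IPv4Address
    table: str  # policy-routing table used for traffic sourced from addr


def lookup(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match within one table, as the kernel does."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(tables: Dict[str, List[Route]], rules: List[Rule],
           src: IPv4Address, dst: IPv4Address) -> Optional[str]:
    """Interface a packet leaves on. Rules are tried in order and each selects a
    table; a table with no matching route falls through to the next rule and
    finally to "main", which consults the destination only."""
    for rule in rules:
        if src in rule.src:
            hit = lookup(tables[rule.table], dst)
            if hit is not None:
                return hit.dev
    hit = lookup(tables["main"], dst)
    return hit.dev if hit is not None else None


def default_main_table(ifaces: List[Iface], default_dev: str) -> List[Route]:
    """What a stock install ends up with: one connected route per interface
    plus a single default route, here out of default_dev."""
    routes = [Route(i.net, i.dev) for i in ifaces]
    gw = next(i.gw for i in ifaces if i.dev == default_dev)
    routes.append(Route(ip_network("0.0.0.0/0"), default_dev, gw))
    return routes


def policy_routing(ifaces: List[Iface]) -> Tuple[Dict[str, List[Route]], List[Rule], List[str]]:
    """One table per interface, selected by source address, plus the iproute2
    commands that would create it on the host."""
    tables: Dict[str, List[Route]] = {}
    rules: List[Rule] = []
    cmds: List[str] = []
    for i in ifaces:
        tables[i.table] = [Route(i.net, i.dev), Route(ip_network("0.0.0.0/0"), i.dev, i.gw)]
        rules.append(Rule(ip_network(f"{i.addr}/32"), i.table))
        cmds += [
            f"ip route add {i.net} dev {i.dev} src {i.addr} table {i.table}",
            f"ip route add default via {i.gw} dev {i.dev} table {i.table}",
            f"ip rule add from {i.addr}/32 table {i.table}",
        ]
    return tables, rules, cmds


# Constructed multi-homed host: one leg on vlan.350's subnet, one on vlan.351's.
HOST = [
    Iface("eth0", ip_address("10.30.0.50"), ip_network("10.30.0.0/24"), ip_address("10.30.0.1"), "350"),
    Iface("eth1", ip_address("10.30.10.50"), ip_network("10.30.10.0/24"), ip_address("10.30.10.1"), "351"),
]
CLIENT = ip_address("10.30.20.7")  # constructed client behind vlan.352


def reply_egress_before() -> Optional[str]:
    """A request for 10.30.10.50 arrived on eth1; which leg carries the reply?"""
    tables = {"main": default_main_table(HOST, "eth0")}
    return egress(tables, [], HOST[1].addr, CLIENT)


def reply_egress_after() -> Optional[str]:
    tables, rules, _ = policy_routing(HOST)
    tables["main"] = default_main_table(HOST, "eth0")
    return egress(tables, rules, HOST[1].addr, CLIENT)


if __name__ == "__main__":
    print("before:", reply_egress_before())  # eth0: chosen by destination alone
    print("after: ", reply_egress_after())   # eth1: the leg that owns 10.30.10.50
    for c in policy_routing(HOST)[2]:
        print(c)
```

    The "before" case is the one the thread hit: the host owns 10.30.10.50 but, lacking a rule keyed on that source, sends the reply out eth0 through 10.30.0.1. Traffic sourced from an address no rule covers (the client address, for instance) still falls through to the main table, so adding the rules does not disturb the host's other routing.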