Ethernet Switching

VLANs to SRX Configuration

05-09-2016 10:59 AM

Hi All:

I have a VC consisting of an EX4550-32F and an EX4200-48T on which there are two VLANs. These are connected to an SRX240H, each EX VLAN with its own SRX interface.

The VLANs on the EX are currently configured as follows:

   vlans {
      data_centre {
         vlan-id 89;
         l3-interface vlan.89;
      }
      dmz {
         vlan-id 88;
      }
   }

The VLAN interface configuration on the EX is below:

   interfaces vlan {
      unit 89 {
         family inet {
            address 10.89.50.253/16;
         }
      }
      unit 88 {
         family inet {
            address 10.88.50.253/16;
         }
      }
   }

EX routing options:

   static route 0.0.0.0/0 next-hop 10.89.50.254;

EX interface assignment to VLANs:

On the EX VC we have xe-0/0/0 to xe-0/0/31 and ge-1/0/12 to ge-1/0/47 configured for the data_centre VLAN, and ge-1/0/0 to ge-1/0/11 configured for the dmz VLAN.

Each VLAN has one interface physically connected to an interface on an SRX240H.

   SRX ge-0/0/6.0 ----- EX ge-1/0/0.0    (dmz)
   SRX ge-0/0/7.0 ----- EX ge-1/0/12.0   (data_centre)

SRX VLAN interfaces are configured as follows:

   interfaces vlan {
      unit 88 {
         family inet {
            address 10.88.50.254/16;
         }
      }
      unit 89 {
         family inet {
            address 10.89.50.254/16;
         }
      }
   }

SRX interfaces:

   interfaces {
      ge-0/0/6 {
         unit 0 {
            family ethernet-switching {
               port-mode trunk;
               vlan {
                  members dmz-88;
               }
            }
         }
      }
      ge-0/0/7 {
         unit 0 {
            family ethernet-switching {
               port-mode trunk;
               vlan {
                  members datactr;
               }
            }
         }
      }
   }

SRX VLANs configuration:

   vlans {
      datactr {
         vlan-id 89;
         l3-interface vlan.89;
      }
      dmz-88 {
         vlan-id 88;
         l3-interface vlan.88;
      }
   }
My Problem

The problem I am experiencing with this configuration is the routing of 10.88.xx.xx traffic. It appears to ingress via the SRX interface ge-0/0/6.0 but then returns via vlan.89 and SRX interface ge-0/0/7.0.

I believe the problem lies with the EX VLANs configuration of dmz-88, which does not have an l3-interface configured, and the EX only has one static route, to 10.89.50.254.
Possible Fix?

Firstly, I want to stop the traffic traversing the VLANs on the EX. Would I achieve this using firewall filters?

Second, I need to fix the routing of the 10.88.xx.xx traffic. Could this be done by adding the l3-interface to the dmz-88 VLAN and adding a static route from the EX to 10.88.50.254 (SRX)?

Any comments or assistance would be greatly appreciated.

Footy-Smurf

Re: VLANs to SRX Configuration

05-10-2016 03:41 AM

It sounds like you don't want routing for this VLAN to occur on the EX. If that is the case, you should simply delete the layer 3 RVI (routed VLAN interface). They are only created when you do want routing to occur on the switch.

On the SRX connections, I assume these are here for redundancy since the two switches are in a VC.  The VC should be treated as a single switch so I assume the reason you are creating the two connections is for failover redundancy in the event of issues.  If so, the more typical SRX configuration would be:

Create a reth interface and make both physical interfaces a member

Delete the vlan RVI and VLAN

Create the layer three address and vlan tag on the reth interface unit 89

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: VLANs to SRX Configuration

‎05-19-2016 02:51 PM
Hi stuartce,

- You can fix your DMZ connectivity by pointing your DMZ servers' gateway to the SRX dmz interface (10.88.50.254).
- Don't think a dmz L3 interface in the EX is needed in this particular instance unless you have another good reason.
- I would suggest you convert the SRX-EX link from trunk to access if no other VLANs are planned to traverse over those links.
- Another option is to stand up link-agg (LACP) and trunk all your VLANs.

Alex
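Alex's LACP option laid out as a worked configuration (added here, not part of either reply): one aggregated link between the VC and the SRX240H carries both VLANs tagged, so a DMZ host whose gateway is 10.88.50.254 has both directions of its flow enter and leave through vlan.88 on the SRX, which a stateful firewall needs in order to keep and inspect the session. Steve's reth option requires a chassis cluster of two SRX nodes and does not apply to the single SRX240H in the post. Port, VLAN and address names are from the post; ae0, the LACP settings and the deletion of the old per-port configuration are assumptions.

```junos
# EX VC side (constructed example; assumes ae0 is unused and ge-1/0/0 and
# ge-1/0/12 carry nothing but their VLAN membership, including any
# "vlans ... interface" entries, which must be removed first)
delete interfaces ge-1/0/0 unit 0
delete interfaces ge-1/0/12 unit 0
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-1/0/0 ether-options 802.3ad ae0
set interfaces ge-1/0/12 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [ dmz data_centre ]
# Per Steve's reply, no RVI on the switch unless it must route itself.
# Keep vlan.89 and the default route instead if the VC needs an
# in-band management address; never bind an RVI to the dmz VLAN.
delete vlans data_centre l3-interface
delete interfaces vlan
delete routing-options static route 0.0.0.0/0

# SRX240H side: both VLANs now arrive tagged on one LAG, each one
# terminating only on its own L3 interface (vlan.88 / vlan.89)
delete interfaces ge-0/0/6 unit 0
delete interfaces ge-0/0/7 unit 0
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/6 gigether-options 802.3ad ae0
set interfaces ge-0/0/7 gigether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [ dmz-88 datactr ]
# The "interfaces vlan" and "vlans" stanzas stay exactly as posted.

# Checks after commit (expected state, not captured output):
#   show lacp interfaces ae0                  both members Collecting/Distributing
#   show ethernet-switching interfaces ae0.0  tagged dmz-88 and datactr
#   show route 10.88.0.0/16                   on the SRX: Direct via vlan.88 only
```

If the SRX-to-VC LAG is the only path between the security zones, the SRX security policy between the zones holding vlan.88 and vlan.89 is now the single place DMZ-to-data-centre traffic is permitted or denied.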