SRX Services Gateway

Basic question about VLANs, IRBs, and routing to the Internet

06-27-2017 09:08 AM

I am struggling to understand conceptually and put into practice what I should think is a basic function of my SRX router.  I have a Juniper SRX-340 cluster running JUNOS 15.1X49-D75.5.  I have configured several SRX clusters that support Internet routing, port forwarding, and IPSEC VPN tunnels but had not had to work with VLANs before.


Also, this is the first time I am configuring a router with a DMZ security zone.  This configuration (like others I have worked on) has two virtual routers for the two ISPs.  I am using rib-groups to import routes to/from the default routing instance to the two ISP routing instances.  I know that security zone Trust is in the default routing instance and assume that DMZ2 is.  I also have a DMZ1 zone configured without VLANs and that zone can access the Internet.


First, is it even possible for a Juniper SRX to support an interface configured as a trunked VLAN (family ethernet-switching) to also route traffic out to IPSEC tunnels and the Internet?  I read articles suggesting that since VLAN is an L2 interface there is no routing that takes place. I also read the only L3 traffic processed on such an interface would be for management traffic to the SRX.  It seems basic to me that a PC plugged into a switch whose VLAN tag is one of the VLANs in the trunked SRX interface can reach the Internet etc. 


If the answer is YES, then please take a look at the relevant code pieces below and see if I'm doing anything wrong.  If the answer is NO, then how else can I come up with a configuration to support this requirement?


Eric@SRX340A> show configuration interfaces irb | display set
set interfaces irb unit 100 family inet address 10.10.100.1/24
set interfaces irb unit 102 family inet address 10.10.102.1/24
set interfaces irb unit 103 family inet address 10.10.103.1/24


Eric@SRX340A> show configuration vlans | display set
set vlans vlan1 vlan-id 1
set vlans vlan1 l3-interface irb.100
set vlans vlan102 vlan-id 102
set vlans vlan102 l3-interface irb.102
set vlans vlan103 vlan-id 103
set vlans vlan103 l3-interface irb.103


Eric@SRX340A> show configuration interfaces reth4 | display set
set interfaces reth4 description DMZ2
set interfaces reth4 native-vlan-id 1
set interfaces reth4 redundant-ether-options redundancy-group 5
set interfaces reth4 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan102
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan103
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan1


Eric@SRX340A> show configuration security zones security-zone DMZ2 | display set
set security zones security-zone DMZ2 host-inbound-traffic system-services all
set security zones security-zone DMZ2 interfaces irb.100
set security zones security-zone DMZ2 interfaces irb.102
set security zones security-zone DMZ2 interfaces irb.103


Eric@SRX340A> show security policies from-zone DMZ2 to-zone fiber (fiber is our ISP)
  Policy: permit-traffic, State: enabled, Index: 19, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit


Eric@SRX340A> show route 0.0.0.0/0 exact terse

inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 0.0.0.0/0          S   5                       >1.2.3.4 (ISP1)
  ?                    S   5         10             Table

fiber.inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 0.0.0.0/0          S   5                       >1.2.3.4 (ISP1)

spectrum.inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 0.0.0.0/0          S   5                       >5.6.7.8 (ISP2)


1 REPLY

Re: Basic question about VLANs, IRBs, and routing to the Internet

06-27-2017 02:25 PM

Hi, the answer is yes. There are two ways you can do it.


Reth + subinterfaces

set interfaces reth4 description DMZ2
set interfaces reth4 vlan-tagging
set interfaces reth4 native-vlan-id 1
set interfaces reth4 redundant-ether-options redundancy-group 5
set interfaces reth4 unit 100 vlan-id 1
set interfaces reth4 unit 100 family inet address 10.10.100.1/24
set interfaces reth4 unit 102 vlan-id 102
set interfaces reth4 unit 102 family inet address 10.10.102.1/24
set interfaces reth4 unit 103 vlan-id 103
set interfaces reth4 unit 103 family inet address 10.10.103.1/24

set security zones security-zone DMZ2 host-inbound-traffic system-services all
set security zones security-zone DMZ2 interfaces reth4.100
set security zones security-zone DMZ2 interfaces reth4.102
set security zones security-zone DMZ2 interfaces reth4.103

I'm not sure if native vlan will work. I've never configured it on interface with subinterfaces. I don't see why it wouldn't work but I'm just not sure.


Reth as a trunk and vlan l3 interfaces

set interfaces vlan unit 100 family inet address 10.10.100.1/24
set interfaces vlan unit 102 family inet address 10.10.102.1/24
set interfaces vlan unit 103 family inet address 10.10.103.1/24

set vlans vlan1 vlan-id 1
set vlans vlan1 l3-interface vlan.100
set vlans vlan102 vlan-id 102
set vlans vlan102 l3-interface vlan.102
set vlans vlan103 vlan-id 103
set vlans vlan103 l3-interface vlan.103

set interfaces reth4 description DMZ2
set interfaces reth4 native-vlan-id 1
set interfaces reth4 redundant-ether-options redundancy-group 5
set interfaces reth4 unit 0 family ethernet-switching port-mode trunk
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan102
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan103

set security zones security-zone DMZ2 host-inbound-traffic system-services all
set security zones security-zone DMZ2 interfaces vlan.100
set security zones security-zone DMZ2 interfaces vlan.102
set security zones security-zone DMZ2 interfaces vlan.103

Regards,

Wojtek
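Added example, not from either post in the thread: the second approach (trunk plus Layer 3 VLAN interfaces) written in the `irb` / `interface-mode` syntax that the SRX300 series runs on 15.1X49, with the DMZ2 zone's host-inbound exposure narrowed and the outbound policy limited to named applications. The reth4 / redundancy-group 5 settings, the VLAN IDs 1, 102 and 103, the 10.10.x.0/24 addressing and the ISP zone name `fiber` are taken from the question; the policy name `dmz2-out` and the application list are assumptions chosen for illustration. Lines starting with `#` are annotations, not part of the configuration.

```junos
# Layer 2: reth4 is a trunk carrying VLANs 1, 102 and 103; untagged frames land in VLAN 1.
# The native VLAN must also be a member of the trunk or its untagged frames are dropped.
set interfaces reth4 description DMZ2
set interfaces reth4 native-vlan-id 1
set interfaces reth4 redundant-ether-options redundancy-group 5
set interfaces reth4 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth4 unit 0 family ethernet-switching vlan members [ vlan1 vlan102 vlan103 ]

# Layer 3: each VLAN gets exactly one IRB, and the IRB (not reth4.0) is what carries the
# inet address and is placed in the security zone. Routing happens between IRBs, not on the trunk.
set vlans vlan1 vlan-id 1
set vlans vlan1 l3-interface irb.100
set vlans vlan102 vlan-id 102
set vlans vlan102 l3-interface irb.102
set vlans vlan103 vlan-id 103
set vlans vlan103 l3-interface irb.103
set interfaces irb unit 100 family inet address 10.10.100.1/24
set interfaces irb unit 102 family inet address 10.10.102.1/24
set interfaces irb unit 103 family inet address 10.10.103.1/24

# Zone: "host-inbound-traffic system-services all" on a DMZ lets DMZ hosts reach the SRX's own
# SSH, J-Web, NETCONF and similar services. A DMZ normally needs only ping to the gateway,
# so the permission is set per interface and limited to that.
set security zones security-zone DMZ2 interfaces irb.100 host-inbound-traffic system-services ping
set security zones security-zone DMZ2 interfaces irb.102 host-inbound-traffic system-services ping
set security zones security-zone DMZ2 interfaces irb.103 host-inbound-traffic system-services ping

# Policy: DMZ2 -> ISP zone, restricted to the applications the DMZ hosts actually need
# (assumed list) and logged at session close, instead of any/any/any.
set security policies from-zone DMZ2 to-zone fiber policy dmz2-out match source-address any
set security policies from-zone DMZ2 to-zone fiber policy dmz2-out match destination-address any
set security policies from-zone DMZ2 to-zone fiber policy dmz2-out match application [ junos-http junos-https junos-dns-udp junos-ntp ]
set security policies from-zone DMZ2 to-zone fiber policy dmz2-out then permit
set security policies from-zone DMZ2 to-zone fiber policy dmz2-out then log session-close
```

After commit, `show interfaces irb terse` should list irb.100, irb.102 and irb.103 as up, and `show security zones DMZ2` should show them as the zone's only interfaces. Because the IRBs live in `inet.0` while the ISP next hop sits in `fiber.inet.0`, also run `show route table fiber.inet.0 10.10.102.0/24`: the DMZ prefix has to appear there (exported through the rib-group) for return traffic from the ISP instance to reach the DMZ, and `show security flow session source-prefix 10.10.102.0/24` will show whether sessions from a host on VLAN 102 are actually being created.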