SRX Services Gateway

Do we still need to put secondary ip on srx same as netscreen?

10.10.17   |  
2 weeks ago

Hi All,

Let's say the current ScreenOS config has secondary IPs on the interface. The purpose of these secondary IPs is that the current public IP address on the interface is already full. In other words, they are intended for MIP. Example below:

set interface ethernet2/1.420:1 ip 40.30.20.1 255.255.255.240

set interface ethernet2/1.420:1 ip 40.30.31.70 255.255.255.240 secondary

set interface ethernet2/1.420:1 ip 50.70.31.70 255.255.255.240 secondary

So on SRX, do we also need to put secondary IPs on that interface? Or do we just create the pool under source-nat / destination-nat?

Thanks and appreciate any feedback

3 REPLIES

Re: Do we still need to put secondary ip on srx same as netscreen?

10.10.17   |  
2 weeks ago

Hi,

You will still need to do the address definition outside of nat-rules.

There are two ways to solve this: defining extra IPs on the interface as on ScreenOS, or doing proxy-arp for the extra addresses.

Example with extra IP - "preferred" defines which IP will be used as source if traffic is generated from the device and no specific source is defined.

jonas@fw# show interfaces ge-0/0/2.10
vlan-id 10;
family inet {
    address 10.10.10.2/24;
    address 10.10.10.1/24 {
        preferred;
    }
}

Example with proxy-arp. There you would only have 10.10.10.1/24 defined on ge-0/0/2.10.

jonas@fw# show security nat proxy-arp
interface ge-0/0/2.10 {
    address {
        10.10.10.3/32 to 10.10.10.5/32;
    }
}

I hope this clarifies :-)

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)
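
An added example, not part of the thread or of any poster's configuration: a small Python helper that turns a list of NAT addresses into proxy-arp statements for the second method above, merging consecutive addresses into `to` ranges and skipping addresses already configured on the interface. The function name and the sample addresses are constructed for illustration; the `set` lines follow the `show security nat proxy-arp` hierarchy shown in the reply.

```python
import ipaddress


def proxy_arp_commands(interface, interface_addrs, nat_addrs):
    """Build 'set security nat proxy-arp' lines for a list of IPv4 NAT addresses.

    interface       -- logical interface name, e.g. "ge-0/0/2.10"
    interface_addrs -- addresses configured on it, e.g. ["10.10.10.1/24"]
    nat_addrs       -- extra addresses used by NAT rules, in any order
    """
    # Addresses configured on the interface are answered by the interface itself.
    own = {ipaddress.IPv4Interface(a).ip for a in interface_addrs}
    wanted = sorted({ipaddress.IPv4Address(a) for a in nat_addrs} - own)

    # Merge consecutive addresses into [low, high] ranges.
    ranges = []
    for ip in wanted:
        if ranges and int(ip) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = ip
        else:
            ranges.append([ip, ip])

    cmds = []
    for low, high in ranges:
        spec = f"{low}/32" if low == high else f"{low}/32 to {high}/32"
        cmds.append(f"set security nat proxy-arp interface {interface} address {spec}")
    return cmds


if __name__ == "__main__":
    # Constructed sample input: unordered, with a gap and the interface's own IP.
    sample = ["10.10.10.5", "10.10.10.3", "10.10.10.4", "10.10.10.1", "10.10.10.9"]
    for line in proxy_arp_commands("ge-0/0/2.10", ["10.10.10.1/24"], sample):
        print(line)
```
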

Re: Do we still need to put secondary ip on srx same as netscreen?

10.10.17   |  
2 weeks ago

Hi,

So in simple words, all the new segments (segment IPs) will be assigned proxy-arp, right? If I choose the first method, I don't need any proxy-arp?

Thanks and appreciate your clarification.


Re: Do we still need to put secondary ip on srx same as netscreen?

10.10.17   |  
2 weeks ago

Hi

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)