SRX Services Gateway

Multiple VLAN gateways on physical interface

[ Edited ] 10-11-2019 06:27 PM

I am trying to use an SRX 340 gateway to terminate multiple VLANs coming in from a switch on a VLAN trunk (tagged), and allow routing between two of them but not another. The SRX does not need to switch the VLANs between any other ports. I also serve up DHCP on one of the VLAN interfaces.

I tried to do this the way I thought it should be done, with irb interfaces, but I could not get it working. I then tried it a different way using VLAN sub-interfaces and I was able to get it working. My understanding is that using sub-interfaces is deprecated, so I want to get it working the proper way.

So my first question is how should I be approaching this? Is using irb interfaces the right way to do it, or since I don't actually need to switch, should I be doing it a different way? The config I created for irb is as follows, and I was not able to see ARP requests of anything coming from the switch on any VLANs.

SRX firmware version is junos-srxsme-15.1X49-D160.2

set system host-name TEST_Q
set system time-zone GMT
set system services ssh
set system services telnet
set system services dhcp-local-server group dhcp_maint interface irb.20

set system services web-management http interface fxp0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency

set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5

set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security address-book global address NM_SUBNET 10.207.8.0/24
set security address-book global address MAINT_SUBNET 10.207.22.0/24
set security address-book global address CORP_SUBNET 10.205.0.0/16
set security screen ids-option untrust-screen icmp ping-death

set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024

set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match source-address NM_SUBNET
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match destination-address MAINT_SUBNET
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match application any
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT then permit
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match source-address MAINT_SUBNET
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match destination-address NM_SUBNET
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match application any
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM then permit

set security policies default-policy deny-all

set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ntp
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ping
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ntp
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services https
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ssh

set security zones security-zone CORP interfaces irb.30 host-inbound-traffic system-services ping
set interfaces fxp0 unit 0 family inet address 192.168.1.1/24

set interfaces ge-0/0/1 unit 0 family inet address 192.168.255.126/31
set interfaces ge-0/0/6 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members all

set interfaces irb unit 10 family inet address 10.207.8.1/24
set interfaces irb unit 20 family inet address 10.207.22.1/24
set interfaces irb unit 30 family inet address 10.207.62.1/24

set access address-assignment pool dhcp_pool_maint family inet network 10.207.22.0/24
set access address-assignment pool dhcp_pool_maint family inet range r1 low 10.207.22.101
set access address-assignment pool dhcp_pool_maint family inet range r1 high 10.207.22.125
set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes name-server 10.207.22.1
set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes router 10.207.22.1


set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10

3 replies

Solution (accepted by topic author DoDo1975, 10-11-2019 08:25 PM)

Re: Multiple VLAN gateways on physical interface

[ Edited ] 10-11-2019 06:43 PM

Hi,

The configuration looks fine.

L3 Interfaces and association with a sec-zone:

	set interfaces irb unit 10 family inet address 10.207.8.1/24
	set interfaces irb unit 20 family inet address 10.207.22.1/24
	set interfaces irb unit 30 family inet address 10.207.62.1/24
	
	set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ping 
	set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ntp
	set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ping 
	set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ntp
	set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services https
	set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ssh

Vlans and association with its L3 interface:

	set vlans Corp vlan-id 30
	set vlans Corp l3-interface irb.30

	set vlans Maintenance vlan-id 20
	set vlans Maintenance l3-interface irb.20

	set vlans NetworkManagement vlan-id 10
	set vlans NetworkManagement l3-interface irb.10
	
Trunk facing the switch:

	set interfaces ge-0/0/6 unit 0 family ethernet-switching interface-mode trunk
	set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members all

Policies for permitting traffic between Maintenance and NetworkManagement zones:

	set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match source-address NM_SUBNET
	set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match destination-address MAINT_SUBNET
	set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match application any
	set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT then permit
	set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match source-address MAINT_SUBNET
	set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match destination-address NM_SUBNET
	set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match application any
	set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM then permit
	
DHCP for the Maintenance zone:

	set system services dhcp-local-server group dhcp_maint interface irb.20

	set access address-assignment pool dhcp_pool_maint family inet network 10.207.22.0/24
	set access address-assignment pool dhcp_pool_maint family inet range r1 low 10.207.22.101
	set access address-assignment pool dhcp_pool_maint family inet range r1 high 10.207.22.125
	set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes maximum-lease-time 2419200
	set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes name-server 10.207.22.1
	set access address-assignment pool dhcp_pool_maint family inet dhcp-attributes router 10.207.22.1

The above configuration will provide you with more scalability (if needed in the future), but at the end of the day, if you want to use a single interface with "sub-interfaces" and vlan-tagging, it is also valid. It really depends on your current and future needs. For instance, if you want to save ports, then using a single interface as a "router-on-a-stick" will work just fine.

Can you check if your switch is configured for switching mode:

	> show ethernet-switching global-information

Also, it would be good to see the configuration on the switch port, and to create an L3 interface on that switch and confirm IP connectivity with the SRX. Also, what is the version of your SRX?

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
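The segmentation the original post asks for (routing between the NetworkManagement and Maintenance VLANs but not to Corp) comes from two things the accepted answer walks through: a permit policy for each zone pair that should talk, and `default-policy deny-all` for everything else. The Python below is an added example, not code from the thread or from Juniper: it parses just that subset of the posted `set` commands and replays the policy lookup for a few constructed host addresses. It models only directly connected irb subnets and named address-book entries, not applications, routes learned elsewhere, or host-inbound services.

```python
import ipaddress
# Constructed excerpt of the thread's config: only the lines a policy lookup needs.
CONFIG = """
set security address-book global address NM_SUBNET 10.207.8.0/24
set security address-book global address MAINT_SUBNET 10.207.22.0/24
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match source-address NM_SUBNET
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT match destination-address MAINT_SUBNET
set security policies from-zone NetworkManagement to-zone Maintenance policy NM-MAINT then permit
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match source-address MAINT_SUBNET
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM match destination-address NM_SUBNET
set security policies from-zone Maintenance to-zone NetworkManagement policy MAINT-NM then permit
set security policies default-policy deny-all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services ping
set security zones security-zone CORP interfaces irb.30 host-inbound-traffic system-services ping
set interfaces irb unit 10 family inet address 10.207.8.1/24
set interfaces irb unit 20 family inet address 10.207.22.1/24
set interfaces irb unit 30 family inet address 10.207.62.1/24
"""

def parse(text):
    book, zones, irbs, policies, default = {}, {}, {}, {}, "deny-all"
    for line in text.strip().splitlines():
        t = line.split()
        if t[1:4] == ["security", "address-book", "global"]:
            book[t[5]] = ipaddress.ip_network(t[6])            # name -> prefix
        elif t[1:3] == ["security", "zones"]:
            zones[t[6]] = t[4]                                  # irb.10 -> zone name
        elif t[1:3] == ["interfaces", "irb"]:
            irbs[ipaddress.ip_network(t[8], strict=False)] = "irb." + t[4]
        elif t[1:4] == ["security", "policies", "default-policy"]:
            default = t[4]
        elif t[1:4] == ["security", "policies", "from-zone"]:
            # dict insertion order matches the order the SRX evaluates policies
            p = policies.setdefault((t[4], t[6]), {}).setdefault(t[8], {})
            key, val = (t[10], t[11]) if t[9] == "match" else ("then", t[10])
            p.setdefault(key, []).append(val)
    return book, zones, irbs, policies, default

def lookup(cfg, src, dst):
    """Return (policy name, action) the SRX would apply to a src->dst flow."""
    book, zones, irbs, policies, default = cfg
    def zone(ip):  # zone of the irb whose subnet contains the address
        return next((zones[i] for n, i in irbs.items() if ip in n), None)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, p in policies.get((zone(s), zone(d)), {}).items():
        if any(s in book[a] for a in p.get("source-address", [])) and \
           any(d in book[a] for a in p.get("destination-address", [])):
            return name, p["then"][0]
    return "default-policy", default                            # no match: deny-all
```

Traffic between the two permitted zones hits NM-MAINT or MAINT-NM; anything touching the CORP zone falls through to the default deny, which is the behaviour the original post wanted.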

Re: Multiple VLAN gateways on physical interface

10-11-2019 08:27 PM

Thanks, I don't know why, but after creating the config with the sub-interfaces and then wiping that and going back to the irb config after reading your reply, everything is working now. Maybe a command got missed the first time that I didn't notice.

But I am thankful that I at least know my approach is valid. Thanks


Re: Multiple VLAN gateways on physical interface

10-11-2019 09:32 PM

Dodo,

You are very welcome, I'm glad it is working now.