SRX Services Gateway

SRX VLAN Logical Interfaces

03-01-2019 11:47 AM

Hello,

I have a few switches connected in an RSTP Ethernet ring. I would like to use a Juniper SRX 340 as my gateway for all the applications and to permit and deny routing between the VLANs on the ring. I will be using two SRXs and VRRP to elect the master gateway.

I have 8 applications, each on a separate VLAN and subnet. The Junipers need to be able to participate in each VLAN, and have a logical IP address for each VLAN (as well as a shared VRRP address for each subnet that is available on both).

I think I know how to do most of this; however, I haven't been able to find examples of creating VLAN interfaces that aren't attached to physical interfaces. So hopefully someone can tell me how to do that part only. So I will have two physical ports that are trunk ports and members of each VLAN, then 8 logical interfaces with IP addresses, one for each VLAN. Then all traffic destined for outside networks will be routed out one of two uplink ports to other networks.

If I can get info on how to create logical L3 interfaces attached to the VLAN without a physical interface, I can probably figure out all the VRRP and other stuff myself.

Thanks

Solution
Accepted by topic author DoDo1975
03-04-2019 08:46 AM

Re: SRX VLAN Logical Interfaces

03-01-2019 12:35 PM


1. Define the VLANs (each set statement needs the vlans keyword, and set statements take no trailing semicolon)
set vlans vlan-10 vlan-id 10
set vlans vlan-10 l3-interface irb.10
set vlans vlan-20 vlan-id 20
set vlans vlan-20 l3-interface irb.20
set vlans vlan-30 vlan-id 30
set vlans vlan-30 l3-interface irb.30
set vlans vlan-40 vlan-id 40
set vlans vlan-40 l3-interface irb.40
set vlans vlan-50 vlan-id 50
set vlans vlan-50 l3-interface irb.50
set vlans vlan-60 vlan-id 60
set vlans vlan-60 l3-interface irb.60
set vlans vlan-70 vlan-id 70
set vlans vlan-70 l3-interface irb.70
set vlans vlan-80 vlan-id 80
set vlans vlan-80 l3-interface irb.80

2. Configure an L3 interface for each VLAN.
set interfaces irb unit 10 family inet address 192.168.10.1/24
set interfaces irb unit 20 family inet address 192.168.20.1/24
set interfaces irb unit 30 family inet address 192.168.30.1/24
set interfaces irb unit 40 family inet address 192.168.40.1/24
set interfaces irb unit 50 family inet address 192.168.50.1/24
set interfaces irb unit 60 family inet address 192.168.60.1/24
set interfaces irb unit 70 family inet address 192.168.70.1/24
set interfaces irb unit 80 family inet address 192.168.80.1/24

3. Configure the interface as a trunk and allow either all VLANs or only the eight VLANs configured above
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [ vlan-10 vlan-20 vlan-30 vlan-40 vlan-50 vlan-60 vlan-70 vlan-80 ]

4. Configure a security zone and add the irb interfaces to it. You may use the same zone for all of them or a different zone for each VLAN.

set security zones security-zone trust interfaces irb.10
set security zones security-zone trust interfaces irb.20
set security zones security-zone trust interfaces irb.30
set security zones security-zone trust interfaces irb.40
set security zones security-zone trust interfaces irb.50
set security zones security-zone trust interfaces irb.60
set security zones security-zone trust interfaces irb.70
set security zones security-zone trust interfaces irb.80

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

5. Configure security policies (with this config, trust to trust).

6. Configure VRRP and the rest.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX VLAN Logical Interfaces

03-01-2019 01:21 PM

This appears to work; however, I had to put the keyword vlans after the set command.

However, all the irb interfaces are in the down state. How do I bring them up?


Re: SRX VLAN Logical Interfaces

03-01-2019 05:59 PM

In order for an irb interface to come up, at least one physical interface in the same VLAN has to be link up.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX VLAN Logical Interfaces

03-01-2019 07:15 PM

There is a physical interface trunking the VLANs and it is up. All VLANs are on this interface.


Re: SRX VLAN Logical Interfaces

03-01-2019 07:59 PM

Hi,

I did a quick lab test. The interface was down after the commit. I had to reboot the firewall to get the irb interface up, since I was switching from route mode to mix mode.

root@srx# commit
warning: Interfaces are changed from route mode to mix mode. Please use the command request system reboot on current node or all nodes in case of HA cluster!
commit complete

Configuration:

set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan100
set interfaces irb unit 100 family inet address 192.168.100.10/24
set vlans vlan100 vlan-id 100
set vlans vlan100 l3-interface irb.100
Interface Status:

root@srx> show interfaces irb terse
Interface Admin Link Proto Local Remote
irb up up
irb.100 up up inet 192.168.100.10/2

Which platform and version are you using?

I hope this helps.

Regards,

Vikas


Re: SRX VLAN Logical Interfaces

03-04-2019 08:29 AM

OK, I got confused between ge-0/0/0 and ge-0/0/1.

They are up now.


Re: SRX VLAN Logical Interfaces

03-04-2019 09:49 AM

I must be missing something here. I cannot add an IRB interface to a security zone. I am not sure how I can route between subnets without a zone, but if I can route between different IRBs without a zone, I don't know how I can prevent routing between some VLANs.

My Junos version is JUNOS 15.1X49-D35.


Re: SRX VLAN Logical Interfaces

03-04-2019 10:28 AM

The Integrated Routing and Bridging (IRB) feature was introduced in Junos OS 15.1X49-D40. Please upgrade to D40 or a higher version; it is recommended to use the JTAC recommended version (refer to this link: https://kb.juniper.net/InfoCenter/index?page=content&id=kb21476#srx_series).

https://apps.juniper.net/feature-explorer/feature-info.html?fKey=2219&fn=Integrated%20routing%20and%...)

IRB configuration: https://www.juniper.net/documentation/en_US/release-independent/solutions/information-products/pathw...
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX VLAN Logical Interfaces

03-05-2019 08:06 AM

Thanks, I now have updated firmware and things are starting to work as they should. I still have two issues I can't figure out though. At the moment I have two SRX 340 firewalls. They are connected together via a VLAN trunk (on all VLANs). There is a Maintenance VLAN configured that should be routable to all other VLANs, with VRRP providing a gateway IP for that VLAN. I also have a DHCP server configured on that VLAN.

I have a laptop connected to a port on SRX 2, and that port is also on the Maintenance VLAN. I get an IP address without issue and can ping the L3 irb IP address on both SRX switches.

Problem 1 - I cannot ping the VRRP address. VRRP appears to work, one is in master and one is in backup mode, but I cannot ping the shared IP. The accept-data flag is set.

Problem 2 - I have set up policies between VLANs so my Maintenance VLAN can communicate with the other VLANs; however, I cannot ping any VLAN interfaces on SRX 1 (which is the VRRP master) from the laptop. The policies are set and incoming ping services are allowed on the interfaces.

Hopefully someone can help me solve these two issues. They may be related? I have included my configs below. They are almost the same, just different IP addresses, VRRP config and DHCP pools.

SRX1:

set version 15.1X49-D45
set system host-name OPS-KOC-A
set system time-zone GMT
set system root-authentication encrypted-password "$5$jAAwwN6v$Cd4FbXRkBh4d4hK2LxLyzUQE3DRf5HuDuXZUO936fr5"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-resolution no-resolve-on-input
set system login user admin uid 2002
set system login user admin class super-user
set system login user admin authentication encrypted-password "$5$trBTfuvQ$fkkoVuImv1MC3mI6cH0EfsRmpkX5KmX8JdB2DRMu7Q."
set system services ssh
set system services telnet
set system services dhcp-local-server group g1 interface irb.20
set system services web-management http interface fxp0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server us.ntp.pool.org
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match source-address any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match destination-address any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match application any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM then permit
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match source-address any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match destination-address any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match application any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM then permit
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match source-address any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match destination-address any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match application any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM then permit
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match source-address any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match destination-address any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match application any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM then permit
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match source-address any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match destination-address any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match application any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA then permit
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match source-address any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match destination-address any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match application any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA then permit
set security zones security-zone NetworkManagement host-inbound-traffic system-services all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic protocols all
set security zones security-zone Maintenance host-inbound-traffic system-services all
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services all
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic protocols all
set security zones security-zone IonMeters host-inbound-traffic system-services all
set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic system-services all
set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic protocols all
set security zones security-zone GeneralDeviceManagement host-inbound-traffic system-services all
set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic system-services all
set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic protocols all
set security zones security-zone EngineeringAccess host-inbound-traffic system-services all
set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic system-services all
set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic protocols all
set security zones security-zone DFR host-inbound-traffic system-services all
set security zones security-zone DFR interfaces irb.14 host-inbound-traffic system-services all
set security zones security-zone DFR interfaces irb.14 host-inbound-traffic protocols all
set security zones security-zone Internal
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/2 unit 0 family inet
set interfaces ge-0/0/3 unit 0 family inet
set interfaces ge-0/0/4 unit 0 family inet
set interfaces ge-0/0/5 unit 0 family inet
set interfaces ge-0/0/6 unit 0 family inet
set interfaces ge-0/0/7 unit 0 family inet
set interfaces fxp0 unit 0 family inet address 192.168.1.1/24
set interfaces irb unit 9 family inet address 10.207.10.3/23
set interfaces irb unit 10 family inet address 10.207.8.3/24
set interfaces irb unit 13 family inet address 10.207.50.3/23
set interfaces irb unit 14 family inet address 10.207.48.3/23
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 virtual-address 10.207.22.1
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 priority 200
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 accept-data
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 track interface irb.20 priority-cost 200
set interfaces irb unit 21 family inet address 10.207.24.3/21
set routing-options static route 0.0.0.0/0 next-hop 10.207.22.3
set protocols l2-learning global-mode switching
set access address-assignment pool p1 family inet network 10.207.22.0/24
set access address-assignment pool p1 family inet range r1 low 10.207.22.101
set access address-assignment pool p1 family inet range r1 high 10.207.22.125
set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool p1 family inet dhcp-attributes name-server 10.207.22.1
set access address-assignment pool p1 family inet dhcp-attributes router 10.207.22.1
set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans DFR vlan-id 14
set vlans DFR l3-interface irb.14
set vlans Engineering vlan-id 21
set vlans Engineering l3-interface irb.21
set vlans GeneralDeviceManagement vlan-id 9
set vlans GeneralDeviceManagement l3-interface irb.9
set vlans Ion vlan-id 13
set vlans Ion l3-interface irb.13
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10
set vlans Phones vlan-id 31
set vlans Phones l3-interface irb.31
set vlans VHF vlan-id 16
set vlans VHF l3-interface irb.16
set vlans Video vlan-id 32
set vlans Video l3-interface irb.32


SRX2:

set version 15.1X49-D45
set system host-name SCC
set system time-zone GMT
set system root-authentication encrypted-password "$5$49q.90sE$fMyWz9qOLJzItFpRwrs6dIzKkNyIRdzVfpt4yXypD64"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-resolution no-resolve-on-input
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "$5$AO4gzXBq$iBIwPMvx7GthLZJzKjBR5TfIEXFZXIFjYBwlgyAult8"
set system services ssh
set system services telnet
set system services dhcp-local-server group g1 interface irb.20
set system services web-management http
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server us.ntp.pool.org
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match source-address any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match destination-address any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM match application any
set security policies from-zone Maintenance to-zone NetworkManagement policy M-NM then permit
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match source-address any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match destination-address any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM match application any
set security policies from-zone NetworkManagement to-zone Maintenance policy M-NM then permit
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match source-address any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match destination-address any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM match application any
set security policies from-zone Maintenance to-zone GeneralDeviceManagement policy M-GDM then permit
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match source-address any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match destination-address any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM match application any
set security policies from-zone GeneralDeviceManagement to-zone Maintenance policy M-GDM then permit
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match source-address any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match destination-address any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA match application any
set security policies from-zone Maintenance to-zone EngineeringAccess policy M-EA then permit
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match source-address any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match destination-address any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA match application any
set security policies from-zone EngineeringAccess to-zone Maintenance policy M-EA then permit
set security zones security-zone Internal
set security zones security-zone NetworkManagement host-inbound-traffic system-services all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic protocols all
set security zones security-zone Maintenance host-inbound-traffic system-services all
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services all
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic protocols all
set security zones security-zone IonMeters host-inbound-traffic system-services all
set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic system-services all
set security zones security-zone IonMeters interfaces irb.13 host-inbound-traffic protocols all
set security zones security-zone GeneralDeviceManagement host-inbound-traffic system-services all
set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic system-services all
set security zones security-zone GeneralDeviceManagement interfaces irb.9 host-inbound-traffic protocols all
set security zones security-zone EngineeringAccess host-inbound-traffic system-services all
set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic system-services all
set security zones security-zone EngineeringAccess interfaces irb.21 host-inbound-traffic protocols all
set security zones security-zone DFR host-inbound-traffic system-services all
set security zones security-zone DFR interfaces irb.14 host-inbound-traffic system-services all
set security zones security-zone DFR interfaces irb.14 host-inbound-traffic protocols all
set security zones security-zone trust
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members Maintenance
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/2 unit 0 family inet
set interfaces ge-0/0/3 unit 0 family inet
set interfaces ge-0/0/4 unit 0 family inet
set interfaces ge-0/0/5 unit 0 family inet
set interfaces ge-0/0/6 unit 0 family inet
set interfaces ge-0/0/7 unit 0 family inet
set interfaces ge-0/0/9 unit 0 family inet
set interfaces fxp0 unit 0 family inet address 192.168.1.2/24
set interfaces irb unit 9 family inet address 10.207.10.5/23
set interfaces irb unit 10 family inet address 10.207.8.5/24
set interfaces irb unit 13 family inet address 10.207.50.5/23
set interfaces irb unit 14 family inet address 10.207.48.5/23
set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 virtual-address 10.207.22.1
set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 priority 100
set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 accept-data
set interfaces irb unit 20 family inet address 10.207.22.5/24 vrrp-group 20 track interface irb.20 priority-cost 100
set interfaces irb unit 21 family inet address 10.207.24.5/21
set routing-options static route 0.0.0.0/0 next-hop 10.207.22.5
set protocols l2-learning global-mode switching
set access address-assignment pool p1 family inet network 10.207.22.0/24
set access address-assignment pool p1 family inet range r1 low 10.207.22.126
set access address-assignment pool p1 family inet range r1 high 10.207.22.150
set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool p1 family inet dhcp-attributes name-server 10.207.22.1
set access address-assignment pool p1 family inet dhcp-attributes router 10.207.22.1
set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
set vlans DFR vlan-id 14
set vlans DFR l3-interface irb.14
set vlans Engineering vlan-id 21
set vlans Engineering l3-interface irb.21
set vlans GeneralDeviceManagement vlan-id 9
set vlans GeneralDeviceManagement l3-interface irb.9
set vlans Ion vlan-id 13
set vlans Ion l3-interface irb.13
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans NetworkManagement vlan-id 10
set vlans NetworkManagement l3-interface irb.10
set vlans Phones vlan-id 31
set vlans Phones l3-interface irb.31
set vlans VHF vlan-id 16
set vlans VHF l3-interface irb.16
set vlans Video vlan-id 32
set vlans Video l3-interface irb.32
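Both problems in the last post, and the earlier zone question, come down to whether the interfaces irb, security zones, vlans and VRRP stanzas agree with each other. The Python linter below is an added example, not code from the thread or from Juniper: it parses a constructed excerpt of the SRX1 set-format config above and reports the consistency gaps a reviewer would check before looking at policies (an irb unit in no zone, a VLAN whose l3-interface has no irb unit, a default route pointing at the device's own address, a VRRP group without accept-data). The check names and messages are this example's own.

```python
"""Lint a Junos 'set'-format SRX config for the pitfalls raised in this thread.
Added example, not code from the thread or from Juniper. The input is a constructed
excerpt modelled on the SRX1 config posted above; the checks are this example's own."""
import re
from collections import defaultdict

# Constructed excerpt in Junos set syntax (a subset of the thread's SRX1 config).
SRX1 = """\
set system services ssh
set system services telnet
set security zones security-zone NetworkManagement interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone Maintenance interfaces irb.20 host-inbound-traffic system-services all
set interfaces irb unit 9 family inet address 10.207.10.3/23
set interfaces irb unit 10 family inet address 10.207.8.3/24
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 virtual-address 10.207.22.1
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 priority 200
set interfaces irb unit 20 family inet address 10.207.22.3/24 vrrp-group 20 accept-data
set routing-options static route 0.0.0.0/0 next-hop 10.207.22.3
set vlans Maintenance vlan-id 20
set vlans Maintenance l3-interface irb.20
set vlans Corp vlan-id 30
set vlans Corp l3-interface irb.30
"""

IRB_ADDR = re.compile(r"^set interfaces irb unit (\d+) family inet address (\S+)/\d+")
ZONE_IRB = re.compile(r"^set security zones security-zone (\S+) interfaces irb\.(\d+)")
VLAN_IRB = re.compile(r"^set vlans \S+ l3-interface irb\.(\d+)")
VRRP = re.compile(r"irb unit (\d+) .*vrrp-group (\d+) (virtual-address|priority|accept-data)\s*(\S*)")
DEFAULT_NH = re.compile(r"^set routing-options static route 0\.0\.0\.0/0 next-hop (\S+)")


def audit(config: str) -> list[str]:
    """Return one finding per problem found; an empty list means the checks passed."""
    irb_addr, zoned, vlan_irb = {}, set(), set()  # unit -> address; units in a zone; units named by vlans
    vrrp, findings, default_nh = defaultdict(dict), [], None
    for line in (l.strip() for l in config.splitlines()):
        if line == "set system services telnet":
            findings.append("telnet: cleartext management enabled, keep ssh only")
        if m := IRB_ADDR.match(line):
            irb_addr[m.group(1)] = m.group(2)
        if m := ZONE_IRB.match(line):
            zoned.add(m.group(2))
            if line.endswith("system-services all"):
                findings.append(f"irb.{m.group(2)} in zone {m.group(1)}: system-services all is too broad")
        if m := VLAN_IRB.match(line):
            vlan_irb.add(m.group(1))
        if m := VRRP.search(line):
            vrrp[(m.group(1), m.group(2))][m.group(3)] = m.group(4)
        if m := DEFAULT_NH.match(line):
            default_nh = m.group(1)
    # An SRX interface bound to no zone sits in the null zone and drops all traffic (Problem 2 symptom).
    for unit in sorted(irb_addr, key=int):
        if unit not in zoned:
            findings.append(f"irb.{unit} has an address but is in no security zone")
    # A vlan whose l3-interface has no irb unit never gets a gateway address.
    for unit in sorted(vlan_irb - set(irb_addr), key=int):
        findings.append(f"vlan references irb.{unit} but no irb unit {unit} is configured")
    # Without accept-data the VRRP master drops packets sent to the VIP (Problem 1 check).
    for (unit, group), opts in sorted(vrrp.items()):
        vip = opts.get("virtual-address")
        if vip is None or vip == irb_addr.get(unit):
            findings.append(f"irb.{unit} vrrp-group {group}: virtual-address missing or equal to the unit's own address")
        if "accept-data" not in opts:
            findings.append(f"irb.{unit} vrrp-group {group}: accept-data not set, the VIP will not answer")
    # A default route whose next-hop is a local address sends nothing off-box.
    if default_nh and default_nh in irb_addr.values():
        findings.append(f"default route next-hop {default_nh} is this device's own irb address")
    return findings


if __name__ == "__main__":
    for finding in audit(SRX1):
        print("-", finding)
```

Run the same function over the SRX2 config to compare the two peers; on a clean config it returns an empty list.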