SRX Services Gateway

SRX firewall as router

05-24-2013 06:24 AM

Hi Experts

I have SRX100, 240 and 3400 which I want to use for JNCIE-SP preparation.

I would like to ask how many things I can practice on these firewalls for JNCIE-SP?

Secondly, I want these firewalls to work purely as a router. How can I do that?

I heard that if we disable flow control it will act as a router. Is it true, and how can I achieve it?

I connected my laptop directly to the SRX using an IP in the same subnet, and I was not able to ping the interfaces until I enabled host-inbound services for that interface.

When this firewall behaves purely as a router, will I need these sorts of things or not?


Thanks and Regards

Ahmed

Ahmed Sharif
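The ping behaviour described in the question is the normal flow-mode default: traffic addressed to the SRX itself is only admitted if the interface's zone lists that service under host-inbound-traffic. The following is an added illustration in Junos set syntax, not configuration from the thread; the interface name, zone name and address are assumptions.

```junos
# Added example (not from the thread): why a laptop on the same subnet cannot
# ping the SRX until host-inbound services are configured.
# In flow mode, packets destined to the SRX itself are checked against the
# zone's host-inbound-traffic list, and nothing is admitted by default.
# Assumed names: interface ge-0/0/1.0, zone "lab", address 192.0.2.1/24.
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set security zones security-zone lab interfaces ge-0/0/1.0

# Admit only ICMP echo on this interface: ping now works, while SSH, HTTP and
# every other service aimed at the box stay blocked (least privilege). Widen
# the list per interface as needed rather than using "all".
set security zones security-zone lab interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

# Verification from operational mode: the zone should list "ping" as an
# allowed system service on ge-0/0/1.0.
show security zones lab
```

Once a branch SRX is switched to packet mode, zones and their host-inbound-traffic lists are no longer consulted, so the equivalent control for protecting the Routing Engine is a stateless firewall filter applied to the lo0 interface.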

Re: SRX firewall as router

05-24-2013 07:42 AM

Hello,

1/ JNCIE-SP exam curriculum

http://www.juniper.net/us/en/training/certification/service_provider_track.html#jnciesp

The 8-hour format of this exam requires that candidates build a service provider network consisting of multiple MX series routers. Successful candidates will perform system configuration on all devices, implement various protocols, policies and VPNs, HA capabilities, and Class of Services.

Exam topics MAY include: Device Infrastructure, IGP, MPLS, BGP, VPNs, Multicast, CoS

You should be able to use SRX to learn all of the above topics but You won't be able to recreate ALL and ANY scenario which is supported on MX-series. Exceptions include:

- Graceful Routing Engine Switchover (GRES) - requires 2 Routing Engines

- Nonstop Routing - ditto

- Nonstop Bridging - ditto

- some advanced 802.1Q tag manipulation techniques

- BRAS/BNG

2/ To put SRX into packet-mode, use

delete security
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based
set security forwarding-options family inet6 mode packet-based

You may need to reboot Your SRX device after that.


HTH

Thanks

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: SRX firewall as router

06-11-2013 12:54 PM

Hello Alex

Thanks for the reply. I have both high end (SRX3400) and low end (SRX 210, SRX 100) firewalls.

I have tried the procedure on the high end for now and I am receiving some warnings in the configuration, as below.

The question is: is it OK to see these messages after executing the commands you mentioned, and has the firewall been turned into a router now?

I have to try on the low end firewalls as well. Will do once I get some info on the mentioned warnings from you.

security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            ##
            ## Warning: configuration block ignored: unsupported platform (srx3400)
            ##
            mpls {
                mode packet-based;
            }
            ##
            ## Warning: configuration block ignored: unsupported platform (srx3400)
            ##
            iso {
                mode packet-based;
            }
        }
    }
}


Thanks and Regards

Ahmed

Ahmed Sharif
Solution accepted by topic author ahmedsharif on 08-26-2015 01:27 AM

Re: SRX firewall as router

06-12-2013 03:43 AM

I do not think you can disable flow mode on the Data centre SRX, hence the error in committing that configuration. They are designed as pure firewalls, while the branch office devices are designed for the multipurpose of routing, switching and security. Which means they should change the names to SX for the highend devices then.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Re: SRX firewall as router

06-17-2013 05:02 AM

Totally agree with you, you can use packet mode only with branch office SRXs....


if this worked for you, kindly help other visitors/members of our community by tagging this post as "Accepted Solution".
Kudos are good way of appreciation.
-------------
Red1
JNCIE-SEC #158, JNCIP-SP, JNCIS- ( FWV, SA, AC )


Re: SRX firewall as router

06-17-2013 06:03 AM

Hello,

Please check out the "Feature Support Reference" in the SRX documentation section.

The warnings You are getting are correct: packet-based processing and selective stateless packet-based services are NOT supported on High-End SRX (SRX1K, SRX3K and SRX5K)

https://www.juniper.net/techpubs/en_US/junos12.1x44/topics/reference/general/security-feature-flow-b... 

HTH

Thanks
Alex


Re: SRX firewall as router

08-05-2013 04:58 AM

Hello Lyndidon

Thanks for your reply and to other experts also.

What I understood from you is that I can't use SRX3400 as a router? Is it true?


Regards

Ahmed Sharif

Re: SRX firewall as router

[Edited]
08-05-2013 10:57 AM

You can get further understanding by clicking on these links and examining the details very carefully. The comments are generally good, but better understanding is normally contained in the links provided.


https://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-packet-based-processing-...
https://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-selective-stateless-pack...

The SRX will still be routing traffic, unless you configure it in transparent mode, in which case it will be acting as a switch but with some of the security features of a firewall. The modes simply tell the router/firewall/SRX how to process the packets. It is still routing packets. Remember the flow module?

Packet mode - process each packet individually without the use of the session table; it does not matter if it is from the same SA, SP, going to the same DA, DP and using the same protocol. The packets still have to be routed, because the device is acting as a Layer 3 device. Only stateless FF can be applied. With the branch series device, you can decouple the security processing of the "packets" by bypassing the flow module.

Flow mode - group the packets together and treat them as a flow if the SA, DA, SP, DP and protocol are the same by using the session table. With the Data Centre series, you cannot decouple the security processing of the "packets" by bypassing the flow module.


Now, exactly which statement gave you this impression "What I understood from you is that I cant use SRX3400 as a router? Is it true?"

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
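The "decoupling" of security processing on a branch SRX that the post above describes is done with a stateless firewall filter whose term ends in the packet-mode action (the selective stateless packet-based services linked earlier in the thread). The block below is an added example, not configuration from the post or from Juniper's documentation; the filter name, term names, prefix and interface are assumptions.

```junos
# Added example (not from the thread): selective stateless packet-based
# services on a branch SRX. Packets matching the packet-mode term skip the
# flow module (no session table, no zone policy, stateless filtering only);
# everything else still goes through flow mode. Names are assumptions.

# 1. Stateless filter: only traffic between the lab's router subnets is
#    handled packet-based. A final accept term keeps all other traffic in
#    flow mode instead of hitting the implicit discard at the end of the filter.
set firewall family inet filter bypass-flow term lab-routers from source-address 10.0.0.0/8
set firewall family inet filter bypass-flow term lab-routers from destination-address 10.0.0.0/8
set firewall family inet filter bypass-flow term lab-routers then packet-mode
set firewall family inet filter bypass-flow term everything-else then accept

# 2. Apply the filter on the router-facing interface for both directions so
#    that both halves of an exchange are classified the same way; otherwise
#    one direction is stateful and the other is not.
set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow
set interfaces ge-0/0/2 unit 0 family inet filter output bypass-flow

# 3. Verification from operational mode: a packet-mode flow leaves no entry in
#    the session table, so a lab ping between the router subnets should show
#    no matching session here while it is still forwarded.
show security flow session destination-prefix 10.0.0.0/8
```

Because packet-mode traffic never receives stateful inspection, keep the matching prefixes as narrow as the lab needs; the same filter on a high-end SRX (SRX1K/3K/5K) is not supported, which is consistent with the "unsupported platform" warnings shown earlier in the thread.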

Re: SRX firewall as router

08-07-2013 08:12 AM

@ahmedsharif wrote:

Hello Lyndidon

Thanks for your reply and to other experts also.

What I understood from you is that I can't use SRX3400 as a router? Is it true?


Regards


You can use it to do plenty of routing, just some things are not available that require packet mode.


Re: SRX firewall as router

2 weeks ago

Great tip my friend.

It was like a magic for me, working fine.

Thank you!