SRX Services Gateway

SRX1500 Using DHCP Services for multiple VLAN along with all other functionality

‎12-31-2017 10:16 PM

Hi Guys,

 

Can someone please guide me regarding the following scenario.

I have been asked to use the SRX1500 for DHCP services for multiple VLANs. When doing so I have to make a trunk connection to pass VLAN-tagged packets between the core switch and firewall. This results in the firewall using an L2 interface and hence moving to transparent mode.

 

Upon inspection of the following page:

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-mixed-mode-understanding.h...

 

It is evident from:

Table 2: Security Features Supported in Mixed Mode (Transparent and Route Mode)

Mode Type

Supported

Not Supported

Mixed mode

  • Application Layer Gateways (ALGs)
  • Firewall User Authentication (FWAUTH)
  • Intrusion Detection and Prevention (IDP)
  • Screen
  • AppSecure
  • Unified Threat Management (UTM)

Route mode (Layer 3 interface)

  • Network Address Translation (NAT)
  • VPN

Transparent mode (Layer 2 interface)

 
  • Network Address Translation (NAT)
  • VPN
  • Unified Threat Management (UTM)

 

That route mode is the optimal mode for using all SRX features such as NAT, VPN and UTM.

 

Therefore, is it okay to conclude that DHCP services for multiple VLANs cannot be deployed on the SRX if route mode is the preferred mode?

 

Your prompt feedback is much appreciated.

 

Regards,

 

Mannan

System Engineer

JNICIS-SP,SEC , Ingenious Champion Service Provider.


Re: SRX1500 Using DHCP Services for multiple VLAN along with all other functionality

‎01-01-2018 11:07 PM

hello Mannan,

 

   My take on this is to configure VLAN tagging on one of the ports on the SRX1500, with your corresponding VLANs configured on your core switch (trunk). This port will be your trunk port downward to your core switch;

 

    Ex: on the SRX1500, let's say the module is in slot 3.

 

             set interfaces ge-3/0/0 vlan-tagging
             set interfaces ge-3/0/0 unit 100 vlan-id 100
             set interfaces ge-3/0/0 unit 100 family inet address 10.10.10.100/23

 

   >you can enable dhcp on this vlan 100 interface ge-3/0/0.100

  >make sure dhcp service is enabled on the subinterface (host-inbound services)

  >make sure your core switch has dhcp-helper or options enabled.

 

my two 2 cent$.

 

d
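The steps in the reply above, written out as a set-style configuration for two VLANs. This is an added example, not configuration posted by anyone in the thread. The zone name `trust`, the group and pool names, the second VLAN 200 with its 10.10.20.0/24 subnet, and the address ranges are constructed for illustration; `ge-3/0/0` and the VLAN 100 address come from the reply.

```junos
# Tagged Layer 3 sub-interfaces: family inet only, no family bridge
set interfaces ge-3/0/0 vlan-tagging
set interfaces ge-3/0/0 unit 100 vlan-id 100
set interfaces ge-3/0/0 unit 100 family inet address 10.10.10.100/23
set interfaces ge-3/0/0 unit 200 vlan-id 200
set interfaces ge-3/0/0 unit 200 family inet address 10.10.20.1/24

# Zone membership; allow only DHCP as host-inbound traffic on each unit
# (zone name "trust" is an assumption)
set security zones security-zone trust interfaces ge-3/0/0.100 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-3/0/0.200 host-inbound-traffic system-services dhcp

# DHCP local server listening on both sub-interfaces (group name is constructed)
set system services dhcp-local-server group VLANS interface ge-3/0/0.100
set system services dhcp-local-server group VLANS interface ge-3/0/0.200

# One address pool per VLAN subnet (pool names and ranges are constructed)
set access address-assignment pool VLAN100-POOL family inet network 10.10.10.0/23
set access address-assignment pool VLAN100-POOL family inet range R1 low 10.10.10.101 high 10.10.11.200
set access address-assignment pool VLAN100-POOL family inet dhcp-attributes router 10.10.10.100
set access address-assignment pool VLAN200-POOL family inet network 10.10.20.0/24
set access address-assignment pool VLAN200-POOL family inet range R1 low 10.10.20.50 high 10.10.20.200
set access address-assignment pool VLAN200-POOL family inet dhcp-attributes router 10.10.20.1
```

Restricting `host-inbound-traffic` to `dhcp` on each unit keeps other management services closed on the client-facing VLANs; `show dhcp server binding` lists the leases handed out after commit.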

 


Re: SRX1500 Using DHCP Services for multiple VLAN along with all other functionality

‎01-01-2018 11:28 PM
Hi,




I will have a go at this scenario,  but enabling this vlan tagging may force the firewall to transport mode.




Regards,




Mannan





Re: SRX1500 Using DHCP Services for multiple VLAN along with all other functionality

‎01-02-2018 02:51 AM

You can run in mixed mode with both layer 2 interfaces and layer 3 interfaces on the same device using family ethernet-switching.  

 

As long as you don't set the interfaces to family bridge and reboot you won't enter transparent mode.

 

But I am not sure if dhcp server settings require a layer 3 interface in the subnet or not.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home