SRX Services Gateway

Why use IRB on SRX?

‎09-10-2019 01:03 PM

Greetings,

Brand new to SRX land.  I've been a Vyatta admin, and after that a Ubiquiti EdgeOS admin, and now moving into SRX territory, so there are some new concepts to learn.

One question I have is, why use IRB on an SRX device?  Isn't an SRX a router?  If so where would IRB be useful?

Thanks, I'm very inexperienced with JunOS.

~A.V.


Re: Why use IRB on SRX?

‎09-10-2019 02:35 PM

Hi A.V.

The SRX is a firewall that has routing and switching capabilities and, like in an L3 switch, you could configure vlans and assign an L3 interface to each vlan to act as the "gateway" for users within that vlan. This way the users within a specific vlan could communicate with other subnets.

See more information on the following link:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/irb-and-bridging.html

It is for switches but if you check the "Platform and Release Support" section you will see the SRX listed there.

Hope this helps you. Please mark the post as Resolved if you consider so.

Re: Why use IRB on SRX?

‎09-11-2019 07:48 AM

So, technically speaking, the SRX is not a "router?"

Re: Why use IRB on SRX?

‎09-11-2019 07:50 AM

In regards to IRB or RVIs, then, in order for them to do routing, whether on a switch or SRX, the hosts on the network need to have their gateways set as the IRB / RVI interface?

Re: Why use IRB on SRX?

‎09-11-2019 11:38 PM

The SRX is not a router, it is a firewall, but as mentioned it has great routing and switching capabilities. You can configure, like in a regular router, static routing, dynamic routing (OSPF, BGP, MPLS, etc.), DHCP, etc. There is even an option for turning all security options off and using it like a router (packet-based mode):

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-packet-based-forwarding....

Re: Why use IRB on SRX?

‎09-11-2019 11:51 PM

Regarding your second question, it really depends on what you want to implement. If you want the SRX to be the default gateway and you are using vlans and IRBs then yes, your hosts should point to the IRB's address when they want to reach other subnets.

Likewise you could have the hosts connected to a switch and that switch connected to a regular SRX's interface like ge-0/0/1.0 and have the hosts point to the ge-0/0/1.0's address as their default gateway. However, following this approach you could end up wasting physical ports on the SRX while you could be using IRBs (virtual interfaces) instead.

Another option is to configure different vlans on the switch where the hosts are connected to and then create a trunk link between the switch and the SRX and use vlan-tagging on the physical interface of the SRX. (This is router-on-a-stick in Cisco world).

Re: Why use IRB on SRX?

‎09-12-2019 11:08 AM

So basically, so as to not waste ports on the SRX, I could make certain ports on the SRX ethernet-switching family with VLAN access type as trunk, then each VLAN assigned an IRB L3 interface (corresponding to the VLAN's subnet), then each IRB assigned to a pertinent security zone. Our DHCP server would then assign the default gateway as the IRB addresses.

Is this the right way to look at it?

Re: Why use IRB on SRX?

‎09-12-2019 07:38 PM

You might need to connect multiple devices that belong to the same IP subnet (maybe switches) to the SRX and you don't want to change the IP addresses.

Now, depending on the Junos version, the type of SRX, and the mode your SRX is configured for (transparent, mixed, or switching mode):

- the irb interface can only be used to connect to the SRX from devices in the vlan, with no routing between irbs (vlans) or between irbs and interfaces that might be configured as L3 interfaces (transparent mode or mixed mode respectively), OR

- the irb interface can be used to connect to the SRX, and also for intervlan routing or routing between irbs and interfaces that might be configured as L3 interfaces (switching mode).

The mode can be checked with: show ethernet-switching global-information, and can be changed with set protocols l2-learning global-mode (switching | transparent-bridge) with proper Junos version. The default also varies based on the SRX type and Junos version.

Regards,

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: Why use IRB on SRX?

‎09-16-2019 07:45 AM

A. Vanson

Your understanding is correct.

If you consider this post is Resolved please mark it as such.
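
The design confirmed in this thread (a trunk port in family ethernet-switching, one IRB per VLAN, each IRB in its own security zone), written out as an added configuration sketch that is not from any poster or from Juniper. The interface name, VLAN names and IDs, addresses, zone names and policy name are assumptions, and the syntax assumes a Junos release that uses irb units and the l2-learning global-mode statement mentioned above.

```junos
# Constructed example: ge-0/0/2, users/servers, VLAN IDs 10/20 and the
# documentation-range addresses are placeholders, not values from the thread.

# Switching mode, so the irb units can route between VLANs
# (command quoted in the thread; availability depends on platform/release).
set protocols l2-learning global-mode switching

# Trunk port toward the downstream switch, carrying both VLANs.
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members users
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members servers

# One VLAN per subnet, each bound to its own IRB unit.
set vlans users vlan-id 10
set vlans users l3-interface irb.10
set vlans servers vlan-id 20
set vlans servers l3-interface irb.20

# IRB addresses: these are the default gateways the DHCP server hands out.
set interfaces irb unit 10 family inet address 192.0.2.1/24
set interfaces irb unit 20 family inet address 198.51.100.1/24

# Each IRB goes into its own zone, so inter-VLAN traffic crosses a zone
# boundary and is evaluated by security policy. Only ping is allowed to
# reach the SRX itself on these interfaces.
set security zones security-zone users interfaces irb.10
set security zones security-zone users host-inbound-traffic system-services ping
set security zones security-zone servers interfaces irb.20
set security zones security-zone servers host-inbound-traffic system-services ping

# Allow only HTTPS from users to servers. Traffic between the zones that
# matches no policy falls to the default policy (deny-all unless changed).
set security policies from-zone users to-zone servers policy users-to-servers match source-address any
set security policies from-zone users to-zone servers policy users-to-servers match destination-address any
set security policies from-zone users to-zone servers policy users-to-servers match application junos-https
set security policies from-zone users to-zone servers policy users-to-servers then permit
```

After committing, show ethernet-switching global-information (the command given in the thread) confirms which mode the SRX is actually running in.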