SRX

  • 1.  intra zone traffic

    Posted 11-03-2012 06:43

    We have 3 VLANs:

    Vlan A - 192.168.100.1/24

    Vlan B - 192.168.200.1/24

    Vlan C - 192.168.300.1/24

    All three VLANs will be under a single zone called "INTERNAL".

    1. If all are under the same zone, will traffic flow freely from each VLAN to the others?

    2. If I want to restrict traffic from one IP, 192.168.100.11 in Vlan A, to 192.168.200.21 in Vlan B, can I achieve this, considering they are under the same zone?

     

    Thanks.



  • 2.  RE: intra zone traffic
    Best Answer

    Posted 11-03-2012 06:59
    Hi,

    1. No, on the SRX intra-zone traffic is not allowed by default. If you want to allow it, you need a security policy with from-zone INTERNAL to-zone INTERNAL.

    2. As mentioned above, it is denied by default. According to your requirement, you can write a policy to allow/deny specific traffic. The only thing different here is that both from-zone and to-zone are the same.


  • 3.  RE: intra zone traffic

    Posted 11-03-2012 07:13

    Thank You for the reply.

     

    1. So how do I create a policy from the same zone INTERNAL to the same zone? What do I include in it so that all traffic within the same zone is allowed?

    2. So it means I can write specific IP-based rules to deny traffic from one VLAN to an IP in another VLAN within the same zone?



  • 4.  RE: intra zone traffic

    Posted 11-03-2012 07:50

    Hi,

     

    Configure as below to meet both of your requirements. Please note that the ordering of policies is also important.

     

    set security zones security-zone INTERNAL address-book address PC1 192.168.100.11
    set security zones security-zone INTERNAL address-book address PC2 192.168.200.21

    set security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific match source-address PC1
    set security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific match destination-address PC2
    set security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific match application any
    set security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific then deny

    set security policies from-zone INTERNAL to-zone INTERNAL policy allow-all match source-address any
    set security policies from-zone INTERNAL to-zone INTERNAL policy allow-all match destination-address any
    set security policies from-zone INTERNAL to-zone INTERNAL policy allow-all match application any
    set security policies from-zone INTERNAL to-zone INTERNAL policy allow-all then permit
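An expanded version of the configuration in the reply above, added here as an illustration and not taken from any of the posts: it binds the routed VLAN interfaces into the INTERNAL zone, commits the specific deny ahead of the catch-all permit, shows how to repair the order with `insert` if the permit was committed first, and verifies the lookup result with `show security match-policies`. The interface names and unit numbers, the explicit /32 host entries, the `log session-init` action and the test ports are assumptions; Vlan C is left out because 192.168.300.0/24 is not a valid IPv4 prefix.

```junos
# Added example (not the original poster's config). Assumes the VLANs
# terminate on the SRX as routed "vlan" units; names and units are assumed.

# Routed VLAN interfaces, both placed in the single INTERNAL zone
set interfaces vlan unit 100 family inet address 192.168.100.1/24
set interfaces vlan unit 200 family inet address 192.168.200.1/24
set security zones security-zone INTERNAL interfaces vlan.100
set security zones security-zone INTERNAL interfaces vlan.200

# Zone-scoped address-book entries; the /32 makes the host scope explicit
set security zones security-zone INTERNAL address-book address PC1 192.168.100.11/32
set security zones security-zone INTERNAL address-book address PC2 192.168.200.21/32

# Specific deny, logged at session setup so the block is visible in the security log
set security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific match source-address PC1
set security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific match destination-address PC2
set security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific match application any
set security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific then deny
set security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific then log session-init

# Catch-all permit for everything else inside the zone
set security policies from-zone INTERNAL to-zone INTERNAL policy allow-all match source-address any
set security policies from-zone INTERNAL to-zone INTERNAL policy allow-all match destination-address any
set security policies from-zone INTERNAL to-zone INTERNAL policy allow-all match application any
set security policies from-zone INTERNAL to-zone INTERNAL policy allow-all then permit

# If allow-all already existed, move the deny above it instead of deleting and re-adding
insert security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific before policy allow-all

commit check
commit

# Verify the resulting order and which policy a PC1 -> PC2 SSH session would hit
run show security policies from-zone INTERNAL to-zone INTERNAL
run show security match-policies from-zone INTERNAL to-zone INTERNAL source-ip 192.168.100.11 destination-ip 192.168.200.21 source-port 40000 destination-port 22 protocol tcp
```

The SRX evaluates the policies of a zone pair top-down and stops at the first match, so restrict-specific must sit above allow-all or it is never reached; `show security policies` prints them in lookup order, and `show security match-policies` reports the policy that a given 5-tuple resolves to before any real traffic is sent. Note that the policy only governs traffic the SRX actually routes: PC1 and PC2 are in different VLANs, so their traffic crosses the SRX and is denied, while two hosts in the same VLAN are switched directly and never pass through the policy.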