Vlan-Rewrite on SRX

VLAN rewrite on any box is always a fascinating concept. Tagged packets arrive with a specific VLAN and, once they come in, they are changed to some other VLAN for egress, and vice versa.


The above KB gives you an idea of how vlan-rewrite is configured for a sample scenario on the SRX. I made some enhancements, adding a new irb interface on the SRX and a trunk port with a sub-interface.



Configuration is very straightforward:

-> Identify which VLAN needs to be manipulated

-> Identify the ingress interface

-> Make sure your vlan-id-list does not include the VLAN that is being converted (the ingress VLAN that gets rewritten) – yes, it is ‘Does Not’


Here, VLAN 100 is not in the vlan-id-list of trunk interface ge-0/0/8, which is the ingress point. Many people assume they have to allow all the VLANs configured on the interface, but the point to understand is that VLAN 100 is already being rewritten to another VLAN that the interface allows, so it does not need to be allowed again in the interface's vlan-id-list.


A policy needs to be written with Layer-2 interfaces in place: unlike a routed-mode firewall, where we put Layer-3 interfaces in zones, a transparent-mode firewall needs Layer-2 interfaces in its zones. I initially tried configuring irb interfaces in zones, only to learn that irb interfaces can never go into a security zone.
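To make the two rules above concrete, here is a small check I add as an example (it is not from the original post or from Juniper): a lint over a Junos-style "set" configuration that flags a vlan-rewrite whose ingress (from) VLAN is still in the trunk's vlan-id-list, a vlan-rewrite whose target VLAN is missing from that list, and an irb interface placed in a security zone. The sample configuration embedded in it is constructed for this example; the interface names, the bridge domain bd200, the zone names and the 192.0.2.1/24 address are made up, and the command hierarchy (family bridge with interface-mode trunk, vlan-id-list and vlan-rewrite translate) is my assumption of the transparent-mode syntax and should be checked against your release.

```python
"""Lint a Junos-style 'set' configuration for the two transparent-mode rules
discussed in the post. Added example; not code from the post or from Juniper.
The command hierarchy used below is an assumption about family-bridge syntax."""
import re
from collections import defaultdict

# Constructed sample configuration (names and addresses are hypothetical).
SAMPLE_CONFIG = """
set interfaces ge-0/0/8 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/8 unit 0 family bridge vlan-id-list 200
set interfaces ge-0/0/8 unit 0 family bridge vlan-rewrite translate 100 200
set interfaces ge-0/0/9 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/9 unit 0 family bridge vlan-id-list 200
set bridge-domains bd200 domain-type bridge
set bridge-domains bd200 vlan-id 200
set bridge-domains bd200 routing-interface irb.200
set interfaces irb unit 200 family inet address 192.0.2.1/24
set security zones security-zone L2-IN interfaces ge-0/0/8.0
set security zones security-zone L2-OUT interfaces ge-0/0/9.0
set security policies from-zone L2-IN to-zone L2-OUT policy permit-all match source-address any
set security policies from-zone L2-IN to-zone L2-OUT policy permit-all match destination-address any
set security policies from-zone L2-IN to-zone L2-OUT policy permit-all match application any
set security policies from-zone L2-IN to-zone L2-OUT policy permit-all then permit
"""

VLAN_LIST_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family bridge vlan-id-list (.+)$")
REWRITE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family bridge vlan-rewrite translate (\d+) (\d+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")


def expand_vlan_list(text):
    """Expand 'vlan-id-list 200', '[ 200 300 ]' or '200-210' into a set of VLAN ids."""
    vlans = set()
    for token in text.strip("[] ").split():
        if "-" in token:
            lo, hi = token.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(token))
    return vlans


def lint_config(config_text):
    """Return a list of findings; an empty list means both rules are satisfied."""
    allowed = defaultdict(set)   # (interface, unit) -> VLANs permitted on the trunk
    rewrites = []                # (interface, unit, from_vlan, to_vlan)
    zone_members = []            # (zone, logical interface)

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VLAN_LIST_RE.match(line)
        if m:
            allowed[(m.group(1), m.group(2))] |= expand_vlan_list(m.group(3))
            continue
        m = REWRITE_RE.match(line)
        if m:
            rewrites.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
            continue
        m = ZONE_IF_RE.match(line)
        if m:
            zone_members.append((m.group(1), m.group(2)))

    findings = []
    # Rule 1: the VLAN being rewritten must not be in vlan-id-list; its target must be.
    for ifd, unit, frm, to in rewrites:
        vlans = allowed.get((ifd, unit), set())
        if frm in vlans:
            findings.append(f"{ifd}.{unit}: vlan-rewrite from-vlan {frm} must not be in vlan-id-list")
        if to not in vlans:
            findings.append(f"{ifd}.{unit}: vlan-rewrite to-vlan {to} is not in vlan-id-list")
    # Rule 2: zones hold Layer-2 interfaces, never irb interfaces.
    for zone, ifl in zone_members:
        if ifl.startswith("irb."):
            findings.append(f"zone {zone}: irb interface {ifl} cannot be a zone member; use the Layer-2 interface")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a configuration you are about to commit (paste the output of "show configuration | display set" into the string): the sample passes cleanly, while adding VLAN 100 to the ge-0/0/8 vlan-id-list or putting irb.200 into a zone produces a finding for each mistake.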


Rakesh M

Quick Series 17 – SRX CHASSIS CLUSTER – SWFAB LINK – Layer-2 SVI support in Cluster

In previous posts I have covered labbing up SRX clustering and various topics on RETH interfaces. This post concentrates on building a cluster when you happen to have a Layer-2 switching interface on your firewall and have to route it to the other cluster node, or even switch the traffic instead of routing it.

Requirement: make sure the server in VLAN 15 defined on the SRX can communicate with VLAN 14 on the SRX, while both VLANs are defined on the same cluster.



Now, let us first see what interfaces we have on the SRX and what VLANs are defined.


Next we define the fab0/fab1 interfaces; for switching we also have to define the swfab0 and swfab1 interfaces.


Let's see some cluster-related outputs. Remember that we have to use the ethernet-switching knob in order to see the ethernet-switching cluster-related parameters.


Verifying ping from the configuration: looks fine!


When switching traffic is initiated, we actually see that the swfab interfaces are used for inter-VLAN communication.



Rakesh M

