Vlan-Rewrite on SRX


Hi,

VLAN rewrite on any box is always a fascinating concept. Tagged packets arrive with a specific VLAN, and once they come in they are changed to some other VLAN for egress, and vice versa.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB23737

The above KB will give you an idea of how vlan-rewrite is configured for a sample scenario on SRX. I made some enhancements: adding a new irb interface on the SRX and having a trunk port with a sub-interface.

Topology

[figure: topology_1]

Configuration is very straightforward:

-> Identify which VLAN needs to be manipulated

-> Identify the ingress interface

-> Make sure your vlan-id-list does not include the VLAN that needs to be converted. Yes, it is 'does not'.

[screenshot: 2_bridge_domains]

Here, VLAN 100 is not in the vlan-id-list of trunk interface ge-0/0/8, which is the ingress point. Many people have the misconception that all the VLANs configured on the interface must be allowed, but the point to understand here is that VLAN 100 is already being rewritten to another VLAN which the interface has allowed, so we need not allow it again in the interface's vlan-id-list.

[screenshot: 3_ping_test]

A policy needs to be written with layer-2 interfaces in place. Unlike a routed-mode firewall, where we include layer-3 interfaces in zones, a transparent-mode firewall needs layer-2 interfaces in zones. I initially tried configuring irb interfaces in zones, only to learn that irb interfaces can never go into a security zone.
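As an added worked example (not the KB's configuration or the author's own), here is a Junos set-style configuration for the scenario above. VLAN 100 on the ingress trunk ge-0/0/8 comes from the page; the rewrite target VLAN 200, the downstream interface ge-0/0/9, the irb address and the zone and policy names are assumed.

```junos
# Added illustration; assumed values: VLAN 200, ge-0/0/9, irb address, zone/policy names.
# ge-0/0/8 is the ingress trunk. Frames tagged 100 are rewritten to 200 on ingress
# (and 200 back to 100 on egress). Note the vlan-id-list carries only 200, not 100.
set interfaces ge-0/0/8 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/8 unit 0 family bridge vlan-id-list 200
set interfaces ge-0/0/8 unit 0 family bridge vlan-rewrite translate 100 200
# ge-0/0/9 (assumed) is the downstream trunk carrying VLAN 200 unchanged.
set interfaces ge-0/0/9 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/9 unit 0 family bridge vlan-id-list 200
# Bridge domain for VLAN 200; trunk units listing VLAN 200 join it implicitly.
# irb.200 gives the firewall a layer-3 presence in the domain (assumed address).
set bridge-domains bd200 domain-type bridge
set bridge-domains bd200 vlan-id 200
set bridge-domains bd200 routing-interface irb.200
set interfaces irb unit 200 family inet address 192.0.2.1/24
# Zones hold the layer-2 units only; irb.200 must not be placed in a zone.
set security zones security-zone L2-TRUST interfaces ge-0/0/8.0
set security zones security-zone L2-UNTRUST interfaces ge-0/0/9.0
# Policy between the two layer-2 zones (assumed name; tighten match terms in practice).
set security policies from-zone L2-TRUST to-zone L2-UNTRUST policy permit-l2 match source-address any
set security policies from-zone L2-TRUST to-zone L2-UNTRUST policy permit-l2 match destination-address any
set security policies from-zone L2-TRUST to-zone L2-UNTRUST policy permit-l2 match application any
set security policies from-zone L2-TRUST to-zone L2-UNTRUST policy permit-l2 then permit
```

Adding 100 to the vlan-id-list of ge-0/0/8 alongside the translate statement is the misconfiguration the post warns about; the commit check or the bridge domain membership will show the mismatch.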

Regards

Rakesh M

Quick Series 17 – SRX CHASSIS CLUSTER – SWFAB LINK ? Layer-2 SVI support in Cluster


Hi,

In previous posts I covered labbing up SRX clustering and various topics on RETH interfaces. This post concentrates on building a cluster when you happen to have a layer-2 switching interface on your firewall and need to route it to the other cluster node, or even switch the traffic instead of routing it.

Requirement: make sure a server in VLAN 15, defined on the SRX, is able to communicate with VLAN 14 on the SRX, while both VLANs are defined on the same cluster.

Topology

[figure: topology]

Now, let us first see what interfaces we have on the SRX and what VLANs are defined.

[screenshot: 1_vlans_securityzones]

Next we define the fab0/fab1 interfaces, and for switching we also have to define interfaces called swfab0 and swfab1.

[screenshot: 2_fab_swfab_interfaces]

Let's see some cluster-related outputs. Remember that we have to use the ethernet-switching knob in order to see the ethernet-switching cluster-related parameters.

[screenshots: 4_srx__ethestchng_outputs, 3_srx_outputs]

Verifying ping from the configuration: looks fine!

[screenshot: 5_sw1_ping_output]

When switching traffic is initiated, we actually see that the swfab interfaces are used for inter-VLAN communication.

[screenshot: 6_final_output]

Regards

Rakesh M
