SRX Services Gateway

FBR - PBR - SRX - Outbound L3 inbound L2 Flow and IRB interfaces

3 weeks ago

Hi everyone!

 

I've a question:

 

Topology:

 

untrust interface trunk
           SRX
trust interfaces irb (local vlans)

 

I need the external traffic to pass to the internal VLANs of the irb interfaces transparently at L2 (as if the SRX did not exist), but the traffic from the trust side to untrust should exit through L3.

 

Would it be possible to do this by configuring FBR based on source?

Would communication between the irb interfaces affect the creation of the routing instance?

 

What do you think?


Thank you!


Re: FBR - PBR - SRX - Outbound L3 inbound L2 Flow and IRB interfaces

3 weeks ago

Hello Chaimae,


I need the external traffic to pass to the internal vlans of the irb interfaces transparently L2 (as if the srx did not exist) - I guess the following document is similar to your requirement in terms of transparent mode - https://kb.juniper.net/InfoCenter/index?page=content&id=KB31147&actp=METADATA


The traffic from the trust side to untrust would exit through L3. Would it be possible to do this by configuring FBR based on source? - If you have a single untrust interface then we don't need FBF. We can control the traffic with security policies itself. FBF is used if you have 2 untrust interfaces and a few sources have to be routed to one and the rest to another.


Please make sure to check the limitations of transparent mode in SRX series devices - https://www.juniper.net/documentation/en_US/junos/topics/topic-map/layer-2-understanding.html#id-eth...

 

 



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: FBR - PBR - SRX - Outbound L3 inbound L2 Flow and IRB interfaces

3 weeks ago

Hello Noobmaster!

 

Thank you so much for your answer.

 

Sorry for the delay. The problem is that I don't need all the traffic on L2 (transparent), but part of the traffic (the outgoing) on L3, while the traffic that enters the FW and goes to the internal VLANs passes on L2.

 

I only have a trunk interface between the FW and the Router.

 

I don't see how to do it by setting the global-mode to transparent.

 

I don't know if it will be possible to achieve this. Do you see any possibility?


Thank you!


Re: FBR - PBR - SRX - Outbound L3 inbound L2 Flow and IRB interfaces

3 weeks ago

Hi Chaimae,

 

No Problem.

 

If you configure the SRX in transparent mode, it is applied globally. So you can't segregate certain traffic to be transparent. Besides, as all the physical interfaces will be configured as L2 interfaces, no L3 IP address can be configured on the physical interface.

 

May I ask why you would like to implement Transparent mode?



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: FBR - PBR - SRX - Outbound L3 inbound L2 Flow and IRB interfaces

3 weeks ago

Hi noobmaster!

 

Thank you again!

 

If you configure the SRX in transparent mode, it is applied globally. So you can't segregate certain traffic to be transparent. Besides, as all the physical interfaces will be configured as L2 interfaces, no L3 IP address can be configured on the physical interface.

 

But what about irb trunk interface (the external interface)?


Wouldn't this work? Wouldn't this decide whether to pass the traffic through at L2 or L3 depending on the datagram header?

 

* Integrated Routing and Bridging (IRB) is a technique that allows a protocol to be bridged as well as routed on the same interface on a router. When a router is configured for IRB, it maintains the existing VLAN header when forwarding the frame between the interfaces. This allows the same VLAN to span a router.

 

May I ask why you would like to implement Transparent mode?
I'm not quite sure, it is the requirement that is needed.

 

Thank you very much!
Best regards


Re: FBR - PBR - SRX - Outbound L3 inbound L2 Flow and IRB interfaces

3 weeks ago

Hi Chaimae,

 

Is your requirement to route the traffic from irb.10 or irb.20 towards the external interface (let's say ge-0/0/1) to the Internet on the SRX?

 

If that's the case then I would suggest you try it, because I have never done this configuration. But I think it should work. Second, please don't change any modes on the SRX; just leave it at the default.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: FBR - PBR - SRX - Outbound L3 inbound L2 Flow and IRB interfaces

3 weeks ago

But what about irb trunk interface (the external interface)?

Yes, this should work. Please try and let me know if you face any issues.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Outbound L3 inbound L2 traffic in same physical interface

3 weeks ago

Hi!

 

Thank you! Unfortunately the configuration with irb interfaces did not work for me.

 

The problem is that I have only 1 trunk link between the FW and the Router. This trunk link must carry 3 vlans. There is only one IP for each vlan to be placed on the untrust trunk interface. External traffic must pass to internal vlans transparently. But the traffic that leaves from the inside to the outside must go through L3.

 

vlan 1 = 192.168.1.0/24
vlan 2 = 192.168.2.0/24
vlan 3 = 192.168.3.0/24

 

UNTRUST: ge-0/0/0 - carries 3 VLANs on a single link (FW-ROUTER)


unit 1: vlan 1 (192.168.1.0/24)
unit 2: vlan 2 (192.168.2.0/24)
unit 3: vlan 3 (192.168.3.0/24)

 

TRUST:

ge-0/0/1 - vlan1 members
ge-0/0/2 - vlan2 members
ge-0/0/3 - vlan3 members

 

I've seen some similar approaches with vlan-ccc and vlan-vpls combined with vpls-type routing instances, but couldn't get it to work.

 

Has anyone configured something similar? Or do you have any idea how this setting can be achieved?

 

Thank you!


Re: Outbound L3 inbound L2 traffic in same physical interface

3 weeks ago

Hi Chaimae,

 

Hope you are doing well.

 

Actually, I'm out of my depth so I shall leave the rest to other community members.

 

Although, I have one last suggestion!!!

 

Is it possible to put all the interfaces in L3 mode with VLAN tagging? Logically thinking, it should work but I'm not sure about the limitations. 

 

Below are the sample configurations:

 

 

TRUST:
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces ge-0/0/1 unit 0 vlan-id 10
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/2 unit 0 family inet address 192.168.20.1/24
set interfaces ge-0/0/2 unit 0 vlan-id 20
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/3 unit 0 family inet address 192.168.30.1/24
set interfaces ge-0/0/3 unit 0 vlan-id 30
set interfaces ge-0/0/3 vlan-tagging

UNTRUST:
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 10 vlan-id 10
set interfaces ge-0/0/0 unit 10 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 20 vlan-id 20
set interfaces ge-0/0/0 unit 20 family inet address 192.168.2.1/24
set interfaces ge-0/0/0 unit 30 vlan-id 30
set interfaces ge-0/0/0 unit 30 family inet address 192.168.3.1/24

 

 

Please correct me if I'm wrong.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
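An added example, not code from the thread or from Juniper: a small Python linter for Junos set-format interface configuration of the kind posted above. It parses `set interfaces <ifd> vlan-tagging`, `unit N vlan-id V` and `unit N family inet address A` lines, and flags the mistakes that are easy to make when several VLANs are hung off one trunk: a single logical unit given more than one vlan-id (Junos keeps only the last value, so three intended sub-interfaces silently collapse into one), a vlan-id on an interface that lacks `vlan-tagging`, and one vlan-id claimed by two units of the same physical interface. It also emits a one-unit-per-VLAN rewrite. The sample config it runs on is constructed for this example, loosely modelled on the three-VLAN layout in the thread; the positional pairing of addresses to vlan-ids in the rewrite, and the choice of unit number equal to vlan-id, are assumptions of the example.

```python
"""Lint Junos 'set interfaces' lines for VLAN sub-interface mistakes.

Added example, not code from the thread or from Juniper. It recognises
three statement shapes only:
    set interfaces <ifd> vlan-tagging
    set interfaces <ifd> unit <n> vlan-id <v>
    set interfaces <ifd> unit <n> family inet address <a>
"""
import re

SET_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+)(?: unit (?P<unit>\d+))?(?P<rest>.*)$"
)

# Constructed sample: one trunk toward the router carrying three VLANs, with
# the common mistake of hanging every vlan-id and address off unit 0.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 0 vlan-id 10
set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/0 unit 0 vlan-id 20
set interfaces ge-0/0/0 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/0 unit 0 vlan-id 30
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces ge-0/0/1 unit 0 vlan-id 10
set interfaces ge-0/0/1 vlan-tagging
"""


def parse_interfaces(config_text):
    """Build {ifd: {"tagging": bool, "units": {n: {"vlan_ids": [], "addresses": []}}}}.

    Every occurrence is recorded, not just the last, so a repeated
    vlan-id on one unit remains visible to the linter.
    """
    model = {}
    for raw in config_text.splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            continue  # not an interface statement this example cares about
        entry = model.setdefault(m.group("ifd"), {"tagging": False, "units": {}})
        tokens = m.group("rest").split()
        if m.group("unit") is None:
            if tokens == ["vlan-tagging"]:
                entry["tagging"] = True
            continue
        unit = entry["units"].setdefault(
            int(m.group("unit")), {"vlan_ids": [], "addresses": []}
        )
        if tokens[:1] == ["vlan-id"] and len(tokens) == 2:
            unit["vlan_ids"].append(int(tokens[1]))
        elif tokens[:3] == ["family", "inet", "address"] and len(tokens) == 4:
            unit["addresses"].append(tokens[3])
    return model


def lint(model):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for ifd, entry in sorted(model.items()):
        owner_of_vlan = {}  # vlan-id -> first unit seen carrying it on this ifd
        for n, unit in sorted(entry["units"].items()):
            if len(unit["vlan_ids"]) > 1:
                findings.append(
                    f"{ifd} unit {n}: vlan-id set {len(unit['vlan_ids'])} times "
                    f"{unit['vlan_ids']}; Junos keeps only the last value"
                )
            if unit["vlan_ids"] and not entry["tagging"]:
                findings.append(f"{ifd} unit {n}: vlan-id without vlan-tagging on {ifd}")
            for v in sorted(set(unit["vlan_ids"])):
                if v in owner_of_vlan:
                    findings.append(
                        f"{ifd}: vlan-id {v} on unit {owner_of_vlan[v]} and unit {n}"
                    )
                else:
                    owner_of_vlan[v] = n
    return findings


def one_unit_per_vlan(ifd, unit):
    """Rewrite a unit carrying several VLANs as one sub-interface per VLAN.

    Assumption of this example: the i-th address belongs to the i-th vlan-id,
    and the unit number is chosen equal to the vlan-id for readability.
    """
    lines = [f"set interfaces {ifd} vlan-tagging"]
    for v, addr in zip(unit["vlan_ids"], unit["addresses"]):
        lines.append(f"set interfaces {ifd} unit {v} vlan-id {v}")
        lines.append(f"set interfaces {ifd} unit {v} family inet address {addr}")
    return lines


if __name__ == "__main__":
    model = parse_interfaces(SAMPLE_CONFIG)
    for finding in lint(model):
        print("FINDING:", finding)
    print("\n".join(one_unit_per_vlan("ge-0/0/0", model["ge-0/0/0"]["units"][0])))
```

Run against a candidate configuration before committing it on the SRX; the rewrite it prints for the trunk is the shape a per-VLAN L3 sub-interface configuration takes in set format, with each unit carrying exactly one vlan-id and one address.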