SRX Services Gateway

irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

Hi!

I have a question:

NETWORK    VLAN-ID
VLAN 1     10/20
VLAN 2     30

I have these 2 vlans: 1 and 2

Vlan 1 has two IDs: 10 and 20

I need VLAN1 devices to communicate inter-fw with VLAN2.

For this I wanted to use IRB interfaces:

set vlans VLAN1 vlan-id-list 10
set vlans VLAN1 vlan-id-list 20
set vlans VLAN1 l3-interface irb.1

The problem is that irb does not support vlan-id-list: l3-interface can be configured only under vlans with 'vlan-id' / 'vlan-tags'.

I cannot use irb then...

So in this case how could communication between vlans be achieved when a vlan has more than one ID?

 

Thank you very much!
Regards

15 REPLIES

Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

Hi Chaimae,

If this is your requirement, why don't you create a Layer-3 interface with multiple sub-units and include a vlan-id in each? Are you facing any problems with this method?

e.g.

set interfaces ge-0/0/1 unit 0 family inet address 192.168.100.1/24
set interfaces ge-0/0/1 unit 0 vlan-id 10
set interfaces ge-0/0/1 unit 1 family inet address 192.168.200.1/24
set interfaces ge-0/0/1 unit 1 vlan-id 20
set interfaces ge-0/0/1 vlan-tagging



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

Hi Noobmaster!

Thank you so much!

I can indeed do what you mention, but then will there be inter-vlan traffic?

I understand that for there to be traffic between vlans within the fw, IRB has to exist?

Isn't that right?

* To forward packets between VLANs, you normally need a router that connects the VLANs. However, you can accomplish this forwarding on a switch without using a router by configuring an integrated routing and bridging (IRB) interface.

NOTE: If you configure a Layer 3 interface to support IRB in a VLAN, you cannot use the all option for the vlan-id statement.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/irb-and-bridging.html#id-configur... procedure

Thank you very much!
Regards!!

Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

Plus I only have 1 ip for the network:

NETWORK    VLAN-ID
VLAN_1     10/20
VLAN_2     30

VLAN1: 192.168.100.1/24

That's why I thought I could benefit from vlan-id-list...

It is a complicated challenge...

Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

Hello Chaime,

AFAIK, there are 2 ways to allow VLAN traffic in SRX.

  1. Create a VLAN interface and associate it with an irb interface.
  2. Create an L3-interface and include VLAN tags in it.

Here I have suggested step 2 to you. Let's assume your VLAN10 and VLAN20 reside in the TRUST zone while VLAN30 resides in the DMZ zone.

VLAN10 -> VLAN20 - Configure a security policy with from-zone TRUST to-zone TRUST; this way communication happens between VLAN10 and VLAN20.

VLAN10 or VLAN20 -> VLAN30 - Configure a security policy with from-zone TRUST to-zone DMZ; this way communication happens from VLAN10/20 towards VLAN30.

Please try this method and let me know if you face any issues. Also, I will leave it to other community members to share their ideas.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

Hi Chaime,

If that's the case then I need to check further considering your design.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

Thank you very much noobmaster,

Indeed, the problem is how to implement it in such a way that they share the same ip :-(.

Thank you very much once more

Regards

Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

Actually, I have never done this kind of setup, so it's quite challenging for me :grinning_face_with_smiling_eyes:

Are you connecting a single interface between the SRX and Switch acting as a Trunk?



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

Yes, the idea is to have a single interface link connected between them.

Something like:

FW:

port 1 FW -> connected to port 1 SW -> carrying NETWORK10 (vlan-id 10 & vlan-id 20, ip: 192.168.10.1/24)

port 2 FW -> connected to port 2 SW -> carrying NETWORK30 (vlan-id 30, ip: 192.168.200.1/24)

Solution
Accepted by topic author chaimae
2 weeks ago

Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

[ Edited ]
3 weeks ago

Hi Chaime,

I did some research regarding your requirement and unfortunately, you can't have 2 VLANs sharing the same network if you want to achieve Inter-VLAN routing. Also, I checked multiple articles/resources regarding accepting double-tagged frames on a single interface in SRX and thought of using flexible-vlan-tagging with vlan-id-range, but someone mentioned that it is not working for him.

Since you would like to achieve a single connection between SRX and Switch, I would recommend using separate networks for VLAN 10 and VLAN 20.

VLAN 10 - ge-0/0/0.0: 192.168.10.1/24

VLAN 20 - ge-0/0/0.1: 192.168.20.1/24

(or)

We can also create irb.10 and irb.20, which is what you wanted to do initially.

This way we can have better control over the network in terms of scalability. Please let me know if you are facing any challenges with this setup so that we can work on it.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

Good afternoon noobmaster,

Thank you very much for your help again and for the research work you have done.

I'm going to go over everything again and try to do it through the irb interfaces (I've tried so many things that I'm a bit confused right now :-))

I will write to you again to tell you how it went or if I still have problems.

Thank you very much
Regards

Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

3 weeks ago

I understand Chaimae :grinning_face_with_smiling_eyes: Take your time.

Below is the configuration which you might need for your SRX.

VLAN10: 192.168.10.0/24
VLAN20: 192.168.20.0/24

Assuming the above VLANs in your network, I have mentioned the below configuration.

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ 10 20 ]
set interfaces irb unit 10 family inet address 192.168.10.1/24
set vlans vlan10 vlan-id 10
set vlans vlan10 l3-interface irb.10
set interfaces irb unit 20 family inet address 192.168.20.1/24
set vlans vlan20 vlan-id 20
set vlans vlan20 l3-interface irb.20

set security zones security-zone VLAN10 interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone VLAN10 interfaces irb.10 host-inbound-traffic protocols all
set security zones security-zone VLAN20 interfaces irb.20 host-inbound-traffic system-services all
set security zones security-zone VLAN20 interfaces irb.20 host-inbound-traffic protocols all

set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match source-address any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match destination-address any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match application any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 then permit

set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 match source-address any
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 match destination-address any
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 match application any
set security policies from-zone VLAN20 to-zone VLAN10 policy 20-to-10 then permit

Please feel free to reach out to me if you have any issues.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
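A small checker for the pitfalls this thread runs into, added here as an example (it is not Juniper tooling and not the poster's configuration): it parses Junos set commands and flags a VLAN that pairs l3-interface with vlan-id-list, an IRB unit that is referenced but never defined under interfaces irb or left outside any security zone, a zone pair with a permit in one direction only, and an any/any/any permit that should be narrowed once connectivity works. The sample configuration inside is constructed from the IRB configuration in the reply above, with the reverse-direction policy left out and a broken VLAN added on purpose so that every check has something to report.

```python
"""Lint a Junos 'set'-style SRX configuration for the inter-VLAN routing
pitfalls raised in this thread (added example, not Juniper's tooling)."""
from collections import defaultdict

# Constructed sample: the IRB configuration from the reply above, the
# reverse-direction policy left out on purpose, and a deliberately broken VLAN
# that combines vlan-id-list with an l3-interface.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ 10 20 ]
set interfaces irb unit 10 family inet address 192.168.10.1/24
set vlans vlan10 vlan-id 10
set vlans vlan10 l3-interface irb.10
set interfaces irb unit 20 family inet address 192.168.20.1/24
set vlans vlan20 vlan-id 20
set vlans vlan20 l3-interface irb.20
set security zones security-zone VLAN10 interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone VLAN20 interfaces irb.20 host-inbound-traffic system-services all
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match source-address any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match destination-address any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 match application any
set security policies from-zone VLAN10 to-zone VLAN20 policy 10-to-20 then permit
set vlans VLAN1 vlan-id-list 30
set vlans VLAN1 vlan-id-list 40
set vlans VLAN1 l3-interface irb.1
"""


def parse(config):
    """Extract VLANs, IRB units, zone membership and policies from set commands."""
    vlans = defaultdict(lambda: {"vlan_id": None, "vlan_id_list": [], "l3": None})
    irb_units = set()                # e.g. {"irb.10", "irb.20"}
    zone_of = {}                     # interface name -> security zone
    policies = defaultdict(lambda: {"match": {}, "action": None})  # keyed (from, to, name)
    for line in config.splitlines():
        t = line.split()
        if len(t) < 2 or t[0] != "set":
            continue
        t = t[1:]
        if t[0] == "vlans" and len(t) >= 4:
            name, key, value = t[1], t[2], t[3]
            if key == "vlan-id":
                vlans[name]["vlan_id"] = value
            elif key == "vlan-id-list":
                vlans[name]["vlan_id_list"].append(value)
            elif key == "l3-interface":
                vlans[name]["l3"] = value
        elif t[:3] == ["interfaces", "irb", "unit"] and len(t) >= 4:
            irb_units.add("irb." + t[3])
        elif t[:3] == ["security", "zones", "security-zone"] and len(t) >= 6 and t[4] == "interfaces":
            zone_of[t[5]] = t[3]
        elif t[:2] == ["security", "policies"] and len(t) >= 10 and t[2] == "from-zone" and t[6] == "policy":
            key = (t[3], t[5], t[7])
            if t[8] == "match" and len(t) >= 11:
                policies[key]["match"][t[9]] = t[10]
            elif t[8] == "then":
                policies[key]["action"] = t[9]
    return vlans, irb_units, zone_of, policies


def lint(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    vlans, irb_units, zone_of, policies = parse(config)
    findings = []
    for name, v in vlans.items():
        if not v["l3"]:
            continue
        if v["vlan_id_list"]:    # the limitation this thread is about
            findings.append(f"ERROR vlan {name}: l3-interface {v['l3']} cannot be combined with "
                            f"vlan-id-list {v['vlan_id_list']}; give each IRB its own vlan-id")
        if v["l3"] not in irb_units:
            findings.append(f"ERROR vlan {name}: {v['l3']} is not defined under 'interfaces irb'")
    for irb in sorted(irb_units):
        if irb not in zone_of:
            findings.append(f"WARN {irb}: not in any security zone; SRX will not forward transit traffic for it")
    permitted = {(f, t) for (f, t, _), p in policies.items() if p["action"] == "permit"}
    for a, b in sorted(permitted):
        if a != b and (b, a) not in permitted:
            findings.append(f"INFO {a}->{b}: no policy from {b} to {a}; new sessions from {b} hit the default deny")
    for (f, t, name), p in sorted(policies.items()):
        m = p["match"]
        if p["action"] == "permit" and all(m.get(k) == "any" for k in ("source-address", "destination-address", "application")):
            findings.append(f"INFO {f}->{t} policy {name}: permits any/any/any; narrow it once connectivity is confirmed")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it as-is to see the four findings for the constructed sample, or feed it the output of `show configuration | display set` saved from your own SRX; the one-way policy check relies on the SRX default policy being deny, which is the factory setting.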
Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

2 weeks ago

Hello noobmaster,

Thank you very much for your help.

I couldn't get it to work that way, but we have finally changed the requirements to separate the vlan-ids by assigning them different IPs, and so it worked with your example setup.

Thank you very much again for your help.

Best regards!!

Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

2 weeks ago

Hi noobmaster,

I have another question related to these interfaces:

Topology:

untrust interface trunk
           SRX
trust interfaces irb

I need the external traffic to pass to the internal vlans of the irb interfaces transparently at L2 (as if the srx did not exist), but the traffic from the trust side to untrust should exit through L3.

Would it be possible to do this by configuring FBR based on source?

Would communication between the irb interfaces affect the creation of the routing instance?

What do you think?

Thank you!

Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

2 weeks ago

Hey Chaimae,

Glad it all worked out!!!

For your query regarding transparent mode, please open a new thread so that we can discuss it over there, because this thread might help other community members in case they face a similar issue to yours, and discussing a new query here will be quite confusing for others.

Have a Nice Day :grinning_face:



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: irb with multiple vlan-id (vlan-id-list not supported) traffic between vlans

2 weeks ago

Sure! thanks!

Best regards!
