Switching on Juniper SRX series

On the Juniper Secure Router series SRX, the X stands for switching, and there is a very good switching feature set implemented on the SRX. It has all the features you need, such as normal VLAN switching and separation, 802.1Q trunking and RVIs, so that a VLAN on the SRX can act like a layer 3 switched VLAN on Juniper's EX series. So what could that look like? (The following example was tested with JUNOS 11.x and 12.x.)

First of all a VLAN needs to be created and have a vlan-id:
set vlans vlan-trust vlan-id 142

Then it needs members:
set interfaces fe-0/0/6.0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5.0 family ethernet-switching vlan members vlan-trust

The mode of the ports needs to be set; in this case they are normal untagged access ports (note that port-mode sits directly under family ethernet-switching, not under vlan):
set interfaces fe-0/0/6.0 family ethernet-switching port-mode access
set interfaces fe-0/0/5.0 family ethernet-switching port-mode access

Since we are building a VLAN for the trust zone, routing is going to be handled by an RVI, which needs to be created and assigned to the VLAN:
set interfaces vlan unit 142 family inet address 192.168.142.254/24
set vlans vlan-trust l3-interface vlan.142

Don't forget to assign the RVI to the correct security zone so that firewalling etc. operates as intended:
set security zones security-zone trust interface vlan.142

To make a useful example for trunking VLANs, another VLAN is created:
set vlans vlan-lab vlan-id 131
set interfaces fe-0/0/3.0 family ethernet-switching vlan members vlan-lab
set interfaces fe-0/0/4.0 family ethernet-switching vlan members vlan-lab
set interfaces fe-0/0/3.0 family ethernet-switching port-mode access
set interfaces fe-0/0/4.0 family ethernet-switching port-mode access
set interfaces vlan unit 131 family inet address 192.168.131.254/24
set vlans vlan-lab l3-interface vlan.131
set security zones security-zone lab interface vlan.131

If a VLAN trunk is needed to carry VLAN 142 and VLAN 131 out of the switch on the SRX to a switch infrastructure, a trunk port needs to be created and assigned to the VLANs:
set interfaces fe-0/0/2.0 family ethernet-switching port-mode trunk

To show how further VLANs can be trunked out of the SRX in the future without adding any configuration on the trunk port, the VLAN membership "all" is used:
set interfaces fe-0/0/2.0 family ethernet-switching vlan members all

An access port can also be tagged rather than untagged. This can be used when an SRX is connected to a VLAN/zone where only one VLAN exists and we still want to perform routing and security functions on the traffic:
set vlans vlan-dmz vlan-id 200
set interfaces vlan unit 200 family inet address 192.168.200.254/24
set vlans vlan-dmz l3-interface vlan.200
set security zones security-zone dmz interface vlan.200
set interfaces fe-0/0/1.0 family ethernet-switching vlan members vlan-dmz
set interfaces fe-0/0/1.0 family ethernet-switching port-mode tagged-access

Finally, we turn interface fe-0/0/0.0 into a normal untrust routing port:
set interfaces fe-0/0/0.0 family inet address 10.10.10.1/24
set security zones security-zone untrust interface fe-0/0/0.0

Please note that the example above does not cover the firewall rules needed under security policies or all of the zone configuration needed under security zones. It covers only the VLAN configuration on the SRX. To make a fully functional firewall with VLANs, zone and policy configuration needs to be added.


So a configuration summary:
set vlans vlan-trust vlan-id 142
set vlans vlan-trust l3-interface vlan.142
set vlans vlan-lab vlan-id 131
set vlans vlan-lab l3-interface vlan.131
set vlans vlan-dmz vlan-id 200
set vlans vlan-dmz l3-interface vlan.200

set interfaces fe-0/0/6.0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5.0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3.0 family ethernet-switching vlan members vlan-lab
set interfaces fe-0/0/4.0 family ethernet-switching vlan members vlan-lab
set interfaces fe-0/0/2.0 family ethernet-switching vlan members all
set interfaces fe-0/0/1.0 family ethernet-switching vlan members vlan-dmz

set interfaces fe-0/0/6.0 family ethernet-switching port-mode access
set interfaces fe-0/0/5.0 family ethernet-switching port-mode access
set interfaces fe-0/0/3.0 family ethernet-switching port-mode access
set interfaces fe-0/0/4.0 family ethernet-switching port-mode access
set interfaces fe-0/0/2.0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1.0 family ethernet-switching port-mode tagged-access

set interfaces vlan unit 142 family inet address 192.168.142.254/24
set interfaces vlan unit 131 family inet address 192.168.131.254/24
set interfaces vlan unit 200 family inet address 192.168.200.254/24
set interfaces fe-0/0/0.0 family inet address 10.10.10.1/24

set security zones security-zone trust interface vlan.142
set security zones security-zone lab interface vlan.131
set security zones security-zone dmz interface vlan.200
set security zones security-zone untrust interface fe-0/0/0.0
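As an added check (my own script, not code from the post or from Juniper), here is a small Python linter for set-format VLAN/RVI/zone configuration. Cloning VLAN stanzas invites copy-paste slips: a VLAN handed two l3-interface values (in Junos the later set silently replaces the earlier one), a VLAN left without any RVI, or an RVI that never lands in a security zone, which means no policy applies to it. The sample configuration below is constructed and deliberately contains such a slip.

```python
from collections import defaultdict

# Constructed sample (not from a live device): VLAN/RVI/zone stanzas in set
# format, with a cloned line that hands vlan-trust a second l3-interface.
SAMPLE_CONFIG = """
set vlans vlan-trust vlan-id 142
set vlans vlan-trust l3-interface vlan.142
set vlans vlan-lab vlan-id 131
set vlans vlan-trust l3-interface vlan.131
set vlans vlan-dmz vlan-id 200
set vlans vlan-dmz l3-interface vlan.200
set interfaces vlan unit 142 family inet address 192.168.142.254/24
set interfaces vlan unit 131 family inet address 192.168.131.254/24
set interfaces vlan unit 200 family inet address 192.168.200.254/24
set security zones security-zone trust interface vlan.142
set security zones security-zone lab interface vlan.131
set security zones security-zone dmz interface vlan.200
"""


def lint_rvi_config(text):
    """Return findings about VLAN -> RVI -> zone consistency in set-format config."""
    vlan_ids, l3 = {}, defaultdict(list)
    rvi_units, zone_of = set(), {}
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        if f[1] == "vlans" and f[3] == "vlan-id":
            vlan_ids[f[2]] = int(f[4])
        elif f[1] == "vlans" and f[3] == "l3-interface":
            l3[f[2]].append(f[4])  # single-value leaf: record every set of it
        elif f[1:4] == ["interfaces", "vlan", "unit"]:
            rvi_units.add(int(f[4]))
        elif f[1:4] == ["security", "zones", "security-zone"] and len(f) > 6 and f[5] == "interface":
            zone_of[f[6]] = f[4]
    findings = []
    for vlan, rvis in l3.items():
        if len(rvis) > 1:  # a later 'set' replaces the earlier value on commit
            findings.append(f"{vlan}: l3-interface set {len(rvis)} times, {rvis[-1]} wins")
        unit = int(rvis[-1].split(".")[1])
        if unit not in rvi_units:
            findings.append(f"{vlan}: {rvis[-1]} has no 'interfaces vlan unit {unit}'")
        if vlan in vlan_ids and unit != vlan_ids[vlan]:  # page convention, not a Junos rule
            findings.append(f"{vlan}: unit {unit} does not match vlan-id {vlan_ids[vlan]}")
    for vlan in vlan_ids:
        if vlan not in l3:
            findings.append(f"{vlan}: no l3-interface, VLAN stays layer 2 only")
    for unit in sorted(rvi_units):
        if f"vlan.{unit}" not in zone_of:
            findings.append(f"vlan.{unit}: RVI is not in any security zone")
    return findings


if __name__ == "__main__":
    for finding in lint_rvi_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show configuration | display set` output saved to a file; an empty result means every VLAN has exactly one RVI and every RVI sits in a zone.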

Happy S, R & X-ing!
