I am struggling to understand conceptually and put into practice what I should think is a basic function of my SRX router. I have a Juniper SRX-340 cluster running JUNOS 15.1X49-D75.5. I have configured several SRX clusters that support Internet routing, port forwarding, and IPSEC VPN tunnels but had not had to work with VLANs before.
Also this is the first time I am configuring a router with a DMZ security zone. This configuration (like others I have worked on) has two virtual routers for the two ISPs. I am using rib-groups to import routes to/from the default routing instance to the two ISP routing instances. I know that security zone Trust is in the default routing instance and assume that DMZ2 is. I also have a DMZ1 zone configured without VLANs and that zone can access the Internet.
First, is it even possible for a Juniper SRX to support an interface configured as a trunked VLAN (family ethernet-switching) to also route traffic out to IPSEC tunnels and the Internet? I read articles suggesting that since VLAN is an L2 interface there is no routing that takes place. I also read the only L3 traffic processed on such an interface would be for management traffic to the SRX. It seems basic to me that a PC plugged into a switch whose VLAN tag is one of the VLANs in the trunked SRX interface can reach the Internet etc.
If the answer is YES, then please take a look at the relevant code pieces below and see if I'm doing something wrong. If the answer is NO, then how else can I come up with a configuration to support this requirement?
Eric@SRX340A> show configuration interfaces irb | display set
set interfaces irb unit 100 family inet address 10.10.100.1/24
set interfaces irb unit 102 family inet address 10.10.102.1/24
set interfaces irb unit 103 family inet address 10.10.103.1/24
Eric@SRX340A> show configuration vlans | display set
set vlans vlan1 vlan-id 1
set vlans vlan1 l3-interface irb.100
set vlans vlan102 vlan-id 102
set vlans vlan102 l3-interface irb.102
set vlans vlan103 vlan-id 103
set vlans vlan103 l3-interface irb.103
Eric@SRX340A> show configuration interfaces reth4 | display set
set interfaces reth4 description DMZ2
set interfaces reth4 native-vlan-id 1
set interfaces reth4 redundant-ether-options redundancy-group 5
set interfaces reth4 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan102
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan103
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan1
Eric@SRX340A> show configuration security zones security-zone DMZ2 | display set
set security zones security-zone DMZ2 host-inbound-traffic system-services all
set security zones security-zone DMZ2 interfaces irb.100
set security zones security-zone DMZ2 interfaces irb.102
set security zones security-zone DMZ2 interfaces irb.103
Eric@SRX340A> show security policies from-zone DMZ2 to-zone fiber (fiber is our ISP)
Policy: permit-traffic, State: enabled, Index: 19, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Eric@SRX340A> show route 0.0.0.0/0 exact terse
inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
A V Destination P Prf Metric 1 Metric 2 Next hop AS path
* ? 0.0.0.0/0 S 5 >1.2.3.4 (ISP1)
? S 5 10 Table
fiber.inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
A V Destination P Prf Metric 1 Metric 2 Next hop AS path
* ? 0.0.0.0/0 S 5 >1.2.3.4 (ISP1)
spectrum.inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
A V Destination P Prf Metric 1 Metric 2 Next hop AS path
* ? 0.0.0.0/0 S 5 >5.6.7.8 (ISP2)
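As an added example (not part of the original post, and not Juniper code), here is a small audit script that walks the poster's own `display set` output and resolves each VLAN on the trunk to its vlan-id, irb unit, inet address and security zone, then reports anything that would stop the VLAN from being routed or policed: a trunk member with no `vlans` definition, a VLAN with no l3-interface, an irb unit with no address, or an irb unit that is not bound to a security zone (an SRX drops transit traffic on an interface that is in no zone). It also notes two things a DMZ reviewer would want to see: that untagged frames on the trunk's native VLAN are routed via an irb into the zone, and that the zone accepts every host-inbound system service. The sample configuration is the poster's, re-typed as a constant; the trunk name and finding texts are the script's own.

```python
"""Audit Junos `display set` output: trunk VLAN -> irb -> zone mapping for an SRX.

Added example, not Juniper's code and not the poster's. Sample input below is
constructed from the configuration shown in the post.
"""
import re
from collections import defaultdict

# Constructed from the poster's `show configuration ... | display set` output.
SAMPLE_CONFIG = """\
set interfaces irb unit 100 family inet address 10.10.100.1/24
set interfaces irb unit 102 family inet address 10.10.102.1/24
set interfaces irb unit 103 family inet address 10.10.103.1/24
set vlans vlan1 vlan-id 1
set vlans vlan1 l3-interface irb.100
set vlans vlan102 vlan-id 102
set vlans vlan102 l3-interface irb.102
set vlans vlan103 vlan-id 103
set vlans vlan103 l3-interface irb.103
set interfaces reth4 description DMZ2
set interfaces reth4 native-vlan-id 1
set interfaces reth4 redundant-ether-options redundancy-group 5
set interfaces reth4 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan102
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan103
set interfaces reth4 unit 0 family ethernet-switching vlan members vlan1
set security zones security-zone DMZ2 host-inbound-traffic system-services all
set security zones security-zone DMZ2 interfaces irb.100
set security zones security-zone DMZ2 interfaces irb.102
set security zones security-zone DMZ2 interfaces irb.103
"""


def parse_set_config(text):
    """Pull the VLAN, irb, trunk and zone statements out of `display set` lines."""
    cfg = {
        "irb_addr": {},                     # "irb.100" -> "10.10.100.1/24"
        "vlan_id": {},                      # "vlan102" -> 102
        "vlan_l3": {},                      # "vlan102" -> "irb.102"
        "trunk_members": defaultdict(set),  # "reth4" -> {"vlan102", ...}
        "native_vlan": {},                  # "reth4" -> 1
        "zone_of": {},                      # "irb.102" -> "DMZ2"
        "zone_services": defaultdict(set),  # "DMZ2" -> {"all"}
    }
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"set interfaces irb unit (\d+) family inet address (\S+)", line):
            cfg["irb_addr"][f"irb.{m[1]}"] = m[2]
        elif m := re.fullmatch(r"set vlans (\S+) vlan-id (\d+)", line):
            cfg["vlan_id"][m[1]] = int(m[2])
        elif m := re.fullmatch(r"set vlans (\S+) l3-interface (\S+)", line):
            cfg["vlan_l3"][m[1]] = m[2]
        elif m := re.fullmatch(r"set interfaces (\S+) unit \d+ family ethernet-switching vlan members (\S+)", line):
            cfg["trunk_members"][m[1]].add(m[2])
        elif m := re.fullmatch(r"set interfaces (\S+) native-vlan-id (\d+)", line):
            cfg["native_vlan"][m[1]] = int(m[2])
        elif m := re.fullmatch(r"set security zones security-zone (\S+) interfaces (\S+)", line):
            cfg["zone_of"][m[2]] = m[1]
        elif m := re.fullmatch(r"set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)", line):
            cfg["zone_services"][m[1]].add(m[2])
    return cfg


def vlan_routing_table(cfg, trunk):
    """Map every VLAN carried on `trunk` to (vlan-id, irb, address, zone); None marks a gap."""
    table = {}
    for vlan in sorted(cfg["trunk_members"][trunk]):
        irb = cfg["vlan_l3"].get(vlan)
        table[vlan] = (
            cfg["vlan_id"].get(vlan),
            irb,
            cfg["irb_addr"].get(irb) if irb else None,
            cfg["zone_of"].get(irb) if irb else None,
        )
    return table


def audit(cfg, trunk):
    """Return (severity, message) findings for the VLANs on `trunk` and their zones."""
    findings = []
    for vlan, (vid, irb, addr, zone) in vlan_routing_table(cfg, trunk).items():
        if vid is None:
            findings.append(("error", f"{trunk} carries {vlan} but no 'set vlans {vlan} vlan-id' exists"))
            continue
        if irb is None:
            findings.append(("error", f"{vlan} has no l3-interface; it is switched only and cannot be routed or policed"))
            continue
        if addr is None:
            findings.append(("error", f"{irb} ({vlan}) has no family inet address"))
        if zone is None:
            findings.append(("error", f"{irb} ({vlan}) is not in any security zone, so the SRX drops its transit traffic"))
        if cfg["native_vlan"].get(trunk) == vid:
            findings.append(("info", f"untagged frames on {trunk} land in {vlan} and are routed via {irb} into zone {zone}"))
    for zone, services in cfg["zone_services"].items():
        if "all" in services:
            findings.append(("info", f"zone {zone} accepts every host-inbound system service; restrict this on a DMZ"))
    return findings


if __name__ == "__main__":
    config = parse_set_config(SAMPLE_CONFIG)
    for vlan, row in vlan_routing_table(config, "reth4").items():
        print(f"{vlan:8} id={row[0]} irb={row[1]} addr={row[2]} zone={row[3]}")
    for severity, message in audit(config, "reth4"):
        print(f"[{severity}] {message}")
```

Run against the poster's configuration the table comes back fully populated (every trunk VLAN has an irb with an address inside DMZ2), so the script reports only the two informational items; the script does not see routing-instance membership or rib-group exports, which the post's own route output is the place to check. Deleting the `interfaces irb.103` zone statement from the sample turns the vlan103 row into an error, which is the kind of gap that shows up as silently dropped traffic on the SRX.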