Hi,

This post is on the SRX transparent firewall. By definition it is used for layer-2 connectivity, so any connectivity to this firewall will be in ETHERNET-BRIDGE mode.

Requirement – Configure the firewall to support Vlan-101, make sure the VLAN spans correctly from SW-1 to SW-2 via the firewall, and create a layer-3 interface on the firewall so that the end switches can point other traffic at the firewall using this IP as their gateway.

Topology

[Image: topology]

First steps on initial configuration

[Image: initial_config_and_junos_cli_output]

As we can see, the firewall instructs us to reboot.

What if I try to assign an IP to the firewall's physical interface? We see the error below.

[Image: 2_error_on_l3]

The bridge domain needs to be configured with the appropriate layer-3 IP, but as we can see you cannot place the layer-3 logical irb interface into a security zone; you need to assign your tagged physical interfaces to the zone instead.

And as usual, do not forget to write the intra-zone policies, since the traffic needs to pass between two different interfaces.

[Image: 3_zone_policy_config_donot_include_irb]
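One way to put the steps above into a single configuration, as an added example and not the author's own config (the screenshots are not reproduced here). It uses the legacy SRX branch transparent-mode syntax (family bridge / bridge-domains); the interface names, the 10.101.0.0/24 subnet, the IRB address and the zone name are assumptions.

```junos
## Added example (not from the original post). Assumed: ge-0/0/1 faces SW-1,
## ge-0/0/2 faces SW-2, VLAN 101 uses 10.101.0.0/24, IRB address 10.101.0.1.

## Tagged physical interfaces: both carry VLAN 101 in ETHERNET-BRIDGE mode
set interfaces ge-0/0/1 description "to SW-1"
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 101
set interfaces ge-0/0/2 description "to SW-2"
set interfaces ge-0/0/2 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/2 unit 0 family bridge vlan-id-list 101

## Bridge domain for VLAN 101; the layer-3 IP lives on irb.101, not on ge-0/0/x
set bridge-domains VLAN-101 domain-type bridge
set bridge-domains VLAN-101 vlan-id 101
set bridge-domains VLAN-101 routing-interface irb.101
set interfaces irb unit 101 family inet address 10.101.0.1/24

## Zone holds the tagged physical interfaces only (irb.101 is NOT listed);
## ping is allowed inbound so the verification from the switches works
set security zones security-zone L2-VLAN101 interfaces ge-0/0/1.0
set security zones security-zone L2-VLAN101 interfaces ge-0/0/2.0
set security zones security-zone L2-VLAN101 host-inbound-traffic system-services ping

## Intra-zone policy: traffic between the two interfaces is not permitted by
## default, so allow VLAN 101 hosts to reach each other (scoped to the subnet,
## not "any", to keep the bridge from passing unrelated traffic)
set security address-book global address VLAN101-NET 10.101.0.0/24
set security policies from-zone L2-VLAN101 to-zone L2-VLAN101 policy VLAN101-INTRA match source-address VLAN101-NET
set security policies from-zone L2-VLAN101 to-zone L2-VLAN101 policy VLAN101-INTRA match destination-address VLAN101-NET
set security policies from-zone L2-VLAN101 to-zone L2-VLAN101 policy VLAN101-INTRA match application any
set security policies from-zone L2-VLAN101 to-zone L2-VLAN101 policy VLAN101-INTRA then permit

## commit; on the first switch from layer-3 to layer-2 mode the device asks
## for a reboot, as seen in the initial CLI output above
commit
```

After the reboot, `show bridge domain` and `show security zones` are the quick checks that VLAN 101 is learned on both interfaces and that only the ge- interfaces (not irb.101) are zone members.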

Ping verification from all nodes

[Image: 4_final_verification]

Regards

Rakesh M
