Hi,

Vlan Rewrite on any box is always a fascinating concept. You have tagged packets coming with a specific vlan and once they come in they are changed to some-other vlan for egress and vice-versa.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB23737

The above kb will give you an idea on how vlan-rewrite is configured for a sample scenario in srx, I made some enhancements as in adding a  new irb interface on SRX and having a trunk-port with a sub-interface.

Topology

topology_1

Configuration is very straight forward

-> identify which vlan needs to be manipulated

-> Identify the ingress interface

-> Make sure your vlan-id-list does not include the vlan which needs to be converted to – Yes it is ‘Does Not’

2_bridge_domains

Here, Vlan 100 is not in the vlan-id-list of Trunk interface ge-0/0/8 which is the ingress point, it might be a misconception from many people to allow all the vlans which are configured on the interface, but the point which needs to be understood here is that , it is already being re-written to another vlan which interface has allowed, so we need not allow it again in interface vlan-id-list

3_ping_test

A policy needs to be written with layer-2 interfaces in place, unlike routed-mode firewall where we include Layer-3 interfaces, Transparent mode firewall needs layer-2 interfaces in Zones, i initially tried configuring irb interfaces in zones to understand that irb interfaces can never go into a security zone.

Regards

Rakesh M

Advertisements