Problem:
Just completed connecting a firewall (SRX 240) to a switch.
The link is supposed to be a trunk carrying multiple VLANs; however, I couldn't ping the point-to-point IPs from the switch or from the firewall, even though the interfaces are UP.
Example Config:
On the Firewall:
set interfaces ge-0/0/13 description my_test_link
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members TEST
set interfaces vlan unit 590 description my_test_vlan
set interfaces vlan unit 590 family inet address 10.0.90.5/30
set vlans TEST vlan-id 590
set vlans TEST l3-interface vlan.590
On the switch:
set interfaces ge-0/0/16 description my_test_link
set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/16 unit 0 family ethernet-switching vlan members 590
set interfaces vlan unit 590 description my_test_vlan
set interfaces vlan unit 590 family inet address 10.0.90.6/30
set vlans TEST vlan-id 590
set vlans TEST l3-interface vlan.590
Normally, this would be enough to bring up the point-to-point link if this were a switch-to-switch connection. But because the firewall's default behaviour is to block all traffic (an SRX interface that is not assigned to a security zone drops everything sent to it), trying to ping the firewall interface from the switch, or vice versa, will fail.
Solution:
Add this config:
set security zones security-zone trust interfaces vlan.590
set security zones security-zone trust interfaces vlan.590 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.590 host-inbound-traffic protocols all
What this additional config does is put vlan.590 in the trust security zone and permit inbound traffic to that interface: system-services covers traffic destined to the firewall itself (ping, ssh, and so on) and protocols covers routing protocols. Note that "all" opens every system service and protocol on that interface; for a point-to-point link, "system-services ping" plus whichever routing protocol actually runs over the link is usually all that is needed.
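As an added check, not from the original post, here is a small Python lint that reads Junos set-style output (as from "show configuration | display set") and reports two things this post turns on: an L3 interface that has an inet address but no security-zone membership, and host-inbound-traffic entries that use "all". The sample config is the firewall config from the post; the regexes assume the set-command syntax shown above.

```python
import re

# Constructed sample: the firewall's set-style config from the post,
# before the zone lines were added.
FIREWALL_CONFIG = """
set interfaces ge-0/0/13 description my_test_link
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members TEST
set interfaces vlan unit 590 description my_test_vlan
set interfaces vlan unit 590 family inet address 10.0.90.5/30
set vlans TEST vlan-id 590
set vlans TEST l3-interface vlan.590
"""

# The fix from the post, kept separate so the audit can be run before and after.
ZONE_FIX = """
set security zones security-zone trust interfaces vlan.590
set security zones security-zone trust interfaces vlan.590 host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.590 host-inbound-traffic protocols all
"""

# "set interfaces <ifd> unit <n> family inet address ..." marks a routed (L3) logical interface.
L3_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address ")
# Zone membership, optionally followed by a host-inbound-traffic entry.
ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+)"
    r"(?: host-inbound-traffic (system-services|protocols) (\S+))?$"
)

def audit(config):
    """Return findings: L3 interfaces with no zone, and 'all' host-inbound-traffic entries."""
    l3_ifaces, zone_of, broad = set(), {}, set()
    for line in config.strip().splitlines():
        m = L3_RE.match(line)
        if m:
            l3_ifaces.add(f"{m.group(1)}.{m.group(2)}")  # vlan unit 590 -> vlan.590
            continue
        m = ZONE_RE.match(line)
        if m:
            zone, iface, kind, value = m.groups()
            zone_of[iface] = zone
            if kind and value == "all":
                broad.add((iface, kind))
    findings = []
    for iface in sorted(l3_ifaces - set(zone_of)):
        findings.append(f"{iface}: not in any security zone, SRX drops all traffic to it")
    for iface, kind in sorted(broad):
        findings.append(f"{iface}: host-inbound-traffic {kind} all is broader than the link needs")
    return findings
```

Running audit() on FIREWALL_CONFIG alone reports the missing zone; running it on FIREWALL_CONFIG + ZONE_FIX clears that finding and instead flags the two "all" entries.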