[j-nsp] SRX for MPLS
Phil Mayers
p.mayers at imperial.ac.uk
Fri Oct 29 10:54:22 EDT 2010
On 22/10/10 04:39, Barny Sanchez wrote:
> High-end SRXs (SRX3000s and SRX5000s) do not support packet-based
> only processing.
>
> Branch SRX (SRX100s, SRX200s, SRX650s) support either packet-based
> only, flow-based only or mixed mode (selective packet services).
> Please refer to the following app note for some great examples:
> https://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf
That is a very interesting document.
I spent a bit of time trying this today, but failed; I think the
lt-x/x/x interfaces are not available/usable for this under the J-series platforms
(JunOS 10.1), correct? Shame...
Do you know if it's possible on the SRX to do the MPLS -> flow stuff with
no physical interfaces; for example:
ge-0/0/0.0 = mpls interface
lt-0/0/0.100 = vrf interface, packet mode
lt-0/0/0.101 = virtual-router FIREWALL, flow mode, "Trust" zone
lt-0/0/0.200 = virtual-router FIREWALL, flow mode, "Untrust" zone
lt-0/0/0.201 = virtual-router OUTSIDE, packet mode
ge-0/0/1.0 = virtual-router OUTSIDE, packet mode
...i.e. traffic flows:
1. Labelled into ge-0/0/0.0
2. Label popped, packet-mode into lt.100
3. Into virtual router, lt.101 -> lt.200
4. Security policies applied
5. Egress from lt.201 -> ge-0/0/1.0
...and vice versa?
This would enable an SRX to be an MPLS one-armed firewall with only two
real/physical interfaces, and would be something we'd probably pay money
for!