[j-nsp] SRX for MPLS

Phil Mayers p.mayers at imperial.ac.uk
Fri Oct 29 10:54:22 EDT 2010


On 22/10/10 04:39, Barny Sanchez wrote:
> High-end SRXs (SRX3000s and SRX5000s) do not support packet-based
> only processing.
>
> Branch SRX (SRX100s, SRX200s, SRX650s) support either packet-based
> only, flow-based only or mixed mode (selective packet services).
> Please refer to the following app note for some great examples:
> https://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf

That is a very interesting document.

I spent a bit of time trying this today, but failed; I think the 
lt-x/x/x are not available/usable for this under the J-series platforms 
(JunOS 10.1), correct? Shame.

Do you know if it's possible on the SRX to do the MPLS -> flow stuff with 
no physical interfaces; for example:

ge-0/0/0.0 = mpls interface
lt-0/0/0.100 = vrf interface, packet mode

lt-0/0/0.101 = virtual-router FIREWALL, flow mode, "Trust" zone
lt-0/0/0.200 = virtual-router FIREWALL, flow mode, "Untrust" zone

lt-0/0/0.201 = virtual-router OUTSIDE, packet mode
ge-0/0/1.0   = virtual-router OUTSIDE, packet mode

...i.e. traffic flows:

  1. Labelled into ge-0/0/0.0
  2. Label popped, packet-mode into lt.100
  3. Into virtual router, lt.101 -> lt.200
  4. Security policies applied
  5. Egress from lt.201 -> ge-0/0/1.0

...and vice versa?

This would enable an SRX to be an MPLS one-armed firewall with only two 
real/physical interfaces, and would be something we'd probably pay money 
for!
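
[Editor's note: the following is an added illustration, not part of Phil's 
post and not a configuration Juniper or the list has confirmed as working. 
It shows how the one-armed layout described above would be expressed in 
Junos set-style configuration, using the interface names, routing-instance 
names and zone names from the post. Everything else (addresses, the VRF 
route-distinguisher and target, the filter and policy names, the 10.0.0.0/8 
"inside" prefix) is an assumption invented for the example. The packet-mode 
half relies on the selective packet services filter action from the app note 
quoted at the top; whether lt units can be used this way on a given SRX or 
J-series release is exactly the open question in the post, so treat it as a 
sketch to verify in the lab.]

```junos
## Added example. All addresses, RD/RT values, filter and policy names are
## assumptions; only the interface units, routing-instance names and zone
## names come from the post. Core IGP and the MP-BGP session that populate
## the VRF are omitted.

## 1. MPLS core-facing interface (labelled traffic arrives here)
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/0 unit 0 family mpls
set protocols mpls interface ge-0/0/0.0
set protocols ldp interface ge-0/0/0.0

## 2. lt pairs: each unit's peer-unit is the other end of the virtual wire
set interfaces lt-0/0/0 unit 100 encapsulation ethernet
set interfaces lt-0/0/0 unit 100 peer-unit 101
set interfaces lt-0/0/0 unit 100 family inet address 10.255.0.1/30
set interfaces lt-0/0/0 unit 101 encapsulation ethernet
set interfaces lt-0/0/0 unit 101 peer-unit 100
set interfaces lt-0/0/0 unit 101 family inet address 10.255.0.2/30

set interfaces lt-0/0/0 unit 200 encapsulation ethernet
set interfaces lt-0/0/0 unit 200 peer-unit 201
set interfaces lt-0/0/0 unit 200 family inet address 10.255.1.1/30
set interfaces lt-0/0/0 unit 201 encapsulation ethernet
set interfaces lt-0/0/0 unit 201 peer-unit 200
set interfaces lt-0/0/0 unit 201 family inet address 10.255.1.2/30

## Second physical interface, towards the outside
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24

## 3. Routing instances: VRF (label popped here), FIREWALL VR (flow mode),
##    OUTSIDE VR (packet mode). Static routes make the "vice versa" path work.
set routing-instances CUST-VRF instance-type vrf
set routing-instances CUST-VRF interface lt-0/0/0.100
set routing-instances CUST-VRF route-distinguisher 65000:100
set routing-instances CUST-VRF vrf-target target:65000:100
set routing-instances CUST-VRF routing-options static route 0.0.0.0/0 next-hop 10.255.0.2

set routing-instances FIREWALL instance-type virtual-router
set routing-instances FIREWALL interface lt-0/0/0.101
set routing-instances FIREWALL interface lt-0/0/0.200
set routing-instances FIREWALL routing-options static route 10.0.0.0/8 next-hop 10.255.0.1
set routing-instances FIREWALL routing-options static route 0.0.0.0/0 next-hop 10.255.1.2

set routing-instances OUTSIDE instance-type virtual-router
set routing-instances OUTSIDE interface lt-0/0/0.201
set routing-instances OUTSIDE interface ge-0/0/1.0
set routing-instances OUTSIDE routing-options static route 10.0.0.0/8 next-hop 10.255.1.1
set routing-instances OUTSIDE routing-options static route 0.0.0.0/0 next-hop 198.51.100.254

## 4. Selective packet services: a filter whose only job is the packet-mode
##    action, applied as input on every interface that must bypass the flow
##    engine. Labelled (family mpls) traffic is not flow-processed, but the
##    inet side of ge-0/0/0 carries LDP/IGP, so mark it too.
set firewall family inet filter PACKET-MODE term all then packet-mode
set firewall family inet filter PACKET-MODE term all then accept
set interfaces ge-0/0/0 unit 0 family inet filter input PACKET-MODE
set interfaces lt-0/0/0 unit 100 family inet filter input PACKET-MODE
set interfaces lt-0/0/0 unit 201 family inet filter input PACKET-MODE
set interfaces ge-0/0/1 unit 0 family inet filter input PACKET-MODE

## 5. Flow-mode side: the two lt units inside FIREWALL are the only zone
##    members, so everything crossing that VR is subject to policy.
set security zones security-zone Trust interfaces lt-0/0/0.101
set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Untrust interfaces lt-0/0/0.200
set security zones security-zone Untrust host-inbound-traffic system-services ping

## Placeholder policy: tighten source/destination/application to the real
## requirement before deploying. Default policy stays deny-all.
set security policies from-zone Trust to-zone Untrust policy ALLOW-WEB match source-address any
set security policies from-zone Trust to-zone Untrust policy ALLOW-WEB match destination-address any
set security policies from-zone Trust to-zone Untrust policy ALLOW-WEB match application [ junos-http junos-https ]
set security policies from-zone Trust to-zone Untrust policy ALLOW-WEB then permit
set security policies from-zone Trust to-zone Untrust policy ALLOW-WEB then log session-init
set security policies default-policy deny-all
```

The point the sketch makes explicit is the trust boundary: the VRF and the 
OUTSIDE VR never share an interface, so the only path between them is the 
lt.101 -> lt.200 hop inside FIREWALL, where both units are zone members and 
policy is enforced. If the packet-mode filter is missing from lt-0/0/0.100 or 
lt-0/0/0.201, those units fall back to flow processing and the design no 
longer matches the five-step traffic flow in the post; checking 
`show security flow session` for sessions on the wrong interfaces is the 
quickest way to spot that.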