[SRX] After setting up SRX650 Chassis Cluster, how can the last remaining onboard port ge-0/0/3 be used for both LAN and WAN links?



Article ID: KB21145 | KB Last Updated: 04 Mar 2017 | Version: 2.0

This article addresses a question that affects many SRX650 HA Chassis Cluster users: how do you use the port ge-0/0/3 to route traffic between the LAN and the WAN (between the private and public networks)?


Problem Description:

  • The SRX650 base system comes with only 4 onboard ports.
  • After the SRX650 HA Chassis Cluster is configured, ge-0/0/0 is reserved for fxp0 (out-of-band management), ge-0/0/1 for the Control Link, and one more port (most often ge-0/0/2) for the Fabric Link.
  • Only the ge-0/0/3 port is left, and this article assumes it is configured as a child of the reth0 interface.

The problem is obvious: how do you make one reth0 interface carry more than one network? Only one logical interface (unit 0) is allowed on the reth0 interface; if more than one unit is configured, the commit reports an error.

For this reason, SRX650 HA Cluster users usually add another Interface Card to meet their traffic needs.

However, if the expected traffic is not more than 1 Gbps, the better solution is to enable VLAN tagging on the physical interface reth0, which allows reth0 to accommodate more than one logical interface, one per network.

Number of networks that can be configured on a physical interface = number of units (logical interfaces) on that physical interface.

Below is how it is done.

Important assumptions for this example solution:

  • The reth0 interface has already been configured with unit 0 and a redundancy group (for information on how to set up an SRX650 HA cluster, visit …)
  • LAN is in VLAN 10
  • WAN is in VLAN 11
  • DMZ is in VLAN 12

Now enter these configuration statements in order:

# delete interfaces reth0 unit 0 ##comment - this deletes unit 0, which is no longer needed

# set interfaces reth0 vlan-tagging ##comment - this is the key statement

# set interfaces reth0 unit 10 vlan-id 10 family inet address ##comment - logical interface reth0.10 is for the LAN

# set interfaces reth0 unit 11 vlan-id 11 family inet address ##comment - logical interface reth0.11 is for the WAN

# set interfaces reth0 unit 12 vlan-id 12 family inet address ##comment - logical interface reth0.12 is for the DMZ

Delete the reth0.0 interface from the security zones and from every other place in the configuration that references it, because it is no longer defined.

After that, commit the configuration.

  • We do not need to worry about routing, because these interfaces generate interface routes that let the networks talk to each other.
  • Add these interfaces to their respective security zones.
  • Create security policies between the zones for inter-network traffic.

Objective achieved.
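The whole procedure above, from removing unit 0 through zone membership and inter-zone policies, as one set-format configuration. This is an added example and not part of the KB article or Juniper's own configuration: the IP addresses, the zone names (trust, untrust, dmz) and the policy names are constructed assumptions, and the lines beginning with ## are annotations rather than configuration.

```junos
## Added example, not from the KB article: complete set-format configuration for the
## VLAN-tagged reth0 scheme. Addresses, zone names and policy names are constructed
## assumptions; lines starting with ## are annotations, not configuration.
delete interfaces reth0 unit 0
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 10 vlan-id 10 family inet address 192.168.10.1/24
set interfaces reth0 unit 11 vlan-id 11 family inet address 203.0.113.2/30
set interfaces reth0 unit 12 vlan-id 12 family inet address 192.168.12.1/24
## reth0.0 no longer exists, so remove its zone membership before committing (assumed zone: trust)
delete security zones security-zone trust interfaces reth0.0
## One logical interface per zone
set security zones security-zone trust interfaces reth0.10
set security zones security-zone untrust interfaces reth0.11
set security zones security-zone dmz interfaces reth0.12
## Default route toward the WAN next hop (constructed address); the directly connected
## networks are reached through the interface routes created by the addresses above
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
## Inter-zone policies: permit only the flows that are needed; unmatched traffic is dropped
set security policies from-zone trust to-zone untrust policy lan-to-wan match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy lan-to-wan then permit
set security policies from-zone trust to-zone dmz policy lan-to-dmz match source-address any destination-address any application junos-https
set security policies from-zone trust to-zone dmz policy lan-to-dmz then permit
set security policies from-zone untrust to-zone dmz policy wan-to-dmz match source-address any destination-address any application junos-https
set security policies from-zone untrust to-zone dmz policy wan-to-dmz then permit
set security policies from-zone untrust to-zone dmz policy wan-to-dmz then log session-init
commit check
commit
```

After the commit, `show interfaces terse | match reth0` should list reth0.10, reth0.11 and reth0.12 with the addresses above, and `show configuration | display set | match reth0.0` should return nothing; any line it does return is a stale reference to the deleted logical interface that still needs to be cleaned up.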