We have a link from our switch to a Juniper SRX firewall configured as a promiscuous port. Over this link we configure a primary PVLAN. Connected to the switch we also have a bunch of servers all in the same isolated PVLAN which is mapped to the primary. In this situation how is ARP handled when one server needs to communicate with another? An intra-zone rule on the SRX? Proxy ARP maybe?
Not sure why you have the servers in a private VLAN, but if the gateway for the servers is on the firewall, you don't need any intra-zone policy. If they are in the same zone, it should work fine. You need policy between zones.
Thank you, Reza.
Apologies for the delay. We're bound by the client's processes to use PVLANs. We've decided to split some of the servers into separate VLANs/subnets, which means we simply need to create an inter-zone policy on the firewall.
We have a similar situation to yours. Placing the servers into a community PVLAN negates the need for the servers to traverse any links, as they can communicate with each other directly.