Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
838
Views
0
Helpful
3
Replies
Highlighted
Devlin Thornicroft
Beginner
Beginner
‎10-02-2017 09:48 AM
‎10-02-2017 09:48 AM

Private VLANs - Juniper SRX Firewall

Hi all

 

We have a link from our switch to a Juniper SRX firewall configured as a promiscuous port. Over this link we configure a primary PVLAN. Connected to the switch we also have a bunch of servers all in the same isolated PVLAN which is mapped to the primary. In this situation how is ARP handled when one server needs to communicate with another? An intra-zone rule on the SRX? Proxy ARP maybe?

 

Thank you. 

Labels:
0 Helpful
Reply
3 REPLIES 3
Highlighted
Reza Sharifi
Hall of Fame Expert Hall of Fame Expert
Hall of Fame Expert
‎10-02-2017 04:01 PM
‎10-02-2017 04:01 PM

Hi,

Not sure why you have the servers in a private vlan but if the gateway for the servers is on the firewall, you don't need any intra-zone policy.  If they are in the same zone, it should work fine. You need policy between zones.

HTH

0 Helpful
Reply
Highlighted
Devlin Thornicroft
Beginner
Beginner
In response to Reza Sharifi
‎10-07-2017 02:10 AM
‎10-07-2017 02:10 AM

Thank you Reza

 

Apologies for the delay. We're bound by the clients processes to use PVLANS. We've decided to split some of the servers into separate VLANs/subnets which means we just simply need to create an inter-zone policy on the firewall.

 

0 Helpful
Reply
Highlighted
Neil Sheridan
Beginner
Beginner
In response to Devlin Thornicroft
‎10-07-2017 04:22 PM
‎10-07-2017 04:22 PM

We have a similar situation to yours. Placing the servers into a COMMUNITY PVLAN negates the need for servers to traverse any links as they can communicate with each other.

 

 

0 Helpful
Reply
Latest Contents
Community Live Event- ISR1100X-4G and ISR1100X-6G Platform O...
Created by Cisco Moderador on 03-02-2021 05:23 AM
1
0
1
0
Community Live- ISR1100X-4G and ISR1100X-6G Platform Overview and Architecture (Live event -  Tuesday, 23 March, 2021 at 10:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris)- This event will have place on Tuesday 23rd, March 2021 at 10:00 hrs PDT&... view more
Cisco Secure Network Access Bridges the Gap
Created by Kelli Glass on 02-26-2021 04:19 PM
0
0
0
0
Cisco Secure Network Access is helping IT to bridge the gap between what is essential to the business and what the network delivers and to build the next-generation campus network for an unplugged and uninterrupted experience. Learn more about how these w... view more
Community Live Video - New Additions to the Catalyst 8000 Fa...
Created by Cisco Moderador on 02-24-2021 08:49 AM
0
0
0
0
(view in My Videos) Community Live- New Additions to the Catalyst 8000 Family (Live event -  Tuesday, 23 February, 2021 at 10:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris)- This event had place on Tuesday 23rd, February 2021 at 10:00 hrs PDT... view more
New Additions to the Catalyst 8000 Family- FAQ
Created by Cisco Moderador on 02-24-2021 07:23 AM
0
0
0
0
Community Live-ISR1100X-4G and ISR1100X-6G Platform Overview and Architecture This event had place on Tuesday 23rd, February 2021 at 10hrs PDT  Introduction Designed for an intent-based network, the Cisco Catalyst 8000 Edge Platforms family offers ... view more
New Additions to the Catalyst 8000 Family- AMA Event
Created by Cisco Moderador on 02-22-2021 05:26 AM
0
0
0
0
To participate in this event, please use the  button to ask your questions New Additions to the Catalyst 8000 Family This forum is a chance to clarify all your questions related to the Catalyst 8k Family! Designed for an intent-based network, the Ci... view more
Content for Community-Ad