10-02-2017 09:48 AM - edited 03-08-2019 12:14 PM
Hi all
We have a link from our switch to a Juniper SRX firewall configured as a promiscuous port. Over this link we configure a primary PVLAN. Connected to the switch we also have a bunch of servers all in the same isolated PVLAN which is mapped to the primary. In this situation how is ARP handled when one server needs to communicate with another? An intra-zone rule on the SRX? Proxy ARP maybe?
Thank you.
10-02-2017 04:01 PM
Hi,
Not sure why you have the servers in a private vlan but if the gateway for the servers is on the firewall, you don't need any intra-zone policy. If they are in the same zone, it should work fine. You need policy between zones.
HTH
10-07-2017 02:10 AM
Thank you Reza
Apologies for the delay. We're bound by the client's processes to use PVLANs. We've decided to split some of the servers into separate VLANs/subnets, which means we just need to create an inter-zone policy on the firewall.
10-07-2017 04:22 PM
We have a similar situation to yours. Placing the servers into a COMMUNITY PVLAN negates the need for servers to traverse any links as they can communicate with each other.
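As an added example (not part of any post in this thread), here is the switch-side configuration for the topology the thread describes, assuming a Cisco IOS switch. The VLAN numbers, interface names and descriptions are constructed. Primary VLAN 100 is carried to the SRX on a promiscuous port; servers that should only ever reach the firewall sit in an isolated secondary VLAN, and servers that need to talk to each other directly sit in a community secondary VLAN, as the last reply suggests. Both secondary VLANs share the primary's subnet and the gateway on the SRX.

```cisco
! Secondary VLANs: define the type before associating them with the primary
vlan 101
 name SERVERS-ISOLATED
 private-vlan isolated
!
vlan 102
 name SERVERS-COMMUNITY
 private-vlan community
!
! Primary VLAN, mapped to both secondaries
vlan 100
 name SERVERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Uplink to the SRX: promiscuous port, sees every host in both secondaries
interface GigabitEthernet1/0/1
 description UPLINK-SRX (promiscuous, assumed interface)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated host: can only exchange frames with the promiscuous port
interface GigabitEthernet1/0/10
 description SERVER-A (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community hosts: can reach each other and the promiscuous port
interface GigabitEthernet1/0/11
 description SERVER-B (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet1/0/12
 description SERVER-C (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Verification
! show vlan private-vlan
! show interfaces GigabitEthernet1/0/1 switchport
```

With this in place, an ARP request from SERVER-A for a same-subnet peer is delivered only to the promiscuous port, so two isolated servers can reach each other only if the device on that port answers on the peer's behalf and forwards the traffic back, which is the proxy ARP case the original question raises. Moving peers into separate subnets (as the thread's author did) or into a community VLAN (as the last reply suggests) removes that dependency, and in the isolated case every server-to-server flow has to cross the firewall, where it can be filtered and logged. `show vlan private-vlan` confirms that both secondaries are associated with the primary and lists which ports belong to each.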