
Re: SRX to SSG5 Route-based VPN with GRE?


I follow you now. Thanks. 

 

So I'm looking at the syntax from the Day One guide, and it looks like it assumes you are only passing a single network between SRX/SSG. 

 

In the event that you wanted to advertise numerous subnets/networks, would you add another line of code for each respective VLAN interface? I understand summarization is out of scope for this post, so I'm doing it the labor-intensive way for argument's sake:

 

Enable OSPF on the SRX and assign the local VLAN interface and the
tunnel interface to OSPF area 0:

set protocols ospf area 0 interface vlan.0

set protocols ospf area 0 interface vlan.10     

set protocols ospf area 0 interface vlan.20

set protocols ospf area 0 interface st0.0

 

Configure vlan.0 to announce OSPF routes:   *Except here I would need to add additional vlan interfaces? RVIs?
set protocols ospf area 0 interface vlan.0 passive

set protocols ospf area 0 interface vlan.10 passive

set protocols ospf area 0 interface vlan.20 passive

 

In most of the environments I work in, it's more common that the RVIs/subnets are defined on an L3 switch, for example an EX4200, and we have a default route between the L3 switch and the upstream firewall/SRX. In that sense, no VLANs are defined on the firewall other than the native VLAN that exists (untagged).

 

As an alternative to the above, if I wanted to pass 10 OSPF routes from my L3 Juniper switch up to the SRX, and over to the SSG side, would I still need to configure the SRX/SSG the same as the Day One guide? If I were advertising the 10 routes from the L3 Juniper switch on each side of the VPN tunnel? Or would the SRX/SSG drop/not forward the OSPF traffic across the tunnel?

 

Sorry if I'm confusing you ... definitely not my intention. Normally this would be a non-issue, because we would have an L2VPN/VPLS (Metro Ethernet) solution ... but this exercise really has me intrigued about the capabilities of SRX/SSG with L3 switches in the mix, and forwarding OSPF across the tunnel. I have an environment with this exact scenario actually.

 

 

 

 

 

 

