SRX


SRX210 in band management in trunk mode

  • 1.  SRX210 in band management in trunk mode

    Posted 04-21-2017 06:44

    Hello all,

     

    I need your help to enable this scenario as attached, using ge0/0 in trunk mode with vlan20 "in band management" and vlan90 "traffic data". Fa2 to LAN. What do I need to configure to establish the connection and the rest of the networks?

     

    ge-0/0/0 {
        enable;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ TRAFICO TRAFICO-90 SLOT-1-IPQAM MONITOREO CANALES TRAFICO-130 GESTION-MONITOREO ];
                }
            }
        }
    }

     

    vlans {
        CANALES {
            vlan-id 120;
            l3-interface vlan.120;
        }
        GESTION-MONITOREO {
            vlan-id 100;
            l3-interface vlan.100;
        }
        MONITOREO {
            vlan-id 545;
            l3-interface vlan.545;
        }
        SLOT-1-IPQAM {
            vlan-id 21;
            l3-interface vlan.21;
        }
        TRAFICO {
            vlan-id 20;
            l3-interface vlan.20;
        }
        TRAFICO-130 {
            vlan-id 130;
            l3-interface vlan.130;
        }
        TRAFICO-90 {
            vlan-id 90;
            l3-interface vlan.90;
        }
        vlan-trust {
            vlan-id 10;
            l3-interface vlan.0;
        }
    }

     

    vlan {
        unit 0 {
            family inet {
                address 192.168.100.1/24;
            }
        }
        unit 20 {
            family inet {
                address 172.22.20.20/24;
            }
        }
        unit 21 {
            family inet {
                address 192.168.300.10/24;
            }
        }
        unit 90 {
            family inet {
                address 172.22.16.10/24;
            }
        }
        unit 100 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 120 {
            family inet {
                address 172.22.30.1/24;
            }
        }
        unit 130 {
            family inet {
                address 172.22.26.1/24;
            }
        }
        unit 545 {
            family inet {
                address 172.22.25.1/24;
            }
        }
    }
    }

     

     

    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.200.1;
        }
    }

     

     


    #SRX210inbandmanagment


  • 2.  RE: SRX210 in band management in trunk mode

     
    Posted 04-22-2017 06:01

    Not sure of the exact question here, so forgive me if this is not the right answer.

     

    If you need mgmt protocols to work on your TRAFICO vlan and vlan.20 interface, you need the zone that these are assigned to to permit the protocols under host-inbound-traffic for that zone.

     

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-system-service-zone-host-inbound-traffic.html



  • 3.  RE: SRX210 in band management in trunk mode

    Posted 04-24-2017 11:05

    Hello Spuluka,

     

    Thank you for your response.

     

    What I would like to do is to enable mgmt CLI over SSH on the SRX210 from vlan.20, local IP 172.22.20.20/24. I added the security zone but it still doesn't work. I try to ping and SSH but it does not respond. Sorry if I couldn't be clear with the requirement.

     

    ge-0/0/1 {
        enable;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ TRAFICO TRAFICO-90 SLOT-1-IPQAM MONITOREO CANALES TRAFICO-130 GESTION-MONITOREO ];
                }
            }
        }

     

     

    security {
        zones {
            security-zone guest {
                host-inbound-traffic {
                    system-services {
                        ping;
                        all;
                        snmp;
                        snmp-trap;
                        ssh;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                ssh;
                            }
                        }
                    }
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }

                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                snmp;
                                snmp-trap;
                                ping;
                            }
                        }
                    }
                }
            }
        }
    }

     

     

    root@SRX-VPN> show route

    inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 00:00:14
    > to 172.22.20.1 via vlan.20
    172.22.16.0/24 *[Direct/0] 00:00:14
    > via vlan.90
    172.22.16.10/32 *[Local/0] 00:38:47
    Local via vlan.90
    172.22.20.0/24 *[Direct/0] 00:00:14
    > via vlan.20
    172.22.20.20/32 *[Local/0] 00:38:47
    Local via vlan.20
    172.22.25.0/24 *[Direct/0] 00:00:14
    > via vlan.545
    172.22.25.1/32 *[Local/0] 00:38:47
    Local via vlan.545
    172.22.26.0/24 *[Direct/0] 00:00:14
    > via vlan.130
    172.22.26.1/32 *[Local/0] 00:38:47
    Local via vlan.130
    172.22.30.0/24 *[Direct/0] 00:00:14
    > via vlan.120
    172.22.30.1/32 *[Local/0] 00:38:47
    Local via vlan.120
    192.168.1.0/24 *[Direct/0] 00:00:14
    > via vlan.100
    192.168.1.1/32 *[Local/0] 00:38:47
    Local via vlan.100
    192.168.100.1/32 *[Local/0] 00:38:47
    Reject
    192.168.200.0/24 *[Direct/0] 00:00:14
    > via vlan.21
    192.168.200.10/32 *[Local/0] 00:38:47
    Local via vlan.21
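
An added example, not part of the thread: a small Python audit that parses a brace-style Junos configuration and reports `l3-interface` VLAN units that are bound to no security zone (the condition the accepted answer in this thread points at for vlan.20) and every scope where `host-inbound-traffic` permits `all`. The sample is a constructed, condensed copy of the posted configuration; `parse`, `services` and `audit` are hypothetical helper names, and the parser assumes balanced braces and no quoted strings.

```python
import re

# Constructed sample: condensed from the configuration posted in this thread.
SAMPLE = """
vlans {
    TRAFICO { vlan-id 20; l3-interface vlan.20; }
    vlan-trust { vlan-id 10; l3-interface vlan.0; }
}
security { zones { security-zone guest {
    host-inbound-traffic { system-services { ping; all; ssh; } }
    interfaces {
        ge-0/0/1.0 { host-inbound-traffic { system-services { all; ssh; } } }
        vlan.0 { host-inbound-traffic { system-services { ssh; ping; } } }
    }
} } }
"""

def parse(text):
    """Parse brace-style Junos config into nested dicts (leaf statements map to None)."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return stack[0]

def services(node):
    """System services permitted under host-inbound-traffic of a zone or zone interface."""
    return set(((node or {}).get("host-inbound-traffic") or {}).get("system-services") or {})

def audit(cfg):
    """Report L3 VLAN interfaces bound to no zone and every scope that permits 'all'."""
    l3 = {k.split()[1] for v in cfg.get("vlans", {}).values() for k in v if k.startswith("l3-interface ")}
    bound, grants_all = set(), []
    for zname, zone in cfg.get("security", {}).get("zones", {}).items():
        if "all" in services(zone):
            grants_all.append(zname)
        for ifname, ifcfg in zone.get("interfaces", {}).items():
            bound.add(ifname)  # interface is a member of this zone
            if "all" in services(ifcfg):
                grants_all.append(f"{zname} / {ifname}")
    return {"l3_without_zone": sorted(l3 - bound), "grants_all": grants_all}
```

Calling `audit(parse(SAMPLE))` lists `vlan.20` under `l3_without_zone`; the `grants_all` entries are places where the permitted services could be narrowed to only `ssh` and `ping` for a management VLAN.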

     



  • 4.  RE: SRX210 in band management in trunk mode
    Best Answer

     
    Posted 04-25-2017 03:38

    You will need to add the vlan.20 interface to the security zone, not the trunk port.

     

    interfaces {
    ge-0/0/1.0 { ----- remove and replace with vlan.20
    host-inbound-traffic {
    system-services {
    all;
    ssh;
    }