SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to load balance on SRX

    Posted 10-11-2017 06:07

     

     

    I am very new to juniper and need some help

     

    I currently have one SRX 550M and two EX2200 switches; the diagram is below. We have two ISP connections: one is an ILL and the other is broadband.

     

    1. How do we load-balance traffic on the SRX across the available ISP connections?

    2. Currently one of the EX2200 switches is acting as the DHCP server, but the requirement is to move that role from the EX2200 to the SRX 550. How do I achieve this, i.e. remove the DHCP configuration from the switch and add it on the SRX?

    3. I also have two VLANs, 192.168.28.0/24 and 192.168.24.0/24. I need to segregate corporate traffic from the guest network (Wifi-Guest SSID). I guess I need a separate VLAN for that, or can we block it with some firewall rules?

     

    Network.png

    SRX Conf:

     

    ## Last commit: 2017-09-20 09:45:37 UTC by root
    version 15.1X49-D30.3;
    # SRX system settings as posted: root credentials (redacted), DNS resolvers,
    # enabled management services, local syslog files and licence auto-update.
    system {
    root-authentication {
    # Only root authentication is shown; no per-user login accounts appear in this
    # paste, and the header above says the last commit was made by root. The paste
    # may be trimmed - confirm whether named accounts exist.
    encrypted-password "password here"; ## SECRET-DATA
    # NOTE(review): the closing quote is missing on the next line (redaction
    # artifact); the statement would not parse as written.
    ssh-rsa "SSH Key here; ## SECRET-DATA
    }
    name-server {
    202.83.21.2;
    202.83.21.12;
    103.8.46.5;
    103.8.44.5;
    192.168.1.46;
    192.168.7.101;
    }
    services {
    ssh;
    # xnm-clear-text turns on the Junos XML management protocol over an
    # unencrypted TCP session, so logins and configuration cross the wire in
    # clear text. The untrust zone further down allows all host-inbound system
    # services, so as posted this listener is reachable on both ISP interfaces.
    # Remove it unless something depends on it; xnm-ssl is the encrypted variant.
    xnm-clear-text;
    web-management {
    https {
    # Self-signed certificate. No interface list is given here, so J-Web
    # reachability is governed only by the zones' host-inbound-traffic settings.
    system-generated-certificate;
    }
    }
    }
    syslog {
    # No remote host target is configured in this stanza: every log stays on the
    # device, and the archive sizes below are small.
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    # Only severity error is kept here; the switch configuration later in this
    # post logs interactive-commands at "any".
    interactive-commands error;
    }
    file policy_session {
    user info;
    match RT_FLOW;
    # world-readable lets any local account read the archived session logs.
    # None of the security policies shown below carries a "then log" action, so
    # presumably little or nothing is written to this file - verify on the box.
    archive size 1000k world-readable;
    structured-data;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    # RPM (real-time performance monitoring) probes: one ICMP test per uplink.
    # Each test pings a fixed target out of one ISP interface.
    # NOTE(review): no "services ip-monitoring" stanza appears in the posted
    # configuration, so as shown these probes only measure reachability; nothing
    # ties their result to the default routes - confirm against the full config.
    services {
    rpm {
    probe Syncron_ISP_Failover_Track {
    test TATA {
    probe-type icmp-ping;
    # Same address as the next-hop of the primary default route.
    target address 111.93.155.57;
    probe-count 5;
    probe-interval 3;
    test-interval 5;
    thresholds {
    successive-loss 5;
    total-loss 5;
    }
    destination-interface ge-0/0/0.0;
    }
    test ACT {
    probe-type icmp-ping;
    # Same address as the qualified (backup) next-hop of the default route.
    target address 106.51.64.1;
    probe-count 5;
    probe-interval 3;
    test-interval 5;
    thresholds {
    successive-loss 5;
    total-loss 5;
    }
    destination-interface ge-0/0/1.0;
    }
    }
    }
    }
    security {
    # IKE phase 1: one shared proposal, four policies and four gateways.
    # The gateways pair two peer addresses (52.48.134.12, 52.48.66.170) with the
    # two uplinks (ge-0/0/0.0 and ge-0/0/1.0). Names suggest the peers are AWS VPN
    # endpoints - presumably; confirm.
    ike {
    proposal AWS-SNHQ-ike-proposal {
    authentication-method pre-shared-keys;
    # group2 is the 1024-bit MODP group and SHA-1 is a legacy hash; both are the
    # weakest choices still commonly offered. Raise them if the remote end
    # accepts a stronger proposal.
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
    }
    # The pre-shared keys below were replaced with placeholders by the poster.
    policy ike_pol_INBAL1-SNHQ1 {
    mode main;
    proposals AWS-SNHQ-ike-proposal;
    pre-shared-key ascii-text "Key Here"; ## SECRET-DATA
    }
    policy ike_pol_INBAL1-SNHQ2 {
    mode main;
    proposals AWS-SNHQ-ike-proposal;
    pre-shared-key ascii-text "Key Here"; ## SECRET-DATA
    }
    policy ike_pol_INBAL2-SNHQ1 {
    mode main;
    proposals AWS-SNHQ-ike-proposal;
    pre-shared-key ascii-text "Key Here"; ## SECRET-DATA
    }
    policy ike_pol_INBAL2-SNHQ2 {
    mode main;
    proposals AWS-SNHQ-ike-proposal;
    pre-shared-key ascii-text "Key Here"; ## SECRET-DATA
    }
    # INBAL1 gateways leave via ge-0/0/0.0 (described as TATA under interfaces).
    gateway gw_INBAL1-SNHQ1 {
    ike-policy ike_pol_INBAL1-SNHQ1;
    address 52.48.134.12;
    dead-peer-detection;
    no-nat-traversal;
    external-interface ge-0/0/0.0;
    }
    gateway gw_INBAL1-SNHQ2 {
    ike-policy ike_pol_INBAL1-SNHQ2;
    address 52.48.66.170;
    dead-peer-detection;
    no-nat-traversal;
    external-interface ge-0/0/0.0;
    }
    # INBAL2 gateways reach the same two peers via ge-0/0/1.0 (described as ACT).
    gateway gw_INBAL2-SNHQ1 {
    ike-policy ike_pol_INBAL2-SNHQ1;
    address 52.48.134.12;
    dead-peer-detection;
    no-nat-traversal;
    external-interface ge-0/0/1.0;
    }
    gateway gw_INBAL2-SNHQ2 {
    ike-policy ike_pol_INBAL2-SNHQ2;
    address 52.48.66.170;
    dead-peer-detection;
    no-nat-traversal;
    external-interface ge-0/0/1.0;
    }
    }
    # IPsec phase 2: one ESP proposal, four identical policies, and four
    # route-based VPNs bound to st0.1 through st0.4.
    ipsec {
    proposal AWS-SNHQ-ipsec-proposal {
    protocol esp;
    # HMAC-SHA1-96 with AES-128-CBC; the same legacy-strength caveat applies as
    # for the IKE proposal.
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
    }
    # PFS is enabled on every policy, but with the 1024-bit group2.
    policy ipsec_pol_INBAL1-SNHQ1 {
    perfect-forward-secrecy {
    keys group2;
    }
    proposals AWS-SNHQ-ipsec-proposal;
    }
    policy ipsec_pol_INBAL1-SNHQ2 {
    perfect-forward-secrecy {
    keys group2;
    }
    proposals AWS-SNHQ-ipsec-proposal;
    }
    policy ipsec_pol_INBAL2-SNHQ1 {
    perfect-forward-secrecy {
    keys group2;
    }
    proposals AWS-SNHQ-ipsec-proposal;
    }
    policy ipsec_pol_INBAL2-SNHQ2 {
    perfect-forward-secrecy {
    keys group2;
    }
    proposals AWS-SNHQ-ipsec-proposal;
    }
    # Each VPN binds to its own st0 unit, enables vpn-monitor and is brought up
    # at commit time rather than on first traffic.
    vpn INBAL1-SNHQ1 {
    bind-interface st0.1;
    vpn-monitor;
    ike {
    gateway gw_INBAL1-SNHQ1;
    ipsec-policy ipsec_pol_INBAL1-SNHQ1;
    }
    establish-tunnels immediately;
    }
    vpn INBAL1-SNHQ2 {
    bind-interface st0.2;
    vpn-monitor;
    ike {
    gateway gw_INBAL1-SNHQ2;
    ipsec-policy ipsec_pol_INBAL1-SNHQ2;
    }
    establish-tunnels immediately;
    }
    vpn INBAL2-SNHQ1 {
    bind-interface st0.3;
    vpn-monitor;
    ike {
    gateway gw_INBAL2-SNHQ1;
    ipsec-policy ipsec_pol_INBAL2-SNHQ1;
    }
    establish-tunnels immediately;
    }
    vpn INBAL2-SNHQ2 {
    bind-interface st0.4;
    vpn-monitor;
    ike {
    gateway gw_INBAL2-SNHQ2;
    ipsec-policy ipsec_pol_INBAL2-SNHQ2;
    }
    establish-tunnels immediately;
    }
    }
    alg {
    ike-esp-nat {
    enable;
    }
    }
    flow {
    tcp-mss {
    ipsec-vpn {
    mss 1387;
    }
    }
    }
    # Screen (IDS) profile intended for the Internet-facing zone.
    # NOTE(review): the profile is only defined here. The security-zone untrust
    # stanza further down contains no "screen untrust-screen;" statement, so as
    # posted none of these checks is applied to traffic arriving from the ISPs.
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    # Source NAT: every flow from zone trust to zone untrust is translated to the
    # address of the egress interface, whichever uplink the route lookup selects.
    nat {
    source {
    rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule source-nat-rule {
    match {
    # Matches any source; the st0 tunnel interfaces are also in zone trust, so
    # traffic arriving over the VPN and routed to an ISP would be translated too.
    source-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    # Security policies. Three zone pairs are defined: trust->untrust,
    # trust->trust and vpn-bang1->vpn-bang1. No untrust->trust policy is shown.
    # None of the policies carries a "then log" action, so permitted sessions
    # leave no RT_FLOW record.
    policies {
    from-zone trust to-zone untrust {
    # Any source, any destination, any application: no egress filtering at all.
    policy trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone trust {
    # Zone trust contains both LAN interfaces and all st0 tunnel units, so this
    # rule permits everything between the LAN and the VPN peers in both directions.
    policy trust-to-trust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    # NOTE(review): zone vpn-bang1 has an address book but no interfaces in the
    # zones stanza below (the st0 units are listed under trust). As posted, no
    # traffic can enter or leave vpn-bang1, so the eight policies in this context
    # never match; tunnel traffic is governed by trust-to-trust instead.
    from-zone vpn-bang1 to-zone vpn-bang1 {
    policy policy_out_INBAL1-SNHQ1 {
    match {
    source-address addr_169_254_1_144_30;
    destination-address addr_52_48_134_8_29;
    application any;
    }
    then {
    permit;
    }
    }
    policy policy_in_INBAL1-SNHQ1 {
    match {
    source-address addr_52_48_134_8_29;
    destination-address addr_169_254_1_144_30;
    application any;
    }
    then {
    permit;
    }
    }
    # NOTE(review): this pair reuses addr_169_254_1_144_30. The address book also
    # defines addr_169_254_1_148_30, which matches st0.2 (169.254.1.150/30) and
    # is referenced nowhere - looks like a copy/paste slip; confirm.
    policy policy_out_INBAL1-SNHQ2 {
    match {
    source-address addr_169_254_1_144_30;
    destination-address addr_52_48_66_168_29;
    application any;
    }
    then {
    permit;
    }
    }
    policy policy_in_INBAL1-SNHQ2 {
    match {
    source-address addr_52_48_66_168_29;
    destination-address addr_169_254_1_144_30;
    application any;
    }
    then {
    permit;
    }
    }
    policy policy_out_INBAL2-SNHQ1 {
    match {
    source-address addr_169_254_1_152_30;
    destination-address addr_52_48_134_8_29;
    application any;
    }
    then {
    permit;
    }
    }
    policy policy_in_INBAL2-SNHQ1 {
    match {
    source-address addr_52_48_134_8_29;
    destination-address addr_169_254_1_152_30;
    application any;
    }
    then {
    permit;
    }
    }
    policy policy_out_INBAL2-SNHQ2 {
    match {
    source-address addr_169_254_1_156_30;
    destination-address addr_52_48_66_168_29;
    application any;
    }
    then {
    permit;
    }
    }
    policy policy_in_INBAL2-SNHQ2 {
    match {
    source-address addr_52_48_66_168_29;
    destination-address addr_169_254_1_156_30;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    # Security zones. host-inbound-traffic controls which services and protocols
    # the SRX itself answers on interfaces in the zone (traffic to the device,
    # not through it). Every zone here is set to "all" for both.
    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/2.0;
    ge-0/0/4.0;
    # The VPN tunnel units share the zone with the LAN, so the remote end of the
    # tunnels is trusted exactly like the local network.
    st0.1;
    st0.2;
    st0.3;
    st0.4;
    st0.0;
    }
    }
    # NOTE(review): highest-impact item in this post. The Internet-facing zone
    # accepts all system services and all protocols, at zone level and again on
    # each ISP interface. Combined with the rest of the configuration, SSH with
    # root credentials, J-Web, xnm-clear-text and SNMP (community "public",
    # read-write) are all offered to both ISPs. Replace "all" with the short list
    # the device really needs from outside (the IPsec gateways imply ike) and
    # attach the untrust-screen profile, which is defined but not referenced here.
    security-zone untrust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    ge-0/0/1.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    # Address book only; no interfaces are assigned to this zone in the paste.
    security-zone vpn-bang1 {
    address-book {
    address addr_169_254_1_144_30 169.254.1.144/30;
    address addr_52_48_134_8_29 52.48.134.8/29;
    address addr_169_254_1_148_30 169.254.1.148/30;
    address addr_52_48_66_168_29 52.48.66.168/29;
    address addr_169_254_1_152_30 169.254.1.152/30;
    address addr_169_254_1_156_30 169.254.1.156/30;
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    # SRX interfaces: two ISP uplinks, two /30 links towards the LAN side, and
    # the st0 tunnel units used by the four VPNs.
    interfaces {
    ge-0/0/0 {
    unit 0 {
    description TATA;
    family inet {
    address 111.93.155.58/30;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    description ACT;
    family inet {
    address 106.51.65.162/19;
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    description LAN;
    family inet {
    # Input filter FILTER steers LAN traffic into a per-ISP forwarding instance
    # by source prefix; see the firewall stanza.
    filter {
    input FILTER;
    }
    address 10.10.10.1/30;
    }
    }
    }
    # No input filter here: traffic arriving on ge-0/0/4 is routed from inet.0
    # and therefore always follows the primary default route.
    ge-0/0/4 {
    unit 0 {
    family inet {
    address 10.10.10.5/30;
    }
    }
    }
    st0 {
    unit 0 {
    family inet;
    }
    unit 1 {
    family inet {
    # Only unit 1 sets an MTU; units 2-4 keep the default. Presumably all four
    # tunnels should match - confirm.
    mtu 1436;
    address 169.254.1.146/30;
    }
    }
    unit 2 {
    family inet {
    address 169.254.1.150/30;
    }
    }
    unit 3 {
    family inet {
    address 169.254.1.154/30;
    }
    }
    unit 4 {
    family inet {
    address 169.254.1.158/30;
    }
    }
    }
    }
    # SNMP agent settings.
    # NOTE(review): the community string is the well-known default "public", it
    # is granted read-write, and its view includes the whole OID tree (.1). No
    # client list or interface restriction is shown, and the untrust zone permits
    # all host-inbound services, so as posted anyone who can reach either ISP
    # address can attempt SNMP writes. Use a non-default community restricted to
    # read-only and to known management hosts, or SNMPv3.
    snmp {
    description "Juniper Main Router";
    # A personal e-mail address was left in the public post.
    contact "ukesh.upendran@syncron.com";
    view jweb-view-all {
    oid .1 include;
    }
    community public {
    view jweb-view-all;
    authorization read-write;
    }
    }
    # Main-instance routing: interface routes are shared with the two forwarding
    # instances through rib-group IMPORT-PHY, and static routes cover the default
    # route and the LAN prefixes behind the switch.
    routing-options {
    interface-routes {
    rib-group inet IMPORT-PHY;
    }
    static {
    # Primary/backup, not load balancing: the plain next-hop uses the default
    # static preference, the qualified next-hop has the less-preferred value 100
    # and is used only when the first next-hop is unavailable.
    route 0.0.0.0/0 {
    next-hop 111.93.155.57;
    qualified-next-hop 106.51.64.1 {
    preference 100;
    }
    }
    # Both LAN prefixes are reached through the switch at 10.10.10.2.
    route 192.168.24.0/22 next-hop 10.10.10.2;
    route 192.168.28.0/22 next-hop 10.10.10.2;
    }
    rib-groups {
    IMPORT-PHY {
    export-rib inet.0;
    import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
    }
    }
    autonomous-system 65012;
    }
    # eBGP from local AS 65012 to peer AS 65001. The four neighbors sit in the
    # 169.254.1.x /30 subnets of st0.1-st0.4, so the sessions run inside the
    # IPsec tunnels.
    # NOTE(review): no import policy and no authentication-key appear under this
    # group; as shown, every route the peers advertise is accepted and, via the
    # rib-group, copied into both forwarding instances. An import policy limited
    # to the expected remote prefixes would bound that.
    protocols {
    bgp {
    group AWS-SNHQ-BGP-GROUP {
    type external;
    export export_bgp;
    peer-as 65001;
    neighbor 169.254.1.145 {
    family inet {
    unicast {
    rib-group IMPORT-PHY;
    }
    }
    }
    neighbor 169.254.1.149 {
    family inet {
    unicast {
    rib-group IMPORT-PHY;
    }
    }
    }
    neighbor 169.254.1.153 {
    family inet {
    unicast {
    rib-group IMPORT-PHY;
    }
    }
    }
    neighbor 169.254.1.157 {
    family inet {
    unicast {
    rib-group IMPORT-PHY;
    }
    }
    }
    }
    }
    }
    # Routing policies. Only export_bgp is referenced in the posted
    # configuration (as the BGP group's export policy); export-from-bgp and
    # import-from-bgp are defined but not applied anywhere shown.
    policy-options {
    policy-statement export-from-bgp {
    term 10 {
    from protocol bgp;
    then accept;
    }
    term 20 {
    then reject;
    }
    }
    policy-statement export_bgp {
    term 10 {
    from {
    protocol static;
    # Matches static routes inside 192.168.24.0/22 (192.168.24.0-192.168.27.255).
    # The static route 192.168.28.0/22 falls outside this filter, so this term
    # does not advertise it to the BGP peers - confirm that is intended.
    route-filter 192.168.24.0/22 orlonger;
    }
    then accept;
    }
    }
    policy-statement import-from-bgp {
    term 10 {
    from protocol bgp;
    then accept;
    }
    term 20 {
    then reject;
    }
    }
    }
    # Stateless filter applied as input on ge-0/0/2.0. It selects a forwarding
    # routing-instance by source prefix, which pins each LAN subnet to one ISP.
    # A Junos firewall filter ends with an implicit discard: packets that match
    # no term are dropped.
    firewall {
    filter FILTER {
    term Management {
    from {
    source-address {
    192.168.24.0/22;
    }
    }
    then {
    routing-instance routing-table-ISP1;
    }
    }
    term Employee {
    from {
    source-address {
    # NOTE(review): /23 covers 192.168.28.0-192.168.29.255 only, while the static
    # route and the switch's DHCP pool for this VLAN use 192.168.28.0/22. Hosts
    # in 192.168.30.0-192.168.31.255 match no term and hit the implicit discard.
    192.168.28.0/23;
    }
    }
    then {
    routing-instance routing-table-ISP2;
    }
    }
    # Traffic sourced from the SRX-switch link itself is accepted and routed
    # from the main table.
    term Uplink {
    from {
    source-address {
    10.10.10.0/30;
    }
    }
    then accept;
    }
    }
    }
    # Forwarding-type routing instances used by filter FILTER. Each holds a
    # default route with the two ISP gateways in opposite order, so each LAN
    # subnet prefers a different uplink and falls back to the other one.
    # Traffic is split per source subnet rather than balanced per flow.
    routing-instances {
    routing-table-ISP1 {
    instance-type forwarding;
    routing-options {
    static {
    route 0.0.0.0/0 {
    next-hop 111.93.155.57;
    qualified-next-hop 106.51.64.1 {
    preference 100;
    }
    }
    }
    }
    }
    routing-table-ISP2 {
    instance-type forwarding;
    routing-options {
    static {
    route 0.0.0.0/0 {
    next-hop 106.51.64.1;
    qualified-next-hop 111.93.155.57 {
    preference 100;
    }
    }
    }
    }
    }
    }
    # VLANs defined on the SRX.
    # NOTE(review): both reference irb units, but no irb interface appears in the
    # interfaces stanza of this paste and no SRX port is shown as a VLAN member.
    # Either the paste is incomplete or these are leftovers - confirm.
    vlans {
    vlan-trust {
    vlan-id 10;
    l3-interface irb.10;
    }
    vlan-trust1 {
    vlan-id 20;
    l3-interface irb.20;
    }
    }

     

     

    Switch Conf:

    ## Last commit: 2015-02-25 11:26:39 UTC by root
    version 12.3R9.4;
    # EX2200 system settings: root credentials (redacted), SSH and J-Web, the
    # local DHCP server the poster wants to move to the SRX, and syslog.
    system {
    root-authentication {
    encrypted-password "password here"; ## SECRET-DATA
    }
    services {
    ssh;
    web-management {
    https {
    system-generated-certificate;
    }
    }
    # DHCP server for both VLAN subnets.
    # NOTE(review): on the SRX side the only links towards the LAN are the /30
    # networks 10.10.10.0/30 and 10.10.10.4/30, so the SRX is not layer-2
    # adjacent to the clients. Moving the server there would presumably require
    # DHCP relay on this switch - confirm against the diagram.
    dhcp {
    name-server {
    202.83.21.2;
    202.83.21.12;
    103.8.46.5;
    103.8.44.5;
    }
    # Full debug tracing (every flag, every level) is left enabled.
    traceoptions {
    file dhcp_logfile;
    level all;
    flag all;
    }
    pool 192.168.24.0/22 {
    address-range low 192.168.24.50 high 192.168.27.254;
    name-server {
    103.8.46.5;
    103.8.44.5;
    202.83.21.2;
    202.83.21.12;
    }
    router {
    192.168.24.1;
    }
    }
    pool 192.168.28.0/22 {
    address-range low 192.168.28.50 high 192.168.31.254;
    name-server {
    103.8.46.5;
    103.8.44.5;
    202.83.21.2;
    202.83.21.12;
    # Two resolvers in 192.168.225.0 are handed out only to this pool.
    192.168.225.160;
    192.168.225.100;
    }
    router {
    192.168.28.1;
    }
    }
    }
    }
    # Local files only; no remote syslog host is configured in this stanza.
    syslog {
    user * {
    any emergency;
    }
    file messages {
    any notice;
    authorization info;
    }
    file interactive-commands {
    interactive-commands any;
    }
    }
    }
    # auto-image-upgrade lets the switch, when acting as a DHCP client, download
    # and install a software image indicated by the DHCP server. me0 is
    # configured as a DHCP client further down, so whoever answers DHCP on that
    # port can point the switch at an image - remove the statement if the
    # feature is not used.
    chassis {
    auto-image-upgrade;
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/3 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/4 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/5 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/6 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/7 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/8 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/9 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/10 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/11 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/12 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/13 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/14 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/15 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/16 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/17 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/18 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/19 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/20 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/21 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/22 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/23 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/24 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/25 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/26 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/27 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/28 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/29 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/30 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/31 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/32 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/33 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/34 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/35 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/36 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/37 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/38 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/39 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/40 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/41 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan20;
    }
    }
    }
    }
    ge-0/0/42 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/43 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/44 {
    unit 0 {
    family ethernet-switching {
    port-mode access;
    vlan {
    members vlan10;
    }
    }
    }
    }
    ge-0/0/45 {
    unit 0 {
    family inet {
    address 10.10.10.6/30;
    }
    }
    }
    # Trunk port carrying every VLAN ("members all"). Any VLAN added later, for
    # example a guest VLAN, is carried here automatically; list the intended
    # VLANs explicitly if that is not wanted.
    ge-0/0/46 {
    unit 0 {
    family ethernet-switching {
    port-mode trunk;
    vlan {
    members all;
    }
    }
    }
    }
    ge-0/0/47 {
    unit 0 {
    family inet {
    address 10.10.10.2/30;
    }
    }
    }
    ge-0/1/0 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/1/1 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/1/2 {
    unit 0 {
    family ethernet-switching;
    }
    }
    ge-0/1/3 {
    unit 0 {
    family ethernet-switching;
    }
    }
    me0 {
    unit 0 {
    family inet {
    dhcp {
    vendor-id Juniper-ex2200-48t-4g;
    }
    }
    }
    }
    # Layer-3 VLAN interfaces: the default gateways of both subnets live on the
    # switch. Traffic between 192.168.24.0/22 and 192.168.28.0/22 is therefore
    # routed here and never crosses the SRX, so SRX security policies cannot
    # separate the two networks. No firewall filter is applied to either unit.
    vlan {
    unit 10 {
    family inet {
    address 192.168.24.1/22;
    }
    }
    unit 20 {
    family inet {
    address 192.168.28.1/22;
    }
    }
    }
    vme {
    unit 0 {
    family inet {
    address 192.168.1.1/24;
    }
    }
    }
    }
    # SNMP agent settings on the switch.
    # NOTE(review): default community "public" with read-write authorization
    # over a view of the whole OID tree (.1), and no client restriction shown.
    # Any host that can reach the switch can attempt SNMP writes; use a
    # non-default, read-only community limited to management hosts, or SNMPv3.
    snmp {
    description "Router 1";
    contact "ukesh upendran";
    view jweb-view-all {
    oid .1 include;
    }
    community public {
    view jweb-view-all;
    authorization read-write;
    }
    health-monitor {
    interval 300;
    rising-threshold 80;
    falling-threshold 70;
    }
    }
    # Static routes on the switch; everything points at the SRX (10.10.10.1).
    # NOTE(review): 192.168.24.0/22, 192.168.28.0/22 and 10.10.10.0/30 are also
    # directly connected here (vlan.10, vlan.20 and ge-0/0/47), and direct routes
    # are preferred over statics, so only the default route has any effect.
    routing-options {
    static {
    route 0.0.0.0/0 next-hop 10.10.10.1;
    route 192.168.24.0/22 next-hop 10.10.10.1;
    route 192.168.28.0/22 next-hop 10.10.10.1;
    route 10.10.10.0/30 next-hop 10.10.10.1;
    }
    }
    # Layer-2 control protocols: IGMP snooping on all VLANs, RSTP, and LLDP /
    # LLDP-MED on every interface.
    # LLDP on "interface all" also announces device details on user-facing access
    # ports; restrict it to uplinks if that information should not be exposed.
    protocols {
    igmp-snooping {
    vlan all;
    }
    rstp;
    lldp {
    interface all;
    }
    lldp-med {
    interface all;
    }
    }
    ethernet-switching-options {
    voip;
    storm-control {
    interface all;
    }
    }
    # VLAN definitions: the default VLAN plus vlan10 (Management) and vlan20
    # (Employee), each with a routed interface on the switch. No guest VLAN
    # exists yet; the Wifi-Guest SSID mentioned in the question would need one
    # before it can be treated separately from corporate traffic.
    vlans {
    default;
    vlan10 {
    description Management;
    vlan-id 10;
    l3-interface vlan.10;
    }
    vlan20 {
    description Employee;
    vlan-id 20;
    l3-interface vlan.20;
    }
    }

    {master:0}

     

     



  • 2.  RE: How to load balance on SRX

     
    Posted 10-12-2017 21:16

    PFA.

    1) You can use either of the following for dual-ISP load balancing:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB23417

    2) To configure the SRX as a DHCP server, use:

    https://www.juniper.net/documentation/en_US/junos/topics/example/security-device-dhcp-server-configuring.html

    3) You can block the IP subnet on the firewall using a security policy.

    Eg :

    # Illustrative deny policy for one source subnet, trust -> untrust.
    # NOTE(review): three things to check before applying it to the posted SRX:
    #  - the name trust-to-untrust is already used by the permit-any policy in
    #    the same context, so these statements would change that policy; give
    #    the deny policy its own name and place it before the permit;
    #  - security policies normally reference address-book entries (or "any")
    #    rather than literal prefixes such as x.x.x.x/24 and 0/0;
    #  - this blocks the subnet from reaching the Internet. It does not separate
    #    guest from corporate hosts: in the posted switch configuration both VLAN
    #    gateways are on the EX2200, so inter-VLAN traffic never reaches the SRX.
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address x.x.x.x/24;   <<<< VLAN that you anted to block
                destination-address 0/0;
                application any;
            }
            then {
                deny;
            }
        }
    }
    }