SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX100 and Unifi AP - 2 subnets on 1 interface required

    Posted 04-19-2018 15:01

    Hello everybody

    I have the following setup

    modem --> SRX100 --> Netgear GS716Tv3 switch --> (rest of the network including Hyper-V infrastructure, DC/DHCP, and Unifi WAP)

     

    On the SRX100 I have the following interfaces that are all part of vlan1, configured with an IP address of 192.168.1.254/24, and a Windows Server (DC) is the DHCP server for this subnet.

    fe-0/0/1 - fe-0/0/6

     

    Interface fe-0/0/7 is currently configured with IP address 10.0.20.1/24 and the SRX100 is the DHCP server for this subnet (the Unifi Access Point is plugged into it and it works fine).


    Here is what I need to do:

    Interfaces fe-0/0/1 - fe-0/0/6 are OK - no changes needed.
    I want to have 2 subnets on interface fe-0/0/7 - one of these subnets (10.0.20.1/24) will be used for home Wi-Fi and the second must be the same as the existing subnet on interfaces fe-0/0/1 - fe-0/0/6 (192.168.1.254/24).


    I tried to change interface fe-0/0/7 to vlan-tagging and created two VLANs on this interface, but once I added 192.168.1.254/24 the site lost access to the Internet.

     

    My question is: how do I create 2 subinterfaces (or VLANs) on the fe-0/0/7 interface so that the Unifi AP that is connected to this interface has two Wi-Fi networks on two different subnets (one of them able to communicate with the office Hyper-V infrastructure on the 192.168.1.0/24 subnet)?

     

    I'm new to the Juniper CLI, so please support your suggestions with commands to run if possible.

    Any help would be much appreciated. Thank you.



  • 2.  RE: SRX100 and Unifi AP - 2 subnets on 1 interface required
    Best Answer

    Posted 04-21-2018 07:32

    It sounds like you have fe-0/0/7 defined as “family inet”, but it sounds like you want to configure it for “family ethernet-switching”, “port-mode trunk”, and add the vlans with “vlan members”.  You will also have to add the new “vlan interface” to a security zone. 

      

    (Without seeing your config, this probably won’t be a direct “copy and paste” into your config, but it should give you an idea of what would be required.)

     

    set interfaces fe-0/0/7 description "Trunk Interface"

    set interfaces fe-0/0/7 unit 0 family ethernet-switching port-mode trunk   

    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members Home

    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members HyperV

    set interfaces fe-0/0/7 unit 0 family ethernet-switching native-vlan-id 3          <<sends untagged packets to Home VLAN, may or may not be needed for your config

     

    set interfaces vlan unit 3 description "Home VLAN"

    set interfaces vlan unit 3 family inet address 10.0.20.1/24

    set interfaces vlan unit 4 description "Hyper-V VLAN"

    set interfaces vlan unit 4 family inet address 192.168.1.1/24

     

    set security zones security-zone Home interfaces vlan.3

    set security zones security-zone HyperV interfaces vlan.4

     

    set vlans Home vlan-id 3

    set vlans Home l3-interface vlan.3

    set vlans HyperV vlan-id 4

    set vlans HyperV l3-interface vlan.4

     



  • 3.  RE: SRX100 and Unifi AP - 2 subnets on 1 interface required

    Posted 04-23-2018 13:32

    Thanks JLB_H

    I applied configuration remotely but didn't have a chance to test. I'll be on site tomorrow morning to test and I'll let you know the outcome.

    By the way, here is my configuration (only the relevant portion of it).

     

    Policy CAS_LAN_to_HOME_LAN is just to be able to ping for troubleshooting purposes. Please let me know if this looks OK to you.

     

    Attachment(s)

    txt
    config.txt   2 KB 1 version


  • 4.  RE: SRX100 and Unifi AP - 2 subnets on 1 interface required

    Posted 04-23-2018 16:19

    From your included config snippets:

     

    1. Your “interface-range interfaces-trust” still includes “fe-0/0/7”, but in the config snippet shown, the interface range really isn’t doing anything. Depending on what is missing, this might cause issues trying to commit this config.
    2. Interfaces vlan.1 and vlan.4 have addresses within the same subnet. You probably don’t want this, and it may not commit.  If it does, you might have some unexpected results.
    3. Your source NAT rule is written for “security zone trust”, but using addresses from “security zone Home” and “security zone Office”. If you’re expecting source NAT to work to the Internet, you might be in for a surprise.
    4. Your policy is set up from “trust” to “home”, but you’ve defined addresses that appear to be from “Office” to “Home”.
    5. I personally prefer my VLAN id to match my VLAN unit number, but it really shouldn’t cause any issues as long as you can keep track of what is what.
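
The overlap flagged in point 2 of the reply above, and the zone binding the earlier answer says each new vlan interface needs, can be checked before committing. This is an added example, not part of the thread or of Junos; the sample configuration is constructed from the addresses quoted in the posts, and the checker handles one IPv4 address per unit.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in Junos "set" format, modelled on the thread:
# vlan.1 and vlan.4 both sit in 192.168.1.0/24, and vlan.4 has no zone.
SAMPLE_CONFIG = """
set interfaces vlan unit 1 family inet address 192.168.1.254/24
set interfaces vlan unit 3 family inet address 10.0.20.1/24
set interfaces vlan unit 4 family inet address 192.168.1.1/24
set security zones security-zone trust interfaces vlan.1
set security zones security-zone Home interfaces vlan.3
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")


def parse(config):
    """Return ({logical_interface: network}, {logical_interface: zone})."""
    nets, zones = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            ifl = f"{m.group(1)}.{m.group(2)}"
            # ip_interface accepts a host address with prefix, e.g. 10.0.20.1/24
            nets[ifl] = ipaddress.ip_interface(m.group(3)).network
        elif m := ZONE_RE.match(line):
            zones[m.group(2)] = m.group(1)
    return nets, zones


def audit(config):
    """List findings: overlapping L3 subnets and L3 units bound to no zone."""
    nets, zones = parse(config)
    findings = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.overlaps(net_b):
            findings.append(f"overlap: {a} ({net_a}) and {b} ({net_b})")
    for ifl in sorted(nets):
        if ifl not in zones:
            findings.append(f"no-zone: {ifl}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
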


  • 5.  RE: SRX100 and Unifi AP - 2 subnets on 1 interface required

    Posted 04-24-2018 01:31

    I'm referring to point 2 you mentioned:

     

    2. Interfaces vlan.1 and vlan.4 have addresses within the same subnet. You probably don’t want this, and it may not commit.  If it does, you might have some unexpected results.

     

    Yes, I am aware they are on the same subnet, but that was stated in my original question. I want devices connected to vlan.4 to be able to communicate with the office network/servers on the 192.168.1.254/24 subnet.

     

    In this case, should I keep these 2 VLANs on interface fe-0/0/7 (vlan.3 and vlan.4), or leave this interface in vlan.1 for untagged packets to be sent to my Unifi AP and then have only 1 VLAN on this interface for subnet 10.0.20.0/24 for Home Wi-Fi?



  • 6.  RE: SRX100 and Unifi AP - 2 subnets on 1 interface required

    Posted 04-24-2018 01:53

    I just realised that I don't have to have Office vlan.4 on the same subnet as vlan.1 for them to be able to communicate. I can just create policies to allow traffic.



  • 7.  RE: SRX100 and Unifi AP - 2 subnets on 1 interface required

    Posted 04-24-2018 06:12

    OK, I addressed all your suggestions. Please see the config attached.

     

     

    The problem I'm having now is that the DHCP service I created on vlan.3 is not distributing IP addresses to clients. Any idea why?

    Also, I am unable to create another DHCP server on vlan.4. After running the commands below to add DHCP on vlan.4, the DHCP pool is being added to vlan.3 instead of vlan.4. Any idea why?

    set system services dhcp pool 192.168.10.0/24 address-range low 192.168.10.10
    set system services dhcp pool 192.168.10.0/24 address-range high 192.168.10.199
    set system services dhcp pool 192.168.10.0/24 router 192.168.10.1
    set system services dhcp propagate-settings vlan.4

     

    I then tried having two DHCP pools on the fe-0/0/7 interface but that didn't work either.

     

    Another problem: even after assigning a static IP address in the 10.0.20.0/24 subnet to my laptop, I was unable to connect to the Internet, so I think there is some problem with the NAT policies.

     

    Is there any problem with the config, or should I look elsewhere (switch/WAP) for problems?

    Attachment(s)

    txt
    config.txt   16 KB 1 version


  • 8.  RE: SRX100 and Unifi AP - 2 subnets on 1 interface required

    Posted 04-24-2018 07:09

    I'm not sure I understand the reasoning for both "vlan1" and "Home". If they need to be on the same subnet, why not use a single VLAN/zone?

     

    I haven't used the "old" method for configuring DHCP in a while; the "new style" DHCP config would look something like this:


    set system services dhcp-local-server group DHCP interface vlan.20

    set system services dhcp-local-server group DHCP interface vlan.22
    set access address-assignment pool Home family inet network 192.168.20.0/24
    set access address-assignment pool Home family inet range RANGE-20 low 192.168.20.1
    set access address-assignment pool Home family inet range RANGE-20 high 192.168.20.199
    set access address-assignment pool Home family inet dhcp-attributes server-identifier 192.168.20.254
    set access address-assignment pool Home family inet dhcp-attributes domain-name home.com
    set access address-assignment pool Home family inet dhcp-attributes name-server 192.168.20.223
    set access address-assignment pool Home family inet dhcp-attributes router 192.168.20.254

    set access address-assignment pool Lab family inet network 172.22.0.0/24
    set access address-assignment pool Lab family inet range RANGE-172-22-0 low 172.22.0.50
    set access address-assignment pool Lab family inet range RANGE-172-22-0 high 172.22.0.99
    set access address-assignment pool Lab family inet dhcp-attributes server-identifier 172.22.0.254
    set access address-assignment pool Lab family inet dhcp-attributes domain-name lab.com
    set access address-assignment pool Lab family inet dhcp-attributes name-server 208.67.222.222
    set access address-assignment pool Lab family inet dhcp-attributes name-server 208.67.220.220
    set access address-assignment pool Lab family inet dhcp-attributes router 172.22.0.254


    As for your NAT config, you've done it a little differently than I normally would...

    set security nat source rule-set Home_to_untrust from zone Home
    set security nat source rule-set Home_to_untrust to zone untrust
    set security nat source rule-set Home_to_untrust rule src-nat-Home match source-address 0.0.0.0/0
    set security nat source rule-set Home_to_untrust rule src-nat-Home then source-nat interface
    set security nat source rule-set Lab_to_untrust from zone Lab
    set security nat source rule-set Lab_to_untrust to zone untrust
    set security nat source rule-set Lab_to_untrust rule src-nat-Lab match source-address 0.0.0.0/0
    set security nat source rule-set Lab_to_untrust rule src-nat-Lab then source-nat interface



  • 9.  RE: SRX100 and Unifi AP - 2 subnets on 1 interface required

    Posted 04-26-2018 01:38

    Thanks for your reply.

    It is vlan1 and "Office" that need to be on the same subnet. Home needs to be separated from the rest of the network. I wasn't sure if I can have the fe-0/0/7 interface added to the same zone and VLAN as the other interfaces and then have another "subinterface" on fe-0/0/7 in another zone/subnet. I thought that the only way to achieve what I need was by having 2 VLANs on the fe-0/0/7 interface, but now I know I was wrong.

     

    Thanks for the DHCP/NAT commands; I'll try them next week once I'm in the office.



  • 10.  RE: SRX100 and Unifi AP - 2 subnets on 1 interface required

    Posted 04-03-2019 10:55

    Hi,

     

    After almost 12 months I finally had a chance to readdress this issue and decided to send an update for everyone else who might be experiencing the same problem.

    The solution above pretty much worked, but the DHCP problem I was experiencing was due to:

    1. I was assigning the DHCP service to VLANs using an incorrect command. I was using

    set system services dhcp propagate-settings vlan.3,vlan.4

    That didn't work.

    Instead I ran the following commands for each DHCP pool respectively

    set system services dhcp pool 10.0.20.0/24 propagate-settings vlan.3

    set system services dhcp pool 192.168.10.0/24 propagate-settings vlan.4

    2. I had the 'stp' protocol enabled.

    After running the following command I realised that my vlan interfaces were set to 'blocked by stp':

    show ethernet-switching interfaces

    This was causing the Wi-Fi clients connected to vlan.1 and vlan.3 to not receive IP addresses from DHCP. After I ran the following command, the 'tagged' interfaces changed their status to 'unblocked' and DHCP started distributing IP addresses to clients on these two VLANs.

    disable protocols stp

     

    At this stage I'm not sure if it is safe to leave this protocol disabled and I'll have to do some more research on this; however, disabling STP resolved my problem.

    If anyone would be willing to shed some light on whether it is safe to leave this protocol disabled or not, that would be great.

    Or maybe I should disable this protocol only on my trunk interface?

    Thanks for your help.