SRX

Expand all | Collapse all

SRX320, single lan accessed on two ports

Jump to Best Answer
  • 1.  SRX320, single lan accessed on two ports

    Posted 11-08-2018 04:12

    Hi there,

     

    I have a srx-320 in a test environment with this config:

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.20.30.2/29;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.20.31.1/24;
                }
            }
        }
    }

     

     

    I'm searching for a solution to have the same network address 10.20.31.0/24 on both ge-0/0/1 and ge-0/0/2. I have 2 switches and would like to connect each switch to each own port on the srx320. I'm prefer inet before ethernet switching if it's possible. Thank you for your help.



  • 2.  RE: SRX320, single lan accessed on two ports

     
    Posted 11-08-2018 05:13

    You need to configure both interfaces as family ethernet-switching, assign them to a vlan and ceate irb interface for l3 connectivity

    delete interfaces ge-0/0/1
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
    set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 10
    set interface irb.10 family inet address 10.20.31.1/24
    set vlans vlan10 vlan-id 10
    set vlans vlan10 l3-interface irb.10

    Regards, Wojtek



  • 3.  RE: SRX320, single lan accessed on two ports

    Posted 11-08-2018 06:43

    Tha nk You very much, it's great. My dhcp service stop working and I've changed the dhcp groups ge-0.0.0/0 to irb.10. Can you help?  this is my complete configuration:

     

    ## Last changed: 2018-11-08 13:37:02 GMT+1
    version 15.1X49-D150.2;
    system {
        host-name ALPSWALL_TEST;
        time-zone GMT+1;
        root-authentication {
            encrypted-password "greatpassword";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            xnm-clear-text;
            dhcp-local-server {
                group irbgroup {
                    interface irb.10;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    chassis {
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    security {
        alg {
            dns disable;
            ftp disable;
            h323 disable;
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            rtsp disable;
            sccp disable;
            sip disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone [ DMZ Internal ];
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internet to-zone DMZ {
                policy All_Internet_DMZ {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy alllow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone DMZ to-zone Internet {
                policy alllow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy allow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy allow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone DMZ {
                policy All_Internal_DMZ {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy allow_lan_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone DMZ to-zone Internal {
                policy allow_lan_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal;
            security-zone DMZ;
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.20.30.2/29;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                }
            }
        }
        irb {
            unit 10 {
                family inet {
                    address 10.20.31.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.20.30.1;
        }
    }
    access {
        address-assignment {
            pool irbpool {
                family inet {
                    network 10.20.31.1/24;
                    range irbrange {
                        low 10.20.31.100;
                        high 10.20.31.200;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            10.20.31.1;
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan10 {
            vlan-id 10;
            l3-interface irb.10;
        }
    }



  • 4.  RE: SRX320, single lan accessed on two ports

    Posted 11-08-2018 07:54
    I think you forgot to add vlan10 as vlan members in ge-0/0/1 and ge-0/0/2 interfaces.


  • 5.  RE: SRX320, single lan accessed on two ports

    Posted 11-09-2018 01:45

    Thank You for helping out here  🙂

     

    So, I added both ge-0/0/1.0 and ge-0/0/2.0 to vlan10 in access mode, and here are my present config, below. Jdhcp still not giving addresses to clients. But even when I manually add ip on client 10.20.31.201, 255.255.255.0, GW 10.20.31.1, dns 8.8.8.8 the client does not get access to network.

     

    What I'm I missing? Thank you..

     

    ## Last changed: 2018-11-09 08:24:56 GMT+1
    version 15.1X49-D150.2;
    system {
        host-name ALPSWALL_TEST;
        time-zone GMT+1;
        root-authentication {
            encrypted-password "greatpassword";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            xnm-clear-text;
            dhcp-local-server {
                group dhcpgroup {
                    interface irb.10;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    chassis {
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    security {
        alg {
            dns disable;
            ftp disable;
            h323 disable;
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            rtsp disable;
            sccp disable;
            sip disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone [ DMZ Internal ];
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internet to-zone DMZ {
                policy All_Internet_DMZ {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy alllow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone DMZ to-zone Internet {
                policy alllow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy allow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy allow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone DMZ {
                policy All_Internal_DMZ {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy allow_lan_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone DMZ to-zone Internal {
                policy allow_lan_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal;
            security-zone DMZ;
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.20.30.2/29;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan10;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan10;
                    }
                }
            }
        }
        irb {
            unit 10 {
                family inet {
                    address 10.20.31.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.20.30.1;
        }
    }
    access {
        address-assignment {
            pool jdhcppool {
                family inet {
                    network 10.20.31.0/24;
                    range jdhcppool {
                        low 10.20.31.100;
                        high 10.20.31.200;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            10.20.31.1;
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan10 {
            vlan-id 10;
            l3-interface irb.10;
        }
    }



  • 6.  RE: SRX320, single lan accessed on two ports
    Best Answer

    Posted 11-09-2018 02:28

    Please add irb.10 interfaces to Security Zone  and allow host-inbound traffic to allow dhcp

    set security zones security-zone Internal host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces irb.10

     



  • 7.  RE: SRX320, single lan accessed on two ports

    Posted 11-09-2018 04:10

    Thank You.  It working perfectly, here is my test configfor any who might need it


    @Nellikka wrote:

    Please add irb.10 interfaces to Security Zone  and allow host-inbound traffic to allow dhcp

    set security zones security-zone Internal host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces irb.10

     



    :

     

    ## Last changed: 2018-11-09 11:08:45 GMT+1
    version 15.1X49-D150.2;
    system {
        host-name ALPSWALL_TEST;
        time-zone GMT+1;
        root-authentication {
            encrypted-password "greatpassword";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            xnm-clear-text;
            dhcp-local-server {
                group dhcpgroup {
                    interface irb.10;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    chassis {
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    security {
        alg {
            dns disable;
            ftp disable;
            h323 disable;
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            rtsp disable;
            sccp disable;
            sip disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy allow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                    }
                }
                interfaces {
                    irb.10;
                }
            }
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.20.30.2/29;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan10;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan10;
                    }
                }
            }
        }
        irb {
            unit 10 {
                family inet {
                    address 10.20.31.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.20.30.1;
        }
    }
    access {
        address-assignment {
            pool jdhcppool {
                family inet {
                    network 10.20.31.0/24;
                    range jdhcppool {
                        low 10.20.31.100;
                        high 10.20.31.200;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            10.20.31.1;
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan10 {
            vlan-id 10;
            l3-interface irb.10;
        }
    }