SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX320, single lan accessed on two ports

    Posted 11-08-2018 04:12

    Hi there,

     

    I have a srx-320 in a test environment with this config:

     

    /* Starting point: each port is its own L3 subnet (family inet). The post asks
       for one /24 (10.20.31.0/24) reachable on both ge-0/0/1 and ge-0/0/2; the
       thread's answer (reply 2) is to make both ports ethernet-switching members
       of one VLAN and move the 10.20.31.1/24 address to an irb interface. */
    interfaces {
        /* Upstream link; the default route in the later configs points to 10.20.30.1. */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.20.30.2/29;
                }
            }
        }
        /* LAN gateway, currently on a single physical port. */
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.20.31.1/24;
                }
            }
        }
    }

     

     

    I'm searching for a solution to have the same network address 10.20.31.0/24 on both ge-0/0/1 and ge-0/0/2. I have 2 switches and would like to connect each switch to its own port on the SRX320. I would prefer family inet over ethernet-switching if that's possible. Thank you for your help.



  • 2.  RE: SRX320, single lan accessed on two ports

     
    Posted 11-08-2018 05:13

    You need to configure both interfaces as family ethernet-switching, assign them to a VLAN, and create an irb interface for L3 connectivity.

    # Reply 2: turn ge-0/0/1 and ge-0/0/2 into L2 access ports in VLAN 10 and make
    # irb.10 the shared L3 gateway for 10.20.31.0/24.
    # Deleting ge-0/0/1 also removes its existing 10.20.31.1/24 inet address.
    delete interfaces ge-0/0/1
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
    set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 10
    # NOTE(review): abbreviated form; the full hierarchy, as it appears in the
    # posted configs, is `set interfaces irb unit 10 family inet address 10.20.31.1/24`.
    set interface irb.10 family inet address 10.20.31.1/24
    set vlans vlan10 vlan-id 10
    set vlans vlan10 l3-interface irb.10
    # Not covered here: irb.10 must also be placed in a security zone with
    # host-inbound-traffic for dhcp, otherwise the SRX drops LAN traffic and
    # DHCP requests on it (this is what reply 6 adds).

    Regards, Wojtek



  • 3.  RE: SRX320, single lan accessed on two ports

    Posted 11-08-2018 06:43

    Thank you very much, it's great. My DHCP service stopped working, and I've changed the DHCP group from ge-0.0.0/0 to irb.10. Can you help? This is my complete configuration:

     

    ## Last changed: 2018-11-08 13:37:02 GMT+1
    /* Reply 3: full configuration after converting ge-0/0/1 and ge-0/0/2 to
       ethernet-switching as suggested in reply 2. Lab device; DHCP stopped
       working after the change (see the zones section for the root cause). */
    version 15.1X49-D150.2;
    system {
        host-name ALPSWALL_TEST;
        time-zone GMT+1;
        root-authentication {
            /* NOTE(review): a Junos encrypted-password is a hash ($1$/$5$/$6$...);
               this literal is presumably a placeholder inserted before posting. */
            encrypted-password "greatpassword";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            /* xnm-clear-text is the unencrypted JUNOScript (XML-RPC) management
               service. With the Internet zone below admitting all system-services
               on ge-0/0/0.0, it is reachable from the upstream side; xnm-ssl or
               NETCONF over ssh are the encrypted alternatives, or remove it. */
            xnm-clear-text;
            /* DHCP server now bound to irb.10. irb.10 is not a member of any
               security zone in this config, so the SRX does not accept DHCP
               requests arriving on it (resolved in reply 6). */
            dhcp-local-server {
                group irbgroup {
                    interface irb.10;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            /* NOTE(review): public NTP pool names have the form us.pool.ntp.org;
               confirm this hostname is intended, otherwise time sync (and the
               timestamps in the syslog files above) will not be correct. */
            server us.ntp.pool.org;
        }
    }
    chassis {
        /* Two ae (LAG) interfaces reserved; none is configured under interfaces below. */
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    security {
        /* All ALGs disabled: the SRX opens no protocol-aware pinholes for these applications. */
        alg {
            dns disable;
            ftp disable;
            h323 disable;
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            rtsp disable;
            sccp disable;
            sip disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        /* Screen profile untrust-screen is defined but no security-zone below
           references it (no `screen untrust-screen;` statement), so these
           checks are not active on any interface. */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        /* Interface-based source NAT for DMZ and Internal toward Internet, i.e.
           to ge-0/0/0's 10.20.30.2 address. */
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone [ DMZ Internal ];
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        /* Every policy in this section is any/any/any permit, including
           Internet->DMZ and Internet->Internal, so the firewall places no
           restriction on inbound traffic that is routable to the LAN. Fine for
           an isolated lab; before facing a real untrusted network the
           Internet->* policies should match specific destinations and
           applications. Policies are evaluated first-match, so in each zone
           pair below the second policy is shadowed and never matches. */
        policies {
            from-zone Internet to-zone DMZ {
                policy All_Internet_DMZ {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                /* Shadowed by All_Internet_DMZ above (identical match). */
                policy alllow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone DMZ to-zone Internet {
                policy alllow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                /* Policy names here and below (allow_internet_to_dmz under
                   Internal->Internet and Internet->Internal, allow_lan_to_dmz
                   under DMZ->Internal) do not describe their direction, which
                   makes the rulebase hard to audit. */
                policy allow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy allow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone DMZ {
                policy All_Internal_DMZ {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy allow_lan_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone DMZ to-zone Internal {
                policy allow_lan_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            /* Internal and DMZ contain no interfaces: irb.10, the new LAN
               gateway, belongs to no zone, and the SRX flow engine drops traffic
               on zone-less interfaces. This is the root cause of the LAN/DHCP
               outage reported in replies 3 and 5; reply 6 adds irb.10 to
               Internal. */
            security-zone Internal;
            security-zone DMZ;
            /* host-inbound-traffic all/all on the upstream interface makes every
               configured management service (ssh, https web-management,
               xnm-clear-text) reachable from the Internet zone. In this lab that
               zone is the private 10.20.30.0/29 upstream; on a real edge limit
               this to the services actually needed (e.g. ping) and manage the
               device from Internal. */
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.20.30.2/29;
                }
            }
        }
        /* ge-0/0/1 and ge-0/0/2 are access ports, but without a
           `vlan members vlan10` statement they are not in vlan10 yet
           (reply 4 points this out). */
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                }
            }
        }
        /* Routed interface for vlan10, carrying the former ge-0/0/1 address. */
        irb {
            unit 10 {
                family inet {
                    address 10.20.31.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.20.30.1;
        }
    }
    access {
        address-assignment {
            pool irbpool {
                family inet {
                    /* NOTE(review): host bits are set in the pool prefix; the
                       next revision (reply 5) uses 10.20.31.0/24. */
                    network 10.20.31.1/24;
                    range irbrange {
                        low 10.20.31.100;
                        high 10.20.31.200;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            10.20.31.1;
                        }
                    }
                }
            }
        }
    }
    vlans {
        /* irb.10 is vlan10's routed (L3) interface. */
        vlan10 {
            vlan-id 10;
            l3-interface irb.10;
        }
    }



  • 4.  RE: SRX320, single lan accessed on two ports

    Posted 11-08-2018 07:54
    I think you forgot to add vlan10 as a VLAN member on the ge-0/0/1 and ge-0/0/2 interfaces.


  • 5.  RE: SRX320, single lan accessed on two ports

    Posted 11-09-2018 01:45

    Thank You for helping out here  🙂

     

    So, I added both ge-0/0/1.0 and ge-0/0/2.0 to vlan10 in access mode, and my present config is below. JDHCP is still not giving addresses to clients. But even when I manually set a client to 10.20.31.201, 255.255.255.0, GW 10.20.31.1, DNS 8.8.8.8, the client does not get access to the network.

     

    What am I missing? Thank you.

     

    ## Last changed: 2018-11-09 08:24:56 GMT+1
    /* Reply 5: vlan membership and the pool prefix are fixed, yet DHCP and even
       statically addressed LAN clients still have no connectivity. The remaining
       defect is in the zones section: irb.10 is in no security zone. */
    version 15.1X49-D150.2;
    system {
        host-name ALPSWALL_TEST;
        time-zone GMT+1;
        root-authentication {
            /* NOTE(review): a Junos encrypted-password is a hash ($1$/$5$/$6$...);
               this literal is presumably a placeholder inserted before posting. */
            encrypted-password "greatpassword";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            /* xnm-clear-text is the unencrypted JUNOScript (XML-RPC) management
               service. With the Internet zone below admitting all system-services
               on ge-0/0/0.0, it is reachable from the upstream side; xnm-ssl or
               NETCONF over ssh are the encrypted alternatives, or remove it. */
            xnm-clear-text;
            /* DHCP server bound to irb.10, which is still in no security zone
               (see zones below), so requests on it are not accepted. */
            dhcp-local-server {
                group dhcpgroup {
                    interface irb.10;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            /* NOTE(review): public NTP pool names have the form us.pool.ntp.org;
               confirm this hostname is intended, otherwise time sync will not
               succeed. */
            server us.ntp.pool.org;
        }
    }
    chassis {
        /* Two ae (LAG) interfaces reserved; none is configured under interfaces below. */
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    security {
        /* All ALGs disabled: the SRX opens no protocol-aware pinholes for these applications. */
        alg {
            dns disable;
            ftp disable;
            h323 disable;
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            rtsp disable;
            sccp disable;
            sip disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        /* Screen profile untrust-screen is defined but no security-zone below
           references it, so these checks are not active on any interface. */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        /* Interface-based source NAT for DMZ and Internal toward Internet
           (ge-0/0/0's 10.20.30.2 address). */
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone [ DMZ Internal ];
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        /* Every policy in this section is any/any/any permit, including
           Internet->DMZ and Internet->Internal; inbound traffic that is
           routable to the LAN is not filtered at all. Acceptable in an isolated
           lab, not on a real edge. Policies are first-match, so the second
           policy in each zone pair is shadowed and never matches. */
        policies {
            from-zone Internet to-zone DMZ {
                policy All_Internet_DMZ {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                /* Shadowed by All_Internet_DMZ above (identical match). */
                policy alllow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone DMZ to-zone Internet {
                policy alllow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                /* Policy names here and below do not describe their
                   direction (allow_internet_to_dmz under Internal->Internet,
                   allow_lan_to_dmz under DMZ->Internal), which makes the
                   rulebase hard to audit. */
                policy allow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy allow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone DMZ {
                policy All_Internal_DMZ {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy allow_lan_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone DMZ to-zone Internal {
                policy allow_lan_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            /* Root cause of the symptoms in reply 5: Internal and DMZ hold no
               interfaces, so irb.10 is zone-less and the SRX flow engine drops
               the LAN's traffic and DHCP requests regardless of the any/any
               policies above. Reply 6 adds irb.10 to Internal with host-inbound
               dhcp. */
            security-zone Internal;
            security-zone DMZ;
            /* host-inbound-traffic all/all on the upstream interface exposes every
               configured management service (ssh, https web-management,
               xnm-clear-text) to the Internet zone. In this lab that zone is the
               private 10.20.30.0/29 upstream; on a real edge limit it to the
               services actually needed and manage the device from Internal. */
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.20.30.2/29;
                }
            }
        }
        /* Both access ports are now members of vlan10 (the point raised in reply 4). */
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan10;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan10;
                    }
                }
            }
        }
        /* Routed interface for vlan10; the LAN default gateway handed out by DHCP below. */
        irb {
            unit 10 {
                family inet {
                    address 10.20.31.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.20.30.1;
        }
    }
    access {
        address-assignment {
            pool jdhcppool {
                family inet {
                    /* Pool prefix is now the network address (reply 3 had 10.20.31.1/24). */
                    network 10.20.31.0/24;
                    range jdhcppool {
                        low 10.20.31.100;
                        high 10.20.31.200;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            10.20.31.1;
                        }
                    }
                }
            }
        }
    }
    vlans {
        /* irb.10 is vlan10's routed (L3) interface. */
        vlan10 {
            vlan-id 10;
            l3-interface irb.10;
        }
    }



  • 6.  RE: SRX320, single lan accessed on two ports
    Best Answer

    Posted 11-09-2018 02:28

    Please add the irb.10 interface to a security zone and allow host-inbound traffic so DHCP is permitted:

    # Reply 6 (accepted answer): put irb.10 into zone Internal and permit traffic
    # destined to the SRX itself on that zone, which is what the DHCP server needs.
    # `system-services all` is broader than required; `system-services dhcp` is
    # sufficient for DHCP, and that narrower form is what the poster used in the
    # final working config.
    set security zones security-zone Internal host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces irb.10

     



  • 7.  RE: SRX320, single lan accessed on two ports

    Posted 11-09-2018 04:10

    Thank you. It is working perfectly; here is my test config for anyone who might need it


    @Nellikka wrote:

    Please add irb.10 interfaces to Security Zone  and allow host-inbound traffic to allow dhcp

    set security zones security-zone Internal host-inbound-traffic system-services all
    set security zones security-zone Internal interfaces irb.10

     



    :

     

    ## Last changed: 2018-11-09 11:08:45 GMT+1
    /* Reply 7: working configuration after adding irb.10 to zone Internal
       (reply 6). The unused DMZ zone, its NAT source and its policies were
       removed. Posted as a lab reference; see the notes on the Internet zone
       and the Internet->Internal policy before reusing it on a real edge. */
    version 15.1X49-D150.2;
    system {
        host-name ALPSWALL_TEST;
        time-zone GMT+1;
        root-authentication {
            /* NOTE(review): a Junos encrypted-password is a hash ($1$/$5$/$6$...);
               this literal is presumably a placeholder inserted before posting. */
            encrypted-password "greatpassword";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            /* xnm-clear-text is the unencrypted JUNOScript (XML-RPC) management
               service. With the Internet zone below admitting all system-services
               on ge-0/0/0.0, it is reachable from the upstream side; xnm-ssl or
               NETCONF over ssh are the encrypted alternatives, or remove it. */
            xnm-clear-text;
            /* DHCP server bound to irb.10; irb.10 now sits in zone Internal with
               host-inbound dhcp, so requests are accepted. */
            dhcp-local-server {
                group dhcpgroup {
                    interface irb.10;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            /* NOTE(review): public NTP pool names have the form us.pool.ntp.org;
               confirm this hostname is intended, otherwise time sync (and the
               timestamps in the syslog files above) will not be correct. */
            server us.ntp.pool.org;
        }
    }
    chassis {
        /* Two ae (LAG) interfaces reserved; none is configured under interfaces below. */
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    security {
        /* All ALGs disabled: the SRX opens no protocol-aware pinholes for these applications. */
        alg {
            dns disable;
            ftp disable;
            h323 disable;
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            rtsp disable;
            sccp disable;
            sip disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        /* Screen profile untrust-screen is defined but no security-zone below
           references it (no `screen untrust-screen;` statement), so these
           checks are not active. Attaching it to zone Internet would make use
           of it. */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        /* Interface-based source NAT, now from Internal only, toward Internet
           (ge-0/0/0's 10.20.30.2 address). */
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            /* LAN to upstream: any/any/any permit, the usual outbound lab rule. */
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Upstream to LAN: any/any/any permit, under a name that suggests a
               DMZ rather than the Internal zone. Inbound reachability depends on
               upstream routing (there is no destination NAT in this config), but
               as written the firewall does not filter inbound traffic at all.
               For anything beyond an isolated lab, remove this policy or scope it
               to explicit destination addresses and applications. */
            from-zone Internet to-zone Internal {
                policy allow_internet_to_dmz {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            /* The fix from reply 6: irb.10 is now a zone member, and host-inbound
               traffic is limited to dhcp rather than the `all` suggested there.
               That narrower form is the better choice; if management from the LAN
               is wanted, add ssh/https explicitly instead of all. */
            security-zone Internal {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                    }
                }
                interfaces {
                    irb.10;
                }
            }
            /* host-inbound-traffic all/all on the upstream interface makes every
               configured management service (ssh, https web-management,
               xnm-clear-text) reachable from the Internet zone. In this lab that
               zone is the private 10.20.30.0/29 upstream; on a real edge limit
               this to the services actually needed (e.g. ping) and manage the
               device from Internal. */
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        /* Upstream link; default route below points to 10.20.30.1. */
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.20.30.2/29;
                }
            }
        }
        /* Two access ports in vlan10, one per downstream switch, sharing the
           single 10.20.31.0/24 LAN the original post asked for. */
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan10;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan10;
                    }
                }
            }
        }
        /* Routed interface for vlan10; the LAN default gateway handed out by DHCP below. */
        irb {
            unit 10 {
                family inet {
                    address 10.20.31.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.20.30.1;
        }
    }
    access {
        address-assignment {
            pool jdhcppool {
                family inet {
                    network 10.20.31.0/24;
                    range jdhcppool {
                        low 10.20.31.100;
                        high 10.20.31.200;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            10.20.31.1;
                        }
                    }
                }
            }
        }
    }
    vlans {
        /* irb.10 is vlan10's routed (L3) interface. */
        vlan10 {
            vlan-id 10;
            l3-interface irb.10;
        }
    }