
Secure-access-port questions....

  • 1.  Secure-access-port questions....

    Posted 09-26-2018 12:54
    I have an SRX240B2. I have chosen to try the secure-access-port option for the ports that I use. They are ge-0/0/1.0 to ge-0/0/15.0. I know that I want to use them on those ports. My question is: if I use this option on port ge-0/0/0.0, will it be a waste of code? I use port ge-0/0/0.0 for my modem (WAN) connection. It is DHCP enabled. Will the SRX utilize the MAC attributes from the modem? I assume that NAT will take care of the MAC attributes from the external. Should I turn on secure-access-port on the ge-0/0/0.0 port?

  • 2.  RE: Secure-access-port questions....
    Best Answer

    Posted 09-26-2018 20:21

    Hi Eugene


    If ge-0/0/0.0 is DHCP enabled then it is an L3 interface (family inet), and you cannot use secure-access-port on an L3 interface, only on L2 interfaces (family ethernet-switching).

    If you configure an L3 interface under the [edit ethernet-switching-options secure-access-port interface ] hierarchy and this interface is family inet, the SRX will report an error upon commit stating that the L3 interface doesn't exist. See below:



    root@SRX1# show interfaces
    fe-0/0/3 {
        unit 0 {
            family inet;
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }



    We include both interfaces under secure-access-port:



    root@SRX1# show ethernet-switching-options
    secure-access-port {
        interface fe-0/0/3.0 {
            mac-limit 1 action log;
        }
        interface fe-0/0/4.0 {
            mac-limit 1 action log;
        }
    }


    Upon commit you will receive an error that the L3 interface (fe-0/0/3) doesn't exist:


    root@SRX1# commit check
    [edit ethernet-switching-options secure-access-port]
      'interface fe-0/0/3.0'
        Interface fe-0/0/3.0 not found
    error: configuration check-out failed

    Only when we remove the L3 interface does the commit work:


    root@SRX1# delete ethernet-switching-options secure-access-port interface fe-0/0/3.0
    root@SRX1# commit check
    configuration check succeeds

    I hope the above info is helpful.
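
An added example, not part of the thread and not Juniper tooling: an offline pre-check in Python that reads a curly-brace configuration export and lists every interface under secure-access-port whose unit is not family ethernet-switching, the condition behind the "Interface fe-0/0/3.0 not found" error in the answer above. The sample configuration is constructed from the answer's two interfaces, the function names are hypothetical, and interface-range, groups and comments are assumed absent.

```python
import re

# Constructed sample (not from a real device): the two interfaces from the
# answer, written compactly with their closing braces.
SAMPLE_CONFIG = """
interfaces {
    fe-0/0/3 { unit 0 { family inet; } }
    fe-0/0/4 { unit 0 { family ethernet-switching; } }
}
ethernet-switching-options {
    secure-access-port {
        interface fe-0/0/3.0 { mac-limit 1 action log; }
        interface fe-0/0/4.0 { mac-limit 1 action log; }
    }
}
"""

def parse_junos(text):
    """Parse curly-brace config into nested dicts; leaf statements map to {}."""
    root = {}
    stack = [root]
    for tok in re.findall(r"[^{};]+[{;]|\}", text):
        if tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
            continue
        child = stack[-1].setdefault(" ".join(tok[:-1].split()), {})
        if tok.endswith("{"):          # a block opens; ';' marks a leaf
            stack.append(child)
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root

def non_l2_secure_ports(cfg):
    """List secure-access-port interfaces lacking family ethernet-switching."""
    interfaces = cfg.get("interfaces", {})
    sap = cfg.get("ethernet-switching-options", {}).get("secure-access-port", {})
    bad = []
    for key in sap:
        parts = key.split()
        if len(parts) < 2 or parts[0] != "interface" or parts[1] == "all":
            continue                   # skip non-interface statements and 'all'
        ifd, _, unit = parts[1].partition(".")
        families = interfaces.get(ifd, {}).get(f"unit {unit or '0'}", {})
        if "family ethernet-switching" not in families:
            bad.append(parts[1])       # L3 or undefined: commit check would fail
    return bad
```

Calling `non_l2_secure_ports(parse_junos(SAMPLE_CONFIG))` flags fe-0/0/3.0, the same interface the commit check rejected.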



  • 3.  RE: Secure-access-port questions....

    Posted 09-27-2018 04:02

    I realize it is simple enough to try the code first. My environment is a harsh location. This is why.

    My version is 11.47xxx , the output was...


    There were error(s) delivering the configuration.

    'interface ge-0/0/0.0'

    1) Interface ge-0/0/0.0 not found
    2) configuration check-out failed


    thx for the help. Knowing a little more info helped.

  • 4.  RE: Secure-access-port questions....

    Posted 09-27-2018 09:02

    You are very welcome Eugene, thanks for marking the post as resolved!