SRX


Secure-access-port questions....

  • 1.  Secure-access-port questions....

    Posted 09-26-2018 12:54
    I have an SRX240B2. I have chosen to try the secure-access-port option for the ports that I use. They are ge-0/0/1.0 to ge-0/0/15.0. I know that I want to use them on those ports. My question is: if I use this option on port ge-0/0/0.0, will it be a waste of code? I use port ge-0/0/0.0 for my modem (WAN) connection. It is DHCP enabled. Will the SRX utilize the MAC attributes from the modem? I assume that NAT will take care of the MAC attributes from the external. Should I turn on secure-access-port on the ge-0/0/0.0 port?


  • 2.  RE: Secure-access-port questions....
    Best Answer

    Posted 09-26-2018 20:21

    Hi Eugene

     

    If ge-0/0/0.0 is DHCP enabled then it is an L3 interface (family inet), and you cannot use secure-access-port on an L3 interface, only on L2 interfaces (family ethernet-switching).

    If you configure an L3 interface under the [edit ethernet-switching-options secure-access-port interface] hierarchy and this interface is family inet, the SRX will report an error upon commit stating that the L3 interface doesn't exist. See below:

     

     

    root@SRX1# show interfaces
    fe-0/0/3 {
        unit 0 {
            family inet;
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    

     

     

    We include both interfaces under secure-access-port:

     

     

    [edit]
    root@SRX1# show ethernet-switching-options
    secure-access-port {
        interface fe-0/0/3.0 {
            mac-limit 1 action log;
            persistent-learning;
        }
        interface fe-0/0/4.0 {
            mac-limit 1 action log;
            persistent-learning;
        }
    }
    

     

    Upon commit you will receive an error that the L3 interface (fe-0/0/3) doesn't exist:

     

    [edit]
    root@SRX1# commit check
    [edit ethernet-switching-options secure-access-port]
      'interface fe-0/0/3.0'
        Interface fe-0/0/3.0 not found
    error: configuration check-out failed
    

    If we remove the L3 interface, then the commit works:

     

    [edit]
    root@SRX1# delete ethernet-switching-options secure-access-port interface fe-0/0/3.0
    
    [edit]
    root@SRX1# commit check
    configuration check succeeds
    

    I hope the above info is helpful.
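    Because the original poster cannot easily test on the box itself, here is an added example that is not part of the original posts and not Junos's own validator: a small Python linter that parses brace-style `show configuration` text and flags every interface listed under [edit ethernet-switching-options secure-access-port] whose logical unit is not family ethernet-switching, which is exactly the case the answer above shows Junos rejecting at commit check with "Interface ... not found". The SAMPLE_CONFIG, the function names and the generated `delete` remediation strings are constructed for this example; the interface names mirror the fe-0/0/3.0 / fe-0/0/4.0 case in the answer, and a DHCP WAN port such as ge-0/0/0.0 (family inet) would be flagged the same way.

```python
"""Pre-commit lint for Junos secure-access-port membership (added example).

Parses brace-style Junos configuration text, then flags any interface under
[edit ethernet-switching-options secure-access-port] whose logical unit is
not family ethernet-switching. Those entries are what Junos rejects at
commit check with "Interface ... not found".
"""

# Constructed sample mirroring the thread: fe-0/0/3.0 is L3 (family inet),
# fe-0/0/4.0 is L2 (family ethernet-switching), and both are listed under
# secure-access-port. Real input would be `show configuration` output.
SAMPLE_CONFIG = """
interfaces {
    fe-0/0/3 {
        unit 0 {
            family inet;
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
ethernet-switching-options {
    secure-access-port {
        interface fe-0/0/3.0 {
            mac-limit 1 action log;
            persistent-learning;
        }
        interface fe-0/0/4.0 {
            mac-limit 1 action log;
            persistent-learning;
        }
    }
}
"""


def parse_junos(text):
    """Parse brace-style Junos config into nested dicts.

    Containers ("foo {") become dicts; leaf statements ("foo bar;") become
    keys with value None. Handles 'show configuration' output, not set-style.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in configuration")
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced '{' in configuration")
    return root


def unit_families(config):
    """Map each logical interface ('fe-0/0/3.0') to the set of families on it."""
    result = {}
    for ifname, body in config.get("interfaces", {}).items():
        for key, unit_body in (body or {}).items():
            if not key.startswith("unit "):
                continue
            unit = key.split()[1]
            fams = {k.split()[1] for k in (unit_body or {}) if k.startswith("family ")}
            result[f"{ifname}.{unit}"] = fams
    return result


def check_secure_access_port(config):
    """Return [(interface, reason)] for secure-access-port entries Junos will reject."""
    families = unit_families(config)
    sap = config.get("ethernet-switching-options", {}).get("secure-access-port", {})
    problems = []
    for key in sap:
        if not key.startswith("interface "):
            continue  # e.g. 'vlan ...' stanzas live here too
        name = key.split()[1]
        if name == "all":
            continue  # 'interface all' applies to every L2 port; nothing to resolve
        fams = families.get(name)
        if fams is None:
            problems.append((name, "logical interface is not configured"))
        elif "ethernet-switching" not in fams:
            fam_list = ", ".join(sorted(fams)) or "none"
            problems.append((name, f"is L3 (family {fam_list}), not family ethernet-switching"))
    return problems


def remediation_commands(problems):
    """The 'delete' statements that make the commit check pass (as in the thread)."""
    return [f"delete ethernet-switching-options secure-access-port interface {name}"
            for name, _ in problems]


if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_CONFIG)
    found = check_secure_access_port(cfg)
    for name, reason in found:
        print(f"{name}: {reason}")
    for cmd in remediation_commands(found):
        print(cmd)
```

    Run it against the brace-style output of `show configuration` before you commit; it reports fe-0/0/3.0 as L3 and prints the same `delete` statement used in the answer. It only knows what the configuration says: a port that is physically present but has no `interfaces` stanza at all is reported as "not configured", and `interface all` is skipped because it resolves on the device rather than in the text.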

     

     



  • 3.  RE: Secure-access-port questions....

    Posted 09-27-2018 04:02

    I realize it is simple enough to try the code first. My environment is a harsh location. This is why.

    My version is 11.47xxx, and the output was:

     

    There were error(s) delivering the configuration.

    Error(s):
    'interface ge-0/0/0.0'

    1) Interface ge-0/0/0.0 not found
    2) configuration check-out failed

     

    Thanks for the help. Knowing a little more info helped.



  • 4.  RE: Secure-access-port questions....

    Posted 09-27-2018 09:02

    You are very welcome Eugene, thanks for marking the post as resolved!