
How to configure multiple SRX210 devices for SSH

  • 1.  How to configure multiple SRX210 devices for SSH

    Posted 06-03-2021 11:54
    Hello All,

    this is my first post to this forum so please let me know if I overstep or should have posted this question somewhere else.  I have recently bought several second-hand SRX210 devices to give me some real hardware to play with before embarking on some Juniper exams.  I've successfully configured a single OSPF area and routed traffic between nodes as well as, more recently, configured them to perform L2 switching and L3 VLAN routing. I could even route between the loopback interfaces and ssh to each device both directly and from one another as the OSPF routing table seemed to include the loopback interfaces too.

    The VLAN stuff has several VLANs set up and configured and then IRB (although it seems to not be called that on these older devices) so that the traffic can be routed between the VLANs.  I've also configured a LAG using the two GE ports on each SRX device and I've got traffic (ICMP) flowing between the ports.

    All of this configuration has been completed with me plugged into the console port of the SRX and having multiple serial sessions open at the same time.  What I'd like to be able to do is have each SRX with its own IP address that I can use to either directly SSH onto a device or hop from one CLI to the next by issuing an SSH command from within the SRX itself.

    The problem is I don't know where to start with this.  The loopback ports don't seem to do what I want in this config as there is no route due to the ports being configured as ethernet-switching and I can't find any information on how to set a device IP address.

    I can share the config if it'll help but if anyone has any pointers to get me started I'd be most appreciative.

    Thanks in advance.

    ------------------------------
    JASON JAMES
    ------------------------------


  • 2.  RE: How to configure multiple SRX210 devices for SSH

    Posted 06-03-2021 20:11
    You will need to enable ssh under system.

    set system services ssh

    To reach the loopback address your computer will need a route that includes hitting the SRX.
    You can also ssh to the interface ip in the vlan your computer is connected to.

    If the SRX is in "flow mode" as an active firewall and not "packet mode" as a router, you will also need to enable ssh for the zone you are entering from.

    set security zones security-zone Trust host-inbound-traffic system-services all (or specific services like ssh)



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: How to configure multiple SRX210 devices for SSH

    Posted 06-05-2021 02:14
    Steve,

    many thanks.  I think I have that covered off in my config now but there are still some things I can't get straight in my head.

    Firstly, each of my two SRX devices has a different lo0 address (1.1.1.1 & 1.1.1.2 respectively) but since all the ports are switch ports, not routed ports as shown below in my interfaces configuration, how can I establish a route between 1.1.1.1/32 and 1.1.1.2/32?

    interfaces {
        ge-0/0/0 {
            gigether-options {
                802.3ad ae0;
            }
        }
        ge-0/0/1 {
            gigether-options {
                802.3ad ae0;
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching { 
                    vlan {
                        members vlan-home;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-home;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-home;
                    }
                }
            }                               
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-work;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-work;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {                  
                        members vlan-work;
                    }
                }
            }
        }
        ae0 {
            aggregated-ether-options {
                minimum-links 1;
                lacp {
                    active;
                    periodic fast;
                }
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-home vlan-work vlan-fam ];
                    }
                }
            }
        }
        lo0 {                               
            unit 0 {
                family inet {
                    address 1.1.1.1/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 10 {
                family inet {
                    address 192.168.10.1/24;
                }
            }
            unit 20 {
                family inet {
                    address 192.168.20.1/24;
                }
            }
            unit 30 {                       
                family inet {
                    address 192.168.30.1/24;
                }
            }
            unit 99 {
                family inet {
                    address 192.168.99.1/24;
                }
            }
        }
    }


    Secondly, and this behaviour is very strange: I can't ssh from the cli of 1.1.1.1 to 1.1.1.2, but if I use something like PuTTY to ssh to 192.168.10.1 (the IP address of vlan.10), even though my PC is physically connected to my SRX named R3, the CLI shows up for SRX R4?

    Anything else you think I should be looking at?  I've appended my full config for R3 below in case I've missed anything.

    ## Last commit: 2021-06-05 05:42:55 UTC by root
    version 12.1X46-D55.3;
    system {
        host-name R3;
        root-authentication {
            encrypted-password "$1$ENl66cQh$4Eg/uWocouzZOTMs4oqy6/"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        services {
            ssh {
                root-login allow;
                protocol-version v1;
            }
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface vlan.10;
                }
                https {
                    system-generated-certificate;
                    interface vlan.10;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }                               
        }
    }
    chassis {
        aggregated-devices {
            ethernet {
                device-count 2;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            gigether-options {
                802.3ad ae0;
            }
        }
        ge-0/0/1 {
            gigether-options {
                802.3ad ae0;
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching { 
                    vlan {
                        members vlan-home;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-home;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-home;
                    }
                }
            }                               
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-work;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-work;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {                  
                        members vlan-work;
                    }
                }
            }
        }
        ae0 {
            aggregated-ether-options {
                minimum-links 1;
                lacp {
                    active;
                    periodic fast;
                }
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-home vlan-work vlan-fam ];
                    }
                }
            }
        }
        lo0 {                               
            unit 0 {
                family inet {
                    address 1.1.1.1/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 10 {
                family inet {
                    address 192.168.10.1/24;
                }
            }
            unit 20 {
                family inet {
                    address 192.168.20.1/24;
                }
            }
            unit 30 {                       
                family inet {
                    address 192.168.30.1/24;
                }
            }
            unit 99 {
                family inet {
                    address 192.168.99.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;              
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {              
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                permit-all;                 
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    vlan.10;
                    vlan.20;
                    vlan.30;
                    vlan.99;
                }
            }
            security-zone untrust {
                screen untrust-screen;
            }                               
        }
    }
    vlans {
        vlan-fam {
            vlan-id 30;
            l3-interface vlan.30;
        }
        vlan-home {
            vlan-id 10;
            l3-interface vlan.10;
        }
        vlan-mgt {
            vlan-id 99;
            l3-interface vlan.99;
        }
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
        vlan-work {
            vlan-id 20;
            l3-interface vlan.20;
        }                                   
    }

    Thanks in advance.



    ------------------------------
    JASON JAMES
    ------------------------------



  • 4.  RE: How to configure multiple SRX210 devices for SSH

    Posted 06-05-2021 16:48
    I think I finally sorted the IP address issue for multiple devices.  By mistake I set up the IP address of the management vlan to be the same on all devices, just as one would if it were the gateway address for a particular vlan.  When I set the vlan.99 (vlan-mgt) to be different on each device I found I was able to connect to them all, either via separate PuTTY sessions or from SRX to SRX via the SSH cli command.

    One device is still behaving strangely and the connection seems to time out very quickly, but I'm investigating that and wonder if it's something to do with the JUNOS version.  The two devices have different OS versions and since the devices are second hand I don't know of a way to obtain an OS image that I can upload to each of my appliances.  Any thoughts?

    Thanks again.

    ------------------------------
    JASON JAMES
    ------------------------------
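As an added example (not part of the thread, and not Juniper's own documentation), the set commands that tie together Steve's two points in post 2, the SSH stanza shown in Jason's R3 config in post 3 (SSHv1, root login allowed, telnet and xnm-clear-text also enabled), and the per-device management address fix from post 4. It assumes R4 uses 1.1.1.2 on lo0 and 192.168.99.2/24 on vlan.99, and that vlan-mgt is carried across the ae0 trunk; the hostnames and addresses for R4 are assumptions, not taken from the thread.

```junos
## R3 configuration mode (assumed commands; R4 mirrors them with its own addresses)

## 1. SSH hardening: keep only SSHv2, refuse direct root login, and drop the
##    clear-text management services that sit beside ssh in the posted config.
delete system services telnet
delete system services xnm-clear-text
delete system services ssh protocol-version v1
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 5

## 2. Flow mode (Steve's second point): admit only the management services
##    the trust zone needs instead of "system-services all".
delete security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
## Keep https only if J-Web on vlan.10 is still wanted; http stays blocked.
set security zones security-zone trust host-inbound-traffic system-services https

## 3. Unique management address per device on vlan.99 (post 4's fix).
##    R3 keeps 192.168.99.1/24; on R4 use 192.168.99.2/24 instead.
set interfaces vlan unit 99 family inet address 192.168.99.1/24

## 4. Static route so lo0 1.1.1.1 can reach lo0 1.1.1.2 over vlan-mgt
##    (Steve's first point: a route that hits the other SRX is required).
set routing-options static route 1.1.1.2/32 next-hop 192.168.99.2
## On R4 the mirror image is:
##   set routing-options static route 1.1.1.1/32 next-hop 192.168.99.1

commit check
commit and-quit

## Verification from operational mode on R3:
##   show configuration system services   -> ssh only, protocol-version v2, root-login deny
##   show route 1.1.1.2                   -> *[Static] via 192.168.99.2
##   ping 1.1.1.2 source 1.1.1.1 count 3
##   ssh 1.1.1.2 source 1.1.1.1           -> should land on R4's prompt, not R3's
```

Changing the host-inbound-traffic list is best done from the console rather than over SSH, since a mistake in step 2 locks out the session that made it until the commit is rolled back.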