SRX




  • 1.  ge-0/0/0 static IP + part of switch group?

    Posted 12-06-2021 19:55
    I want to set ge-0/0/0.0 as a static IP, but also have it in a group acting as a switch for members ge-0/0/0-6. Is this possible? So far I have:

    interface-range interfaces-internet {
        member ge-0/0/1;
        member ge-0/0/2;
        member ge-0/0/3;
        member ge-0/0/4;
        member ge-0/0/5;
        member ge-0/0/6;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-internet;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.2.3.4/24;
            }
        }
    }
    show vlans 
    vlan-internet {
        vlan-id 2;
    }
    


    But I think that just means I'll have to run a jumper from ge-0/0/0 to any of the interfaces ge-0/0/1-6, then hook another jumper from ge-0/0/1-6 to the internet? I want to hook a few other devices to the internet /24 without using another upstream switch. Is this possible?



  • 2.  RE: ge-0/0/0 static IP + part of switch group?
    Best Answer

     
    Posted 12-08-2021 18:21
    For this type of setup you would have all the physical ports be layer two in the same vlan.

    Then create a virtual layer 3 port for the ip address in the vlan.  Depending on the Juniper model the virtual interface is either vlan.# (old style ex/srx) or irb.# (mx style now used by all devices).

    In the vlans stanza you add the interface as the layer 3 interface:
    set vlans vlan-internet l3-interface irb.2
    (or vlan.2 if on an older device)

    Then configure that interface and unit under interfaces normally.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: ge-0/0/0 static IP + part of switch group?

    Posted 12-08-2021 05:39
    Okay, so I have something like:
    [edit interfaces]
    root# show 
    interface-range interfaces-trust {
        member ge-0/0/8;
        member ge-0/0/9;
        member ge-0/0/10;
        member ge-0/0/11;
        member ge-0/0/12;
        member ge-0/0/13;
        member ge-0/0/14;
        member ge-0/0/15;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    interface-range interfaces-internet {
        member ge-0/0/1;
        member ge-0/0/2;
        member ge-0/0/3;
        member ge-0/0/4;
        member ge-0/0/5;
        member ge-0/0/6;
        member ge-0/0/0;
        unit 2 {
            family ethernet-switching {
                vlan {
                    members vlan-internet;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 2 {
            family inet {
                address 1.2.3.4/24;
            }
        }
    }
    
    root# show vlans 
    vlan-internet {
        vlan-id 2;
        l3-interface vlan.2;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }


    This is on an SRX-240. Am I understanding what you're saying?




  • 4.  RE: ge-0/0/0 static IP + part of switch group?

     
    Posted 12-08-2021 05:42
    Yes, that would be the vlan and layer 3 configuration.

    On an SRX if you are still in normal firewall flow mode you will also need to add the layer 3 vlan.0 and vlan.1 interfaces to the desired security zone and then have the necessary security policy in place to allow the traffic as well.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: ge-0/0/0 static IP + part of switch group?

    Posted 12-08-2021 16:05
    I'm trying to commit the code and getting:
    commit check 
    [edit]
      'unit 2'
        Only unit 0 is valid for this encapsulation


    I'll build the zones and firewall rules too, once I get the switch group ge-0/0/0-6 defined with a static IP.




  • 6.  RE: ge-0/0/0 static IP + part of switch group?

    Posted 12-08-2021 16:05
    I got the error to stop by changing interfaces-internet to unit 0, so I now have:
    root# show interfaces
    interface-range interfaces-trust {
        member ge-0/0/8;
        member ge-0/0/9;
        member ge-0/0/10;
        member ge-0/0/11;
        member ge-0/0/12;
        member ge-0/0/13;
        member ge-0/0/14;
        member ge-0/0/15;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    interface-range interfaces-internet {
        member ge-0/0/1;
        member ge-0/0/2;
        member ge-0/0/3;
        member ge-0/0/4;
        member ge-0/0/5;
        member ge-0/0/6;
        member ge-0/0/0;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-internet;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 2 {
            family inet {
                address 1.2.3.4/24;
            }
        }
    }
    
    [edit]
    root# show vlans
    vlan-internet {
        vlan-id 2;
        l3-interface vlan.2;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }

    Will this work?

    Also, when I tried to assign the untrust zone to the interfaces-internet vlan, it wouldn't let me:
    root# set security zones security-zone untrust interfaces int
                                                              ^
    invalid interface type in 'int' at 'int'
    root# set security zones security-zone untrust interfaces ?     
    Possible completions:
      <interface-unit>     Logical interface
      ge-0/0/0.0           Logical interface
      vlan                 
    [edit]
    root# set security zones security-zone untrust interfaces vlan 2
                                                                   ^
    syntax error.
    root# set security zones security-zone untrust interfaces vlan ?   
    Possible completions:
      <[Enter]>            Execute this command
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > host-inbound-traffic  
      |                    Pipe through a command
    [edit]
    root# set security zones security-zone untrust interfaces vlan int
                                                                   ^
    syntax error.
    root# ...rity-zone untrust interfaces vlan interfaces-internet                
                                               ^
    syntax error.

    So I'm not sure what to call the logical interfaces, or how to refer to them via vlan.




  • 7.  RE: ge-0/0/0 static IP + part of switch group?

    Posted 12-08-2021 16:07
    I figured that out; I had to use interface vlan.2, and then the commit check passed. Does my config look sane now? I will try to test.


  • 8.  RE: ge-0/0/0 static IP + part of switch group?

     
    Posted 12-08-2021 16:11
    Yes, it looks like it is on the right track.  The default policies already in place for the trust and untrust zones will apply to these new interface groups once the vlan.0 and vlan.2 interfaces are assigned to those zones.

    Naturally, you can customize or change security policy too.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
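
An added sanity check, written for this thread and not taken from any poster or from Juniper: given a Junos configuration in "set" form, it flags the three things the thread turned on, namely a vlan whose l3-interface has no family inet unit, an L3 vlan interface not placed in any security zone (the flow-mode requirement raised in replies 4 and 8), and a physical port that is both a member of an ethernet-switching interface-range and carries its own address (the original question). The sample configuration is constructed from the thread's final config and is not a verbatim copy of it.

```python
import re

# Constructed sample, not copied from the thread: the final config from
# post 6 in "set" form, plus the original post's standalone ge-0/0/0
# address, with vlan.0 deliberately left out of any security zone.
SAMPLE_CONFIG = """
set interfaces interface-range interfaces-internet member ge-0/0/0
set interfaces interface-range interfaces-internet unit 0 family ethernet-switching vlan members vlan-internet
set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 2 family inet address 1.2.3.4/24
set vlans vlan-internet vlan-id 2
set vlans vlan-internet l3-interface vlan.2
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set security zones security-zone untrust interfaces vlan.2
"""

def audit_l3_vlans(config):
    """Return findings for a 'set'-style Junos config (irb.N is handled like vlan.N)."""
    l3 = {}             # vlan name -> its l3-interface
    inet_units = set()  # logical interfaces that carry family inet
    zoned = set()       # logical interfaces assigned to a security zone
    members = {}        # interface-range name -> physical member ports
    switching = set()   # interface-ranges configured for ethernet-switching
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"set vlans (\S+) l3-interface (\S+)", line):
            l3[m[1]] = m[2]
        elif m := re.match(r"set interfaces (\S+) unit (\d+) family inet\b", line):
            inet_units.add(f"{m[1]}.{m[2]}")
        elif m := re.match(r"set security zones security-zone \S+ interfaces (\S+)", line):
            zoned.add(m[1])
        elif m := re.match(r"set interfaces interface-range (\S+) member (\S+)", line):
            members.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"set interfaces interface-range (\S+) unit \d+ family ethernet-switching", line):
            switching.add(m[1])
    findings = []
    for vlan, ifl in sorted(l3.items()):
        if ifl not in inet_units:
            findings.append(f"{vlan}: l3-interface {ifl} has no family inet unit")
        if ifl not in zoned:  # in flow mode an un-zoned L3 interface passes no traffic
            findings.append(f"{vlan}: {ifl} is not assigned to any security zone")
    # A port in a switching range cannot also carry its own inet address (the original question).
    for rng in sorted(switching):
        for phys in sorted(members.get(rng, ())):
            for ifl in sorted(inet_units):
                if ifl.rsplit(".", 1)[0] == phys:
                    findings.append(f"{phys}: member of switching range {rng} but {ifl} has family inet")
    return findings
```

Run `audit_l3_vlans` over `show configuration | display set` output; an empty list means every L3 vlan interface has an address and a zone and no switched port doubles as a routed one.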