Routing

  • 1.  Getting started with SRX but having issues with VLAN + NAT + DHCP

    Posted 05-06-2021 04:21

    Hello,

    I'm just getting started with SRX (I have some experience with the EX line), but I have some issues setting up an interface which is set in VLAN access mode and having DHCP + NAT enabled on that interface. Following is my config:

    version 20.4R1-S1.2;
    system {
        host-name CM_TEST;
        root-authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        services {
            ssh {
                root-login allow;
                protocol-version v2;
            }
            netconf {
                ssh;
            }
            dhcp-local-server {
                group MGMT {
                    interface irb.310;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        time-zone UTC;
        authentication-order [ radius password ];
        name-server {
            1.1.1.1;
            1.0.0.1;
        }
        radius-server {
            10.10.8.109 secret ""; ## SECRET-DATA
        }
        syslog {
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        ntp {
            server 193.190.147.153;
        }
    }
    chassis {
        alarm {
            management-ethernet {
                link-down ignore;
            }
        }
    }
    security {
        nat {
            source {
                rule-set Local-To-WAN {
                    from zone trust;
                    to zone untrust;
                    rule SNAT-WAN {
                        match {
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                        https;
                        ping;
                        ssh;
                        ike;
                        traceroute;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.310;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members VLAN_MGMT;
                    }
                }
            }
        }
        irb {
            unit 310 {
                family inet {
                    address 10.33.6.1/28;
                }
            }
        }
    }
    access {
        address-assignment {
            pool MGMT {
                family inet {
                    network 10.33.6.0/28;
                    range MGMT_RANGE {
                        low 10.33.6.2;
                        high 10.33.6.14;
                    }
                    dhcp-attributes {
                        maximum-lease-time 14400;
                        name-server {
                            1.1.1.1;
                            1.0.0.1;
                        }
                        router {
                            10.33.6.1;
                        }
                    }
                }
            }
        }
    }
    protocols {
        lldp {
            interface all;
        }
        lldp-med {
            interface all;
        }
    }
    vlans {
        VLAN_MGMT {
            vlan-id 310;
            l3-interface irb.310;
        }
    }


    committing this gives the error:

    [edit security zones security-zone trust]
      'interfaces irb.310'
        Interface irb is not allowed in mix mode
    error: configuration check-out failed


    When changing that interface to ge-0/0/1.0 this works, but I get an issue on the NAT config:

    [edit security nat source rule-set Local-To-WAN]
      'from'
        From zone can not be a L2 zone.

    I would like to use this VLAN structure, as it allows me to bridge the VLAN to another interface as well. Setting the VLAN directly on the interface like the following does not allow me to do that, right?

    ge-0/0/1 {
        vlan-tagging;
        unit 0 {
            vlan-id 310;
            family inet {
                address 10.33.6.1/28;
            }
        }
    }

    I read this on SRX mixed mode, but I am unsure how I would be able to have one VLAN coming out of multiple interfaces with DHCP + NAT support.



    ------------------------------
    Gianni Stubbe
    ------------------------------



  • 2.  RE: Getting started with SRX but having issues with VLAN + NAT + DHCP

    Posted 05-06-2021 05:58
    Sounds like you really don't need mixed mode or any of the layer 2 mode security features.  These are used when you need to insert the SRX at layer 2 and not with routing layer 3 between devices.  These are generally used to isolate a device within a subnet for higher security.

    When you use mixed mode you have zones that are for communication within a layer 2 domain and normal layer 3 zones and you cannot mix them in policy.

    Once you move out of mixed mode, you don't need to declare access port for an untagged interface connected to a vlan.  There are two options for the layer 3 interface. 

    If this is a dedicated layer 3 port for that vlan you just add family inet address and the SRX is now the gateway for the vlan.

    If you need multiple untagged ports, the irb interface is created and all the interfaces are bridged with that l3 interface under vlans.  Only the irb interface needs to be added to the security zone.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
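    The two options described in the reply above, written out in Junos set syntax as an added example (not config from the original post, from Steve, or from Juniper). ge-0/0/2 as a second access port, ge-0/0/3 and 10.33.7.0/28 for the dedicated layer 3 port, and the policy name allow-out are assumptions; the remaining names and addresses mirror the posted config.

    ```junos
    ## Option A: several untagged ports bridged into one VLAN, irb.310 as the gateway.
    ## ge-0/0/2 is an assumed second access port; the rest mirrors the original post.
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN_MGMT
    set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members VLAN_MGMT
    set interfaces irb unit 310 family inet address 10.33.6.1/28
    set vlans VLAN_MGMT vlan-id 310
    set vlans VLAN_MGMT l3-interface irb.310
    ## Only the irb goes into the zone; the access ports are never listed there.
    set security zones security-zone trust interfaces irb.310
    ## The SRX must accept DHCP on the zone for dhcp-local-server to answer clients.
    set security zones security-zone trust host-inbound-traffic system-services dhcp
    set system services dhcp-local-server group MGMT interface irb.310
    ## Source NAT keys off the layer 3 zones, not the switching ports.
    set security nat source rule-set Local-To-WAN from zone trust
    set security nat source rule-set Local-To-WAN to zone untrust
    set security nat source rule-set Local-To-WAN rule SNAT-WAN match destination-address 0.0.0.0/0
    set security nat source rule-set Local-To-WAN rule SNAT-WAN then source-nat interface
    ## The posted config has no security policy; without one the SRX drops trust->untrust traffic.
    set security policies from-zone trust to-zone untrust policy allow-out match source-address any
    set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
    set security policies from-zone trust to-zone untrust policy allow-out match application any
    set security policies from-zone trust to-zone untrust policy allow-out then permit

    ## Option B: a dedicated layer 3 port for one VLAN; no ethernet-switching and no irb.
    ## ge-0/0/3 and 10.33.7.0/28 are assumed values.
    set interfaces ge-0/0/3 unit 0 family inet address 10.33.7.1/28
    set security zones security-zone trust interfaces ge-0/0/3.0
    ```

    Use one option per VLAN: a port that carries family ethernet-switching cannot also carry family inet, so the irb is the only way to give a multi-port VLAN a single gateway address.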



  • 3.  RE: Getting started with SRX but having issues with VLAN + NAT + DHCP

    Posted 05-06-2021 09:30
    Thanks for the reply. It seems this was an issue with the vSRX image I was using in GNS3, and I do not see the issue on hardware (SRX345).

    ------------------------------
    Gianni Stubbe
    ------------------------------