Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  First time setting up from scratch - looking for help

    Posted 11-11-2018 12:42

    Hey everyone,

     

    I've acquired an SRX100 firewall and EX-2200C switch for my home lab - and I am looking for some guidance.  I support these on my network at work, but I've never gotten to go through initial configuration myself.

     

    Currently, I am working with the SRX100.  I am looking to set it up as follows:

    192.168.100.0/24 = supernet

    192.168.100.1/26 = vlan-trust

    192.168.100.64/26 = vlan-iot

    192.168.100.129 = vlan-guest

    set vlans vlan-guest vlan-id 20
    set vlans vlan-guest l3-interface vlan.2
    set vlans vlan-iot vlan-id 10
    set vlans vlan-iot l3-interface vlan.1
    set vlans vlan-trust vlan-id 30
    set vlans vlan-trust l3-interface vlan.0

    set interfaces fe-0/0/0 unit 0
    set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-iot
    set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces vlan unit 0 description "default vlan"
    set interfaces vlan unit 0 family inet address 192.168.100.1/26
    set interfaces vlan unit 1 description "IOT vlan"
    set interfaces vlan unit 1 family inet address 192.168.100.65/26
    set interfaces vlan unit 2 description "guest vlan"
    set interfaces vlan unit 2 family inet address 192.168.100.129/26

    Each of these vlans / interfaces is tied to a different security zone:

    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic system-services dhcp
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
    set security zones security-zone iot-devices host-inbound-traffic system-services dhcp
    set security zones security-zone iot-devices host-inbound-traffic system-services ping
    set security zones security-zone iot-devices host-inbound-traffic protocols all
    set security zones security-zone iot-devices interfaces vlan.1
    set security zones security-zone guest host-inbound-traffic system-services dhcp
    set security zones security-zone guest host-inbound-traffic protocols all
    set security zones security-zone guest interfaces vlan.2
    

    However, when I plug my PC into fe-0/0/1 - and I am on vlan-iot - I cannot ping the gateway.  I get the proper DHCP address, but why can I not ping 192.168.100.64?

     

    Thanks

    Steve

     



  • 2.  RE: First time setting up from scratch - looking for help
    Best Answer

     
    Posted 11-11-2018 13:36
    Are you really pinging .64 and not .65? Also do yourself a favor and match your vlan unit numbers to your vlan ids—it’s less confusing. And explicitly define all vlans—skip vlan 0.
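
Added example, not part of the original thread: a Python check that reads the VLAN and addressing `set` lines from the question, reports what role a ping target plays in its /26 (gateway, network address, broadcast or host), and lists VLANs whose l3-interface unit number differs from the vlan-id. The function names (`parse`, `classify`, `unit_id_mismatches`) are hypothetical, and the parser only handles the three statement forms shown in the sample.

```python
import ipaddress
import re

# Constructed sample: the VLAN and addressing `set` lines from the question above.
CONFIG = """\
set vlans vlan-guest vlan-id 20
set vlans vlan-guest l3-interface vlan.2
set vlans vlan-iot vlan-id 10
set vlans vlan-iot l3-interface vlan.1
set vlans vlan-trust vlan-id 30
set vlans vlan-trust l3-interface vlan.0
set interfaces vlan unit 0 family inet address 192.168.100.1/26
set interfaces vlan unit 1 family inet address 192.168.100.65/26
set interfaces vlan unit 2 family inet address 192.168.100.129/26
"""

def parse(config):
    """Map each VLAN name to its vlan-id, l3 unit and interface address."""
    vlans, addrs = {}, {}
    for line in config.splitlines():
        if m := re.match(r"set vlans (\S+) vlan-id (\d+)", line):
            vlans.setdefault(m[1], {})["id"] = int(m[2])
        elif m := re.match(r"set vlans (\S+) l3-interface vlan\.(\d+)", line):
            vlans.setdefault(m[1], {})["unit"] = int(m[2])
        elif m := re.match(r"set interfaces vlan unit (\d+) family inet address (\S+)", line):
            addrs[int(m[1])] = ipaddress.ip_interface(m[2])
    for v in vlans.values():
        v["iface"] = addrs.get(v.get("unit"))
    return vlans

def classify(target, vlans):
    """Describe what role `target` plays in the configured VLAN subnets."""
    ip = ipaddress.ip_address(target)
    for name, v in vlans.items():
        iface = v["iface"]
        if iface is not None and ip in iface.network:
            roles = {iface.ip: "gateway", iface.network.network_address: "network address",
                     iface.network.broadcast_address: "broadcast address"}
            hint = "" if ip == iface.ip else f", gateway is {iface.ip}"
            return f"{name}: {roles.get(ip, 'host address')}{hint}"
    return "not in any configured VLAN subnet"

def unit_id_mismatches(vlans):
    """VLANs whose l3-interface unit number differs from their vlan-id."""
    return sorted(n for n, v in vlans.items() if v.get("id") != v.get("unit"))

if __name__ == "__main__":
    for t in ("192.168.100.64", "192.168.100.65"):
        print(t, "->", classify(t, parse(CONFIG)))
    print("unit/id mismatch:", unit_id_mismatches(parse(CONFIG)))
```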


  • 3.  RE: First time setting up from scratch - looking for help

    Posted 11-12-2018 06:17

    Thank you.  I was so focused on the config being the issue, I wasn't thinking. 

     

    .65 was the way to go.  Thanks for the advice on vlan unit/id.

     

    Steve