SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Help! Configuring interface

    Posted 07-20-2011 10:38

    Hi:

     

    Could use some help on this one. I am new to the SRX Junos and doing a conversion from Netscreen.


    #vlan


  • 2.  RE: Help! Configuring interface

    Posted 07-20-2011 11:52

    For starters, you don't have any IP for your untrust interface, nor any routing configured.  That would certainly cause traffic to go nowhere.

     

    Beyond that, you've got a funky combination of using L3 and L2 interface configurations, which is a result of Junos letting you do things in more than one way but not preventing you from overlapping them and having silly results.

     

    You need a vlan interface for your untrust side, either from the "default" vlan or a new vlan that you define for untrust, and you need to set up your L3 interface with an IP and appropriate routing.

     

    You're assigning VLAN membership in multiple places.  Again, this is one of those kind of stupid things that Junos does...  I suggest you pick one -- either assign VLAN memberships under the interface configuration, or assign interfaces under the VLAN configuration -- but NOT both.  Otherwise, you're just asking for mass confusion at some point.

     

    Assign your L3 interfaces to your security zones, not your physical (L2) interfaces, so don't do this:

     

    security-zone trust {
      host-inbound-traffic {
        system-services {
          all;
        }
        protocols {
          all;
        }
      }
      interfaces {
        vlan.0;
        ge-0/0/2.0;
      }
    }

    Take the ge-0/0/2.0 out of there...

     

    There is a learning curve from ScreenOS to Junos, and Junos really *does* have a lot of stupid things that it does and it won't warn you if you do something odd in a lot of cases.

     

    Writing a complete config for you is a bit much to ask of a forum support group, but we can help with individual questions as you run into them.



  • 3.  RE: Help! Configuring interface

    Posted 07-20-2011 14:05

    keithr:

     

    Thanks for your feedback. There's only one part that I am having difficulty grasping is how configuring the untrust interface to :

     

    1) allow a multivlan

     

    and to assign those vlan respectively to an interface on the trust. That's it, in netscreen this was taken cared for me when i populated the untrust IP information. But it appears this is not the case for junos. Prior to this configuration (setting untrust as trunk) I had it set as inet protocol family and assigned it the ISP ip given to me. But that didn't work. Am i suppose to use inet and flag it with vlan-tagging or use trunk for the multivlan untrust?

     

     



  • 4.  RE: Help! Configuring interface

    Posted 07-20-2011 16:18

    touruni,

     

    I'm not entirely clear on what you're trying to accomplish.

     

    Security policies are applied when routing decisions are made.  If you do not have a L3 routing interface on your untrust interface, then security policies will have no effect through your firewall.  If all you want to do is switch your 2 VLANs for "servers" and "trust", then you'd be much better off with switch than an SRX firewall.

     

    Putting the ge-0/0/0.0 interface into family ethernet-switching and port-mode trunk allows for "multivlan", however the SRX doesn't quite work that way.

     

    You need a L3 interface on your untrust link, otherwise no security is applied.

     

    Perhaps you could post your ScreenOS config that you're trying to mimic so we can get a clearer idea of what you're looking for.



  • 5.  RE: Help! Configuring interface

    Posted 07-20-2011 20:56

    Hi keithr:

     

    Thanks for the information. I've been reading quite a bit of the manuals starting from the basics in the fast track series for the srx but i'm still very new to it. I only need help with the interface configuration and am greatly appreciative! I've attached the netscreen configuration that i'm trying to migrate. For obvious reasons i've removed a lot of the unnecessary entries.

     

    Essentially i'm just trying to configure my srx so that it'll take the multivlan (untrust) and assign each vlan from the untrust to individual interfaces, where each one will be going to a switch for hosts to connect to. The thing i'm having a hard time with is handling the untrust multivlan, there doesn't appear to be example configs on how to handle that. 

     

    Using my home ISP, its easy to just connect and even use the wizard. But the J-web wizard doesn't accommodate untrust multivlan, at least not when i tried. Then again maybe i'm looking at this all wrong and my head in some twilight zone. I could be making some very bad assumptions about how i think it should work. The configuration file should shed some light on how we got it configured and how we want it to mimic on the SRX.

     

    Thanks much for your help!



  • 6.  RE: Help! Configuring interface

    Posted 07-21-2011 12:00

    If you're not routing here, and want the VLANs that are coming in tagged from the SP to be the same L2 domain as the two VLANs you're assigning to the access ports, you need to be in transparent mode, which isn't supported on your platform yet. 



  • 7.  RE: Help! Configuring interface
    Best Answer

    Posted 07-21-2011 12:18

    Errr okay, after talking to you in IRC and finding out that your SP is not doing any sort of "multivlan", and just doing simple routing, here is a config that will work (lacking your security policies, of course):

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.249.194/30;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                }
            }
        }
        vlan
    	unit 10 {
    	    family inet {
    		address 192.168.194.126/26
    	    }
        	}
    	unit 20 {
    	    family inet {
    		address 192.168.121.254/24
    	    }
        	}
        }
    }
    routing-options {
       static {
    	route 0.0.0.0/0 next-hop 192.168.249.193;
       }
    }
    vlans {
        vlan-servers {
            description vlan-servers;
            vlan-id 10;
            interface {
                ge-0/0/1.0;
            }
            l3-interface vlan.10;
        }
        vlan-trust {
            description vlan-trust;
            vlan-id 20;
            interface {
                ge-0/0/2.0;
            }
            l3-interface vlan.20;
        }
    }

    Also made this:



  • 8.  RE: Help! Configuring interface

    Posted 07-22-2011 10:59

    Thanks IPv6Freely:

     

    I will tests the config and see if it works!

     

     



  • 9.  RE: Help! Configuring interface

    Posted 07-20-2011 11:58

    So from your design you need ge-0/0/0 to be a trunk port to pass other vlan's across the untrust interface correct ?

     

    Do you want just layer 2 vlan information to be passed or do you need RVI's/layer3 information ?

     

    because in your configuration has RVI's configured with no layer 3 information and wrong vlan numbers.

     

    another then for the server/vlan and trust vlan are you connecting them to host or switches ? Because you have the ports configured as access ports .

     

    WAN 

    ---------- (2 vlan - untrust ge0/0/0) ----> [ Juniper SRX 210H]

                                                                               |                     |

                                                                               |                     |

                                                                               |                     |

                                            (server vlan ge-0/0/1)                (trust vlan ge-0/0/2)

     

     

     

     

    vlans {
        vlan-servers {
            description vlan-servers;
            vlan-id 2;
            interface {
                ge-0/0/1.0;
            }
            l3-interface vlan.1;
        }
        vlan-trust {
            description vlan-trust;
            vlan-id 3;
            l3-interface vlan.0;

     

     

     

     

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan-servers vlan-trust default ];
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-servers;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-trust;



  • 10.  RE: Help! Configuring interface

    Posted 07-20-2011 13:13

    kontra:

     

    So from your design you need ge-0/0/0 to be a trunk port to pass other vlan's across the untrust interface correct ? 

    That's correct! ge-0/0/0 (multivlan) will be untrust.

     

    Do you want just layer 2 vlan information to be passed or do you need RVI's/layer3 information ?

    This would be layer 2 since it will be connecting to a switch

     

    another then for the server/vlan and trust vlan are you connecting them to host or switches ?

    The vlans coming from untrust will be going to an trust interface respectively, for each vlan.

     

     

    I used trunk as the untrust, since i read that it is used for carrying multiple vlans. And access ports to be used for individual vlan. Thanks!