SRX

All all,

When typing show security flow status, output says that SRX320 (branch level) is in packet mode.  I checked the current configuration and there is no any "delete security" statement. Secondly when typing sh security flow session, there is a high number of active sessions/flow occurs. If the SRX is in packet mode, why there is a flow sessions?

Second question is how to check current license on srx320  to make sure it is covered dynamic routing eBGP whilst the ebgp up and running without issus.

Another question is clients and IPphone are directly connected to Cisco switch and the switch directly connected via trunk port to srx320.  All L3 vlans sit on srx320.  On the LAN. the following there are.

 -Vlan100  -192.168.64/28

 -Vlan200  -192.168.80/28

 -Vlan300  -192.168.96/28

  -Vlan50 -10.10.50.0/24

We want to make Vlan100 restrict.  No any IP from other subnets should communicate  with any client(s) from the Vlan100, so Vlan100 has to be isolated. only they can communicate with specific servers at the data center.  how to achieve this case on the Srx320?

Thanks

A.

Hello Arix,

1. Can you share the entire output of "show security flow status" because it should not show "packet-mode" and have sessions at the same time?  Note that the SRX will act as packet-mode based on family (IPv4 or IPv6 etc.) As far as configuration is concerned, I would expect the line "set security forwarding-options family mpls mode packet-based" to be present for it to be acting as packet mode for IPv4 traffic.
2. On SRX devices, you do NOT need any licenses for running BGP (either External or Internal).  Having said that , you can use the following command to check all licenses on a SRX device : "show system license " .
3. If the requirement is to only allow selective traffic across vlan100 to other vlans, I would suggest you to keep the L3 interface with vlan 100 in a separate zone than others and then configure the security policies to only permit the communication with specific servers only.

Hope this helps!

All all,

When typing show security flow status, output says that SRX320 (branch level) is in packet mode.  I checked the current configuration and there is no any "delete security" statement. Secondly when typing sh security flow session, there is a high number of active sessions/flow occurs. If the SRX is in packet mode, why there is a flow sessions?

Second question is how to check current license on srx320  to make sure it is covered dynamic routing eBGP whilst the ebgp up and running without issus.

Another question is clients and IPphone are directly connected to Cisco switch and the switch directly connected via trunk port to srx320.  All L3 vlans sit on srx320.  On the LAN. the following there are.

 -Vlan100  -192.168.64/28

 -Vlan200  -192.168.80/28

 -Vlan300  -192.168.96/28

  -Vlan50 -10.10.50.0/24

We want to make Vlan100 restrict.  No any IP from other subnets should communicate  with any client(s) from the Vlan100, so Vlan100 has to be isolated. only they can communicate with specific servers at the data center.  how to achieve this case on the Srx320?

Thanks

A.

Hi TheDisciple,

Thanks for the reply.

1-) When I saw your reply, I re-double checked  and yes it had been in not packet mode....My mistake...Sorry about that.....I think you are right about what you pointed in your post....... am I right? Here the output...

> show security flow status   Flow forwarding mode:    Inet forwarding mode: flow based    Inet6 forwarding mode: drop    MPLS forwarding mode: drop    ISO forwarding mode: drop    Tap mode: disabled (default)    Enhanced route scaling mode: Disabled  Flow trace status    Flow tracing status: off  Flow session distribution    Distribution mode: RR-based    GTP-U distribution: Disabled    SCTP distribution: Enabled  Flow ipsec performance acceleration: off  Flow gre performance acceleration: off  Flow packet ordering    Ordering mode: Hardware  Flow power mode: Disabled  Flow power mode IPsec: Disabled  Flow power mode IPsec QAT: Disabled  Fat core group status: off  Flow inline fpga crypto: Disabled

2-) It doesn't say any thing about eBGP license in the following? but the BGP up and running on the box.  And also how about ospf?

> show system license License usage:                                  Licenses     Licenses    Licenses    Expiry  Feature name                       used    installed      needed   remote-access-ipsec-vpn-client        0            2           0    permanent  remote-access-juniper-std             0            2           0    permanentLicenses installed: none

3-) 

Physical and logical topology:

All L3 logical interfaces for the vlans sit on Juniper device.  Non-Juniper switch is a L2

Vlan100|200|300|50| ----------->non-Juniper switch(L2 device)-------1xTrunk Port---------->JuniperF/w(L3 device)--------ebgp------>ISP---------->DataCenter

The vlan100 has about 20 clients. And we want to make sure that those 20 clients in Vlan100 can communicate each other in local and communicate the  a few  servers in datacenter but definitely not communicate with other vlans (200|300|50) locally and remotely with other location's clients... we want to restrictly  isolate the vlan100 . 

----If the security policy is a solution, what the security policy configuration it is needed in line with your suggestion? Any proposal conf?

----A part from the security policy, what another solution can be? Any idea?

 4-) In future when concerning to have own mpls, what limitation would be coming up with  currently srx320 is up and runnning in flow mode and additionally does mpls feature require any license?

Thx,

A.

Hello Arix,

1. Can you share the entire output of "show security flow status" because it should not show "packet-mode" and have sessions at the same time?  Note that the SRX will act as packet-mode based on family (IPv4 or IPv6 etc.) As far as configuration is concerned, I would expect the line "set security forwarding-options family mpls mode packet-based" to be present for it to be acting as packet mode for IPv4 traffic.
2. On SRX devices, you do NOT need any licenses for running BGP (either External or Internal).  Having said that , you can use the following command to check all licenses on a SRX device : "show system license " .
3. If the requirement is to only allow selective traffic across vlan100 to other vlans, I would suggest you to keep the L3 interface with vlan 100 in a separate zone than others and then configure the security policies to only permit the communication with specific servers only.

Hope this helps!

All all,

When typing show security flow status, output says that SRX320 (branch level) is in packet mode.  I checked the current configuration and there is no any "delete security" statement. Secondly when typing sh security flow session, there is a high number of active sessions/flow occurs. If the SRX is in packet mode, why there is a flow sessions?

Second question is how to check current license on srx320  to make sure it is covered dynamic routing eBGP whilst the ebgp up and running without issus.

Another question is clients and IPphone are directly connected to Cisco switch and the switch directly connected via trunk port to srx320.  All L3 vlans sit on srx320.  On the LAN. the following there are.

 -Vlan100  -192.168.64/28

 -Vlan200  -192.168.80/28

 -Vlan300  -192.168.96/28

  -Vlan50 -10.10.50.0/24

We want to make Vlan100 restrict.  No any IP from other subnets should communicate  with any client(s) from the Vlan100, so Vlan100 has to be isolated. only they can communicate with specific servers at the data center.  how to achieve this case on the Srx320?

Thanks

A.

Hi TheDisciple,

Thanks for the reply.

1-) When I saw your reply, I re-double checked  and yes it had been in not packet mode....My mistake...Sorry about that.....I think you are right about what you pointed in your post....... am I right? Here the output...

> show security flow status   Flow forwarding mode:    Inet forwarding mode: flow based    Inet6 forwarding mode: drop    MPLS forwarding mode: drop    ISO forwarding mode: drop    Tap mode: disabled (default)    Enhanced route scaling mode: Disabled  Flow trace status    Flow tracing status: off  Flow session distribution    Distribution mode: RR-based    GTP-U distribution: Disabled    SCTP distribution: Enabled  Flow ipsec performance acceleration: off  Flow gre performance acceleration: off  Flow packet ordering    Ordering mode: Hardware  Flow power mode: Disabled  Flow power mode IPsec: Disabled  Flow power mode IPsec QAT: Disabled  Fat core group status: off  Flow inline fpga crypto: Disabled

2-) It doesn't say any thing about eBGP license in the following? but the BGP up and running on the box.  And also how about ospf?

> show system license License usage:                                  Licenses     Licenses    Licenses    Expiry  Feature name                       used    installed      needed   remote-access-ipsec-vpn-client        0            2           0    permanent  remote-access-juniper-std             0            2           0    permanentLicenses installed: none

3-) 

Physical and logical topology:

All L3 logical interfaces for the vlans sit on Juniper device.  Non-Juniper switch is a L2

Vlan100|200|300|50| ----------->non-Juniper switch(L2 device)-------1xTrunk Port---------->JuniperF/w(L3 device)--------ebgp------>ISP---------->DataCenter

The vlan100 has about 20 clients. And we want to make sure that those 20 clients in Vlan100 can communicate each other in local and communicate the  a few  servers in datacenter but definitely not communicate with other vlans (200|300|50) locally and remotely with other location's clients... we want to restrictly  isolate the vlan100 . 

----If the security policy is a solution, what the security policy configuration it is needed in line with your suggestion? Any proposal conf?

----A part from the security policy, what another solution can be? Any idea?

 4-) In future when concerning to have own mpls, what limitation would be coming up with  currently srx320 is up and runnning in flow mode and additionally does mpls feature require any license?

Thx,

A.

Hello Arix,

1. Can you share the entire output of "show security flow status" because it should not show "packet-mode" and have sessions at the same time?  Note that the SRX will act as packet-mode based on family (IPv4 or IPv6 etc.) As far as configuration is concerned, I would expect the line "set security forwarding-options family mpls mode packet-based" to be present for it to be acting as packet mode for IPv4 traffic.
2. On SRX devices, you do NOT need any licenses for running BGP (either External or Internal).  Having said that , you can use the following command to check all licenses on a SRX device : "show system license " .
3. If the requirement is to only allow selective traffic across vlan100 to other vlans, I would suggest you to keep the L3 interface with vlan 100 in a separate zone than others and then configure the security policies to only permit the communication with specific servers only.

Hope this helps!

All all,

When typing show security flow status, output says that SRX320 (branch level) is in packet mode.  I checked the current configuration and there is no any "delete security" statement. Secondly when typing sh security flow session, there is a high number of active sessions/flow occurs. If the SRX is in packet mode, why there is a flow sessions?

Second question is how to check current license on srx320  to make sure it is covered dynamic routing eBGP whilst the ebgp up and running without issus.

Another question is clients and IPphone are directly connected to Cisco switch and the switch directly connected via trunk port to srx320.  All L3 vlans sit on srx320.  On the LAN. the following there are.

 -Vlan100  -192.168.64/28

 -Vlan200  -192.168.80/28

 -Vlan300  -192.168.96/28

  -Vlan50 -10.10.50.0/24

We want to make Vlan100 restrict.  No any IP from other subnets should communicate  with any client(s) from the Vlan100, so Vlan100 has to be isolated. only they can communicate with specific servers at the data center.  how to achieve this case on the Srx320?

Thanks

A.