SRX

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  BRANCH SRX Default VLAN?

    Posted 08-22-2013 06:26

    Although it's been taught that the Junos doesn't have a native vlan (i.e. unlike its competitor Cisco) --- I've noticed that there is a "VLAN-ID 3" present on several Branch series SRX devices (such as 100B and 210 model). 

     

    I understand that there are security policies/zones present by default on the branch series, but why does Juniper claim there isn't a default/native VLAN ... if "VLAN-ID 3" exists in the configuration??? That's incredibly confusing, and if anyone can clarify I'd be greatly appreciative. 

     

     

     

    Thanks!

     

    Jesse 

    JNCIA, JNCIS-SEC

     



  • 2.  RE: BRANCH SRX Default VLAN?

     
    Posted 08-22-2013 07:22

    I reckon you should see this with factory default loaded configuration.

    This should be sample configuration for quick start usage of SRX appliance.

    When you delete factory default configuration, you should not see any vlan id(it is not the case in Cisco)

     

    Regards,

    Raveen



  • 3.  RE: BRANCH SRX Default VLAN?
    Best Answer

    Posted 08-22-2013 07:24

    Well it is really a semantics issue. The native vlan came out of the Cisco world. In the world of Juniper there is no native vlan. There are "default" configurations for all of the various Juniper devices. The default config for a branch SRX incudes a vlan labeled "trust" with the vlan-id 3. 

     

    So it is a vlan that is explicity defined in the "default" configuration for that box. In other Juniper device the default config does not inlcude any defined VLANS.

     

    In the world of Cisco the native VLAN is just there on box, always. Hope that provides clarification for you. 


    #is


  • 4.  RE: BRANCH SRX Default VLAN?

    Posted 08-22-2013 08:29

    Clear and concise. Exact answer I was looking for. Thanks for speedy post. 

     

    -Jesse- 



  • 5.  RE: BRANCH SRX Default VLAN?

    Posted 08-22-2013 07:29

    A Cisco "native VLAN" is the VLAN which is carried untagged over an 802.1q trunk. By default, it is enabled, and is VLAN 1.

     

    With Junos, if you want an untagged VLAN on an 802.1q trunk, you need to specify native-vlan-id, and there's no particular default VLAN ID for that.



  • 6.  RE: BRANCH SRX Default VLAN?

    Posted 08-22-2013 07:48

    The EX seriies switch do not have a default vlan-id (at lest not shown when you run the command >show vlans. The branch SRX on the other hand, the default configuration has a default vlan-id of 1. Canyou post the out[uts from the SRX that show the deault vlan-id 3? All the systems will have internal interfaces, policers, and posibly vlans for internal communication within the device itself which should not be confused with user options.

    can you show the output of >show vlans default from at least two of the devices?



  • 7.  RE: BRANCH SRX Default VLAN?

    Posted 08-22-2013 08:14

    Actually ... the Branch series SRX does in fact ship with VLAN-ID 3 ... not vlan-id 1. 

     

    Muttbarker has provided clarity on this in his post above. Please refer to it for the acceptable solution. 

     

     

    Please don't take offense, as words can be very flat, even condescending at times. I just wanted to make sure all were informed of the correct solution. I've also politely posted the code of a factory config below ... so you can see where vlan-id 3 is defined (see highlighted). 

     

     

    root# show | display set
    set version 11.2R4.3
    set system autoinstallation delete-upon-commit
    set system autoinstallation traceoptions level verbose
    set system autoinstallation traceoptions flag all
    set system autoinstallation interfaces fe-0/0/0 bootp
    set system root-authentication encrypted-password "$1$2fLcMAQt$.HfDeZumIFt7RfaJkHKA4."
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system services dhcp router 192.168.1.1
    set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
    set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
    set system services dhcp propagate-settings fe-0/0/0.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces fe-0/0/0 unit 0
    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces vlan unit 0 family inet address 192.168.1.1/24
    set protocols stp
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0

     

     

     

     

    Thanks!

     

    Jesse