Ask the Expert

  • 1.  SRX220 - Configure copper ports for Network Access

    Posted 02-26-2021 11:47

    Hello,

     

    I work on various firewalls, though I have not worked too much on these Juniper SRXs.

     

    I am trying to get port GE-0/0/5 to be part of the same network as port GE-0/0/1, so that whatever I plug into port GE-0/0/5 gets a DHCP address from the DHCP scope 192.168.XXX.0/24, uses 192.168.XXX.1 as its gateway, and goes out to the internet on port GE-0/0/0. Just like a regular old router, or what I call a Bridge Port on another router brand I work with.

     

    Could someone please assist me with this configuration?  I believe I have all pertinent information below.

     

    Currently I have the following configuration on my interfaces:

     

       /* DHCP server pools. The enclosing hierarchy is outside the paste; the two extra closing braces at the end close those outer levels. */
       dhcp {

                /* Pool for 192.168.XXX.0/24: leases .2 through .100, default gateway .1, DNS 8.8.8.8. */
                pool 192.168.XXX.0/24 {

                    address-range low 192.168.XXX.2 high 192.168.XXX.100;

                    name-server {

                        8.8.8.8;

                    }

                    router {

                        192.168.XXX.1;

                    }

                }

                /* Pool for 192.168.YYY.0/24: leases .2 through .200, default gateway .1, DNS 8.8.8.8. */
                pool 192.168.YYY.0/24 {

                    address-range low 192.168.YYY.2 high 192.168.YYY.200;

                    name-server {

                        8.8.8.8;

                    }

                    router {

                        192.168.YYY.1;

                    }

                    /* Option 156 hands clients an FTP server address plus country/language codes; presumably device provisioning, confirm. */
                    /* NOTE(review): FTP is a cleartext transport, so anything clients fetch from that server can be read or altered on the path; keep this pool on a trusted segment. */
                    option 156 string "ftpservers=IP_address, country=1, language=1";

                }

            }

        }

     /* Routed uplink holding the public address; ge-0/0/0.0 is placed in security-zone Internet further down. */
     ge-0/0/0 {

            unit 0 {

                family inet {

                    /* The trailing "(public address)" is the poster's annotation, not configuration syntax. */
                    address XXX.XXX.XXX.XXX/XX;    (public address)

                }

            }

        }

        /* Routed layer 3 port that owns 192.168.168.1/24; the address lives on this one port only. */
        ge-0/0/1 {

            unit 0 {

                family inet {

                    address 192.168.168.1/24;

                }

            }

        }

       /* The closing brace of ge-0/0/5 itself is missing from the paste. */
       ge-0/0/5 {

            unit 0 {

                family inet {

                    /* "dhcp" under family inet makes this port a DHCP client: it requests an address for itself. */
                    /* It stays a separate routed interface and does not join the subnet on ge-0/0/1, so devices plugged in here are not served from the pool. */
                    dhcp;

                }

            }

    /* Security zones. host-inbound-traffic lists the services the firewall itself accepts on an interface; traffic passing through the device is governed by security policies, which are not shown. */
    zones {

            security-zone Internal {

                interfaces {

                    ge-0/0/1.0 {

                        host-inbound-traffic {

                            system-services {

                                ping;

                                dhcp;

                                /* NOTE(review): http sends management credentials in cleartext; https is already allowed below. */
                                http;

                                https;

                                ssh;

                                /* NOTE(review): telnet sends management credentials in cleartext; ssh is already allowed above. */
                                telnet;

                            }

                        }

                    }

                    ge-0/0/2.0 {

                        host-inbound-traffic {

                            system-services {

                                ping;

                            }

                        }

                    }

                    /* The four interfaces below have no host-inbound-traffic and the zone defines none, so the device accepts no services on them. */
                    ge-0/0/4.0;

                    ge-0/0/7.0;

                    ge-0/0/6.0;

                    /* That includes dhcp: requests arriving on ge-0/0/5.0 are not answered by the firewall. */
                    ge-0/0/5.0;

                }

            }

            security-zone Internet {

                /* Zone-level default: only IKE is accepted on interfaces that set nothing of their own. */
                host-inbound-traffic {

                    system-services {

                        ike;

                    }

                }

                interfaces {

                    /* Interface-level host-inbound-traffic replaces the zone-level list for this interface. ge-1/0/0 is not configured in the visible paste. */
                    ge-1/0/0.0 {

                        host-inbound-traffic {

                            system-services {

                                /* NOTE(review): "all" accepts every system service enabled on the device on an Internet-zone interface, including management services. */
                                /* Confirm what this port connects to and list only the services it needs. */
                                all;

                                /* Redundant while "all" is present. */
                                https;

                            }

                        }

                    }

                    /* No interface-level list, so this interface uses the zone-level list (ike only). */
                    ge-0/0/0.0;

                }

            }

            security-zone Intercom {

                interfaces {

                    /* Logical unit 51 of ge-0/0/2; ping is the only service accepted by the device here. */
                    ge-0/0/2.51 {

                        host-inbound-traffic {

                            system-services {

                                ping;

                            }

                        }

                    }

                }

            }

            /* Zone defined with no interfaces in the visible configuration. */
            security-zone VPN;

        }

    }



    ------------------------------
    SCHUYLER SANDNES
    ------------------------------


  • 2.  RE: SRX220 - Configure copper ports for Network Access

    Posted 02-28-2021 12:19
    When you want multiple interfaces to share the same layer 2 domain like this, you create a bridge for the VLAN.
    The physical interfaces are layer 2.
    The layer 3 gateway is a virtual interface called irb (integrated routing and bridging).
    Only the layer 3 interface is added to the zone.

    sample
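    # Sample: one VLAN with the member ports as layer 2 ports and irb.0 as the layer 3 gateway.
    # A stray zero-width character after "/24" on the first line was removed so the command pastes cleanly.
    # NOTE(review): on older branch SRX releases the routed VLAN interface may be named vlan.N instead of irb.N; check your Junos release.
    set interfaces irb unit 0 family inet address 192.168.168.1/24
    # NOTE(review): Junos names are case-sensitive and the question's zone is "Internal"; "internal" would be a separate zone.
    # NOTE(review): irb.0 is added with no host-inbound-traffic, so the device accepts no services on it.
    # For clients to get leases from the SRX, allow dhcp (and whatever management you need, preferably ssh/https) on irb.0 in the zone.
    set security zones security-zone internal interfaces irb.0
    # The sample uses ge-0/0/2; the question asked about ge-0/0/1 and ge-0/0/5.
    # Existing "family inet" settings on a member port (address, dhcp) and its own zone entry presumably have to be removed first; confirm on your release.
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-internal
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-internal
    set vlans vlan-internal vlan-id 3
    # Binds the VLAN to its layer 3 gateway interface.
    set vlans vlan-internal l3-interface irb.0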
    The VLAN name and ID can be whatever makes sense in your environment.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------