Avum_David:
Here is a simple design and some suggestions for implementation.
3 VLANs:
ID | Description        | IP Subnet
---|--------------------|-------------------
10 | Network Management | 192.168.222.0/26
30 | Voice              | 192.168.222.128/26
40 | Data               | 192.168.222.192/26
Notice that VLAN 20 is left open (192.168.222.64/26). This is for future growth should you need it, and it keeps your other 3 subnets the same size and using the address ranges you previously specified.
/26 subnets mean your subnet mask will be 255.255.255.192.
You will configure the 3 VLANs on your SRX with l3-interfaces:
vlans {
    network-devices {
        description "Network Device Management";
        vlan-id 10;
        l3-interface vlan.10;
    }
    voice {
        description "Voice";
        vlan-id 30;
        l3-interface vlan.30;
    }
    data {
        description "Data";
        vlan-id 40;
        l3-interface vlan.40;
    }
}
Your L3 interfaces on the SRX could look something like this:
interfaces {
    vlan {
        unit 10 {
            description "Network Device Management";
            family inet {
                /* first usable host of 192.168.222.0/26 */
                address 192.168.222.1/26;
            }
        }
        unit 30 {
            description "Voice";
            family inet {
                /* first usable host of 192.168.222.128/26 */
                address 192.168.222.129/26;
            }
        }
        unit 40 {
            description "Data";
            family inet {
                /* first usable host of 192.168.222.192/26 */
                address 192.168.222.193/26;
            }
        }
    }
}
You can leave your default static route configured in the SRX.
Here's a start for your DHCP pools (configured on the SRX):
dhcp {
    /* Voice: .129 is the gateway, so the pool starts at .130 and ends at the last usable host */
    pool 192.168.222.128/26 {
        address-range low 192.168.222.130 high 192.168.222.190;
        router {
            192.168.222.129;
        }
        /* hand out DNS/domain settings learned on the upstream interface */
        propagate-settings ge-0/0/0.0;
    }
    /* Data: .193 is the gateway, so the pool starts at .194 */
    pool 192.168.222.192/26 {
        address-range low 192.168.222.194 high 192.168.222.254;
        router {
            192.168.222.193;
        }
        propagate-settings ge-0/0/0.0;
    }
}
I would suggest you put the 3 VLANs into separate security zones. This is a starting point, but you'll probably want to tweak it (configured on the SRX):
zones {
    security-zone network-management {
        /* host-inbound-traffic all: every system service and routing protocol is accepted on this zone's interfaces */
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.10;
        }
    }
    security-zone voice {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.30;
        }
    }
    security-zone data {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.40;
        }
    }
}
From there, if you fully trust your internal networks, you can configure simple any/any/permit policies between the zones. You should probably restrict the network management zone so that you can easily control who can SSH to devices, etc. You can also now create proper policies so that, for example, your data network can get to the Internet (from-zone data to-zone untrust), but your phones and network devices probably shouldn't be doing so. Or maybe just in very controlled cases, etc.
On your EX, remove your L3 interfaces for VLANs 30 and 40 (after you re-number the VLANs and clean up the configs). Keep an L3 interface for VLAN 10, since that will be used for device management. Optionally, you can of course use the me0 management interface, but I'll leave that as an exercise for you to read up on if you decide to go that route.
Your EX config would look like this (relevant parts, of course):
interfaces {
    vlan {
        unit 10 {
            description "Network Device Management";
            family inet {
                /* EX management address; the SRX holds .1 in this subnet */
                address 192.168.222.2/26;
            }
        }
    }
    /* trunk to the SRX; VLAN membership is set under vlans { } below */
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
            }
        }
    }
}
[ ... ]
vlans {
    voice {
        description "Voice";
        vlan-id 30;
        interface {
            ge-0/0/0.0;
            ge-0/0/1.0;
            ge-0/0/2.0;
            ge-0/0/3.0;
            ge-0/0/4.0;
            ge-0/0/5.0;
            ge-0/0/6.0;
            ge-0/0/7.0;
            ge-0/0/8.0;
            ge-0/0/9.0;
            ge-0/0/10.0;
            ge-0/0/11.0;
            ge-0/0/23.0;
        }
    }
    data {
        description "Data";
        vlan-id 40;
        interface {
            ge-0/0/12.0;
            ge-0/0/13.0;
            ge-0/0/14.0;
            ge-0/0/15.0;
            ge-0/0/16.0;
            ge-0/0/17.0;
            ge-0/0/18.0;
            ge-0/0/19.0;
            ge-0/0/20.0;
            ge-0/0/21.0;
            ge-0/0/22.0;
            ge-0/0/23.0;
        }
    }
    network-devices {
        description "Network Device Management";
        vlan-id 10;
        interface {
            ge-0/0/23.0;
        }
        l3-interface vlan.10;
    }
}
All 3 VLANs will be trunked (making sure the IDs match across devices) between your SRX and EX. Keep your EX's default route pointed to your SRX.
I've noticed that you were doing VLAN assignment in different ways on your EX vs. the SRX, and also you were using both methods on the EX itself. It's easier to stick with one or the other, whichever is your preference. If you look at the EX config above, I moved everything for your VLAN config into the vlans { } configuration stanza. Note how all 3 VLANs on the EX are configured with interface ge-0/0/23.0 -- that's your trunk port, and the configuration for that interface was cleaned up to simply set it as a trunk port.
You were using the other method, configuring VLANs under each interface's configuration stanza, on your SRX, so I kept that method on the SRX. On the SRX, the trunk port will look like this:
interfaces {
    fe-0/0/7 {
        description "Trunk to EX";
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                /* VLAN membership set on the interface, matching the vlans { } names above */
                vlan {
                    members [ network-devices voice data ];
                }
            }
        }
    }
}
You do not need to do any DHCP relay or anything on the EX. Remove the DHCP configuration on your EX completely (delete system services dhcp).
That should get you started. I may have missed a point or two, but this is a basic primer and should get you in the right direction. Be sure you pay attention to subnet masks and proper/usable IP addresses within each subnet. Post your questions here after you start over as outlined here and we can help you further if needed.
Remember that you'll need to go through the configurations for both devices and clean up all the VLAN numbers and make sure they're corrected everywhere, and any other housekeeping that might need to be done.
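The addressing in the post above (four /26s carved from 192.168.222.0/24, one left spare, gateway on the first usable host, DHCP from the second usable host to the last) is easy to get wrong by hand, which is why the post ends with a warning about masks and usable addresses. The following script is an added example and is not part of the original post or any Juniper tooling: it computes the plan, checks it the way a reviewer would (no pool touching the network/broadcast address, no statically assigned host such as a gateway or the EX's vlan.10 address landing inside a pool, no overlapping subnets), and emits equivalent Junos set-style commands for the SRX side. The VLAN names, the vlan.<id> L3 units and ge-0/0/0.0 as the propagate-settings source are taken from the post; the set-command form is a standard Junos equivalent of the braces config shown there.

```python
"""Check the /26 VLAN plan from the post and emit Junos set-style commands.

Added example, not from the original post. It assumes the post's names
(vlans network-devices/voice/data, vlan.<id> L3 units) and its choice of
ge-0/0/0.0 as the propagate-settings source; all addresses are computed.
"""
import ipaddress
from collections import namedtuple

Vlan = namedtuple("Vlan", "name description dhcp")

SUPERNET = ipaddress.ip_network("192.168.222.0/24")
NEW_PREFIX = 26  # four /26s, mask 255.255.255.192

# VLAN IDs in ascending order map onto the /26s in ascending order;
# VLAN 20 is deliberately left undefined so its /26 stays spare.
PLAN = {
    10: Vlan("network-devices", "Network Device Management", dhcp=False),
    20: None,
    30: Vlan("voice", "Voice", dhcp=True),
    40: Vlan("data", "Data", dhcp=True),
}

# Statically assigned hosts from the post: SRX gateways and the EX's vlan.10.
STATIC_HOSTS = {ipaddress.ip_address(a) for a in
                ("192.168.222.1", "192.168.222.2",
                 "192.168.222.129", "192.168.222.193")}


def carve_subnets():
    """Return {vlan_id: IPv4Network} for every slot in PLAN, spare included."""
    subnets = list(SUPERNET.subnets(new_prefix=NEW_PREFIX))
    ids = sorted(PLAN)
    if len(ids) != len(subnets):
        raise ValueError("PLAN must have exactly one slot per /26")
    return dict(zip(ids, subnets))


def spare_subnet():
    """The /26 kept free for growth (VLAN 20 in the post)."""
    return carve_subnets()[20]


def build_plan():
    """Gateway = first usable host; DHCP pool = second usable .. last usable."""
    rows = {}
    for vid, net in carve_subnets().items():
        if PLAN[vid] is None:
            continue
        hosts = list(net.hosts())  # excludes network and broadcast addresses
        rows[vid] = {"subnet": net, "mask": str(net.netmask),
                     "gateway": hosts[0], "dhcp_low": hosts[1],
                     "dhcp_high": hosts[-1]}
    return rows


def check_plan(rows):
    """Return a list of problems; an empty list means the plan is sane."""
    problems, seen = [], []
    for vid, r in sorted(rows.items()):
        net = r["subnet"]
        if r["mask"] != "255.255.255.192":
            problems.append(f"vlan {vid}: mask {r['mask']} is not a /26")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"vlan {vid}: {net} overlaps {other}")
        seen.append(net)
        if not PLAN[vid].dhcp:
            continue
        low, high = r["dhcp_low"], r["dhcp_high"]
        if low <= net.network_address or high >= net.broadcast_address:
            problems.append(f"vlan {vid}: pool {low}-{high} is not all usable hosts")
        for h in sorted(STATIC_HOSTS):
            if h in net and low <= h <= high:
                problems.append(f"vlan {vid}: static host {h} is inside the DHCP pool")
    return problems


def junos_set_commands(rows, upstream="ge-0/0/0.0"):
    """SRX side only: vlans, L3 units and the DHCP pools as set commands."""
    cmds = []
    for vid, r in sorted(rows.items()):
        v = PLAN[vid]
        cmds += [f'set vlans {v.name} description "{v.description}"',
                 f"set vlans {v.name} vlan-id {vid}",
                 f"set vlans {v.name} l3-interface vlan.{vid}",
                 f"set interfaces vlan unit {vid} family inet address "
                 f"{r['gateway']}/{r['subnet'].prefixlen}"]
        if v.dhcp:  # no pool for the management VLAN, as in the post
            pool = f"set system services dhcp pool {r['subnet']}"
            cmds += [f"{pool} address-range low {r['dhcp_low']} high {r['dhcp_high']}",
                     f"{pool} router {r['gateway']}",
                     f"{pool} propagate-settings {upstream}"]
    return cmds


if __name__ == "__main__":
    plan = build_plan()
    print("spare /26:", spare_subnet())
    print("problems:", check_plan(plan) or "none")
    print("\n".join(junos_set_commands(plan)))
```

Run it as-is and the check comes back clean with the same values the post uses (Voice pool .130-.190 behind gateway .129, Data pool .194-.254 behind .193, spare 192.168.222.64/26). Change a pool boundary to the gateway or to .255 and check_plan reports it, which is the mistake the post's closing warning is about. The generated set commands cover the SRX only; the EX side stays as shown in the post.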