SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX setup for a Newbie

    Posted 10-31-2022 13:51

    Hi Guys,

    I am brand new to Juniper so any help would be muchly appreciated! I am in the process of adding in a Juniper SRX340 firewall into a new network setup made up of TP-Link Switches. I have attached the current config below. The firewall config doesn't need to be anything too fancy for now but the only thing is needed is 2/3 different VLANS set up so I can segregate a few different customers on site. Port ge-0/0/0 is currently going into a TP-Link (home) router and interface ge-0/0/1 would be going into the switch. Ideally the DHCP would come from the SRX, and I can tag the VLANS down to the switch through interface ge-0/0/1.

    root@SRX-Plaza> show configuration

    ## Last commit: 2022-10-31 10:59:55 UTC by root

    version 20.2R3-S2.5;

    system {

        host-name SRX-Plaza;

        root-authentication {

            encrypted-password "$6$OS4JRvML$aYgwq8TjZOr76LhFglFYe1WLpv5XhTNdL5FhtxUTvYUoU14rJXd1rrnJriP35RQ.hm56gjzDkfLOz3CC49lJg."; ## SECRET-DATA

        }

        services {

            ssh;

            netconf {

                ssh;

            }

            dhcp-local-server {

                group jdhcp-group {

                    interface fxp0.0;

                    interface irb.0;

                }

            }

            web-management {

                https {

                    system-generated-certificate;

                    interface ge-0/0/0.0;

                }

            }

        }

        name-server {

            8.8.8.8;

            8.8.4.4;

        }

        syslog {

            archive size 100k files 3;

            user * {

                any emergency;

            }

            file messages {

                any notice;

                authorization info;

            }

            file interactive-commands {

                interactive-commands any;

            }

        }

        max-configurations-on-flash 5;

        max-configuration-rollbacks 5;

        license {

            autoupdate {

                url https://ae1.juniper.net/junos/key_retrieval;

            }

        }

        phone-home {

            server https://redirect.juniper.net;

            rfc-compliant;

        }

    }

    security {

        screen {

            ids-option untrust-screen {

                icmp {

                    ping-death;

                }

                ip {

                    source-route-option;

                    tear-drop;

                }

                tcp {

                    syn-flood {

                        alarm-threshold 1024;

                        attack-threshold 200;

                        source-threshold 1024;

                        destination-threshold 2048;

                        timeout 20;

                    }

                    land;

                }

            }

        }

        nat {

            source {

                rule-set trust-to-untrust {

                    from zone trust;

                    to zone untrust;

                    rule source-nat-rule {

                        match {

                            source-address 0.0.0.0/0;

                        }

                        then {

                            source-nat {

                                interface;

                            }

                        }

                    }

                }

            }

        }

        policies {

            from-zone trust to-zone trust {

                policy trust-to-trust {

                    match {

                        source-address any;

                        destination-address any;

                        application any;

                    }

                    then {

                        permit;

                    }

                }

            }

            from-zone trust to-zone untrust {

                policy trust-to-untrust {

                    match {

                        source-address any;

                        destination-address any;

                        application any;

                    }

                    then {

                        permit;

                    }

                }

            }

        }

        zones {

            security-zone trust {

                host-inbound-traffic {

                    system-services {

                        all;

                    }

                    protocols {

                        all;

                    }

                }

                interfaces {

                    irb.0;

                    irb.10;

                    irb.20;

                }

            }

            security-zone untrust {

                screen untrust-screen;

                interfaces {

                    ge-0/0/0.0 {

                        host-inbound-traffic {

                            system-services {

                                dhcp;

                                tftp;

                                https;

                                ping;

                            }

                        }

                    }

                    ge-0/0/15.0 {

                        host-inbound-traffic {

                            system-services {

                                dhcp;

                                tftp;

                            }

                        }

                    }

                    dl0.0 {

                        host-inbound-traffic {

                            system-services {

                                tftp;

                            }

                        }

                    }

                }

            }

        }

    }

    interfaces {

        ge-0/0/0 {

            unit 0 {

                family inet {

                    address 192.168.1.252/24;

                }

            }

        }

        ge-0/0/1 {

            unit 0 {

                family ethernet-switching {

                    interface-mode trunk;

                    vlan {

                        members [ vlan-trust vlan.10 vlan.20 ];

                    }

                }

            }

        }

        ge-0/0/2 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/3 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/4 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/5 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/6 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/7 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/8 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/9 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/10 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/11 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/12 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/13 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/14 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members vlan-trust;

                    }

                }

            }

        }

        ge-0/0/15 {

            unit 0 {

                family inet {

                    dhcp {

                        vendor-id Juniper-srx340;

                    }

                }

            }

        }

        cl-1/0/0 {

            dialer-options {

                pool 1 priority 100;

            }

        }

        dl0 {

            unit 0 {

                family inet {

                    negotiate-address;

                }

                family inet6 {

                    negotiate-address;

                }

                dialer-options {

                    pool 1;

                    dial-string 1234;

                    always-on;

                }

            }

        }

        fxp0 {

            unit 0 {

                family inet {

                    address 192.168.1.1/24;

                }

            }

        }

        irb {

            unit 0 {

                family inet {

                    address 192.168.2.1/24;

                }

            }

            unit 10 {

                family inet {

                    address 192.168.10.1/24;

                }

            }

            unit 20 {

                family inet {

                    address 192.168.20.1/24;

                }

            }

        }

    }

    access {

        address-assignment {

            pool junosDHCPPool1 {

                family inet {

                    network 192.168.1.0/24;

                    range junosRange {

                        low 192.168.1.2;

                        high 192.168.1.254;

                    }

                    dhcp-attributes {

                        router {

                            192.168.1.1;

                        }

                        propagate-settings ge-0/0/0.0;

                    }

                }

            }

            pool junosDHCPPool2 {

                family inet {

                    network 192.168.2.0/24;

                    range junosRange {

                        low 192.168.2.2;

                        high 192.168.2.254;

                    }

                    dhcp-attributes {

                        router {

                            192.168.2.1;

                        }

                        propagate-settings ge-0/0/0.0;

                    }

                }

            }

        }

    }

    vlans {

        vlan-trust {

            vlan-id 3;

            l3-interface irb.0;

        }

        vlan.10 {

            vlan-id 10;

            l3-interface irb.10;

        }

        vlan.20 {

            vlan-id 20;

            l3-interface irb.20;

        }

    }

    protocols {

        l2-learning {

            global-mode switching;

        }

        rstp {

            interface all;

        }

    }

    routing-options {

        static {

            route 0.0.0.0/0 next-hop 192.168.1.1;

    James



    ------------------------------
    JAMES DAVIES
    ------------------------------


  • 2.  RE: SRX setup for a Newbie

     
    Posted 10-31-2022 21:29
    Hi James, 

    The config what you have shared i guess is the factory default config, 
    As far as i understand your setup you would need just two interfaces,  on the interface which connects to the switch, you would have to enable vlan tagging where you can assign vlan for different interface units. here the interface where you would tag the vlan would act as trunk.  so the switchport which connects would have to configured as trunk port as well. 

    Example: 

    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 unit 0 vlan-id 10
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
    set interfaces ge-0/0/1 unit 1 vlan-id 11
    set interfaces ge-0/0/1 unit 1 family inet address 192.168.2.1/24

    set security zones security-zone Inside interfaces ge-0/0/1 host-inbound-traffic system-services all

    Also configure security policies to allow the traffic from internal zone to external.

    Please refer doc's below:
    https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Interfaces-and-Security-Zones?language=en_US
    DHCP:
    https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-DHCP-Server

    Regards,
    Brijil

    ------------------------------
    Brijil R
    ------------------------------



  • 3.  RE: SRX setup for a Newbie

    Posted 11-01-2022 05:52
    So this is what I have configured this morning.  I am intending to plug our switch into port ge-0/0/1, set it up as a trunk port so that both VLAN10 and VLAN20 can come down to the switch level and both get their different IP ranges from the Juniper. Is this possible?

    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    irb.0;
    ge-0/0/1.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    }
    ge-0/0/1.1 {
    host-inbound-traffic {
    system-services {
    all;

    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 192.168.1.252/24;
    }
    }
    }
    ge-0/0/1 {
    vlan-tagging;
    unit 0 {
    vlan-id 10;
    family inet {
    address 192.168.10.1/24;
    }
    }
    unit 1 {
    vlan-id 20;
    family inet {
    address 192.168.20.1/24;
    }
    }
    }

    pool vlan10DHCPpool {
    family inet {
    network 192.168.10.0/24;
    range vlan10range {
    low 192.168.10.11;
    high 192.168.10.254;
    }
    dhcp-attributes {
    router {
    192.168.10.1;
    }
    propagate-settings ge-0/0/1.0;
    }
    }
    }
    pool vlan20DHCPpool {
    family inet {
    network 192.168.20.0/24;
    range vlan20range {
    low 192.168.20.11;
    high 192.168.20.254;
    }
    dhcp-attributes {
    router {
    192.168.20.1;
    }
    propagate-settings ge-0/0/1.1;

    ------------------------------
    JAMES DAVIES
    ------------------------------



  • 4.  RE: SRX setup for a Newbie

    Posted 11-01-2022 06:37
    Edited by spuluka 11-01-2022 06:38
    I think you are trying to have the gateway on the SRX and a trunk port with the vlans to the switch.

    If that is the case, you would do the following steps.

    • Create irb unit number with the gateway addresses
    • Create the vlans for each subnet and add the irb interface to the vlan as the layer 3 interface
    • Create the interface to the switch as a trunk port with each vlan added to it
    • Add the irb interfaces to the appropriate security zone


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: SRX setup for a Newbie

    Posted 11-01-2022 06:44
    That's exactly right.  In that case then shall I delete the VLAN tagging?

    ge-0/0/1 {
    vlan-tagging;
    unit 0 {
    vlan-id 10;
    family inet {
    address 192.168.10.1/24;
    }
    }
    unit 1 {
    vlan-id 20;
    family inet {
    address 192.168.20.1/24;

    ------------------------------
    JAMES DAVIES
    ------------------------------



  • 6.  RE: SRX setup for a Newbie

    Posted 11-01-2022 07:09
    Is that what you think it should look like?

    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    irb.0;
    irb.10;
    irb.20;


    ge-0/0/1 {
    unit 0 {
    family ethernet-switching {
    interface-mode trunk;
    vlan {
    members [ Plaza-Staff Plaza-Spare ];

    irb {
    unit 0 {
    family inet {
    address 192.168.2.1/24;
    }
    }
    unit 10 {
    family inet {
    address 192.168.10.1/24;
    }
    }
    unit 20 {
    family inet {
    address 192.168.20.1/24;

    vlans {
    Plaza-Spare {
    vlan-id 20;
    l3-interface irb.20;
    }
    Plaza-Staff {
    vlan-id 10;
    l3-interface irb.10;
    }
    vlan-trust {
    vlan-id 3;
    l3-interface irb.0;

    ------------------------------
    JAMES DAVIES
    ------------------------------



  • 7.  RE: SRX setup for a Newbie

    Posted 11-01-2022 10:48
    That looks good. The vlan tags are assigned to the interface via the list of vlan names are you have it all on unit 0 for the trunk port.

    Also note that irb interfaces will only come to the up/up status when at least one physical interface assigned to the vlan is up/up.  So if the trunk port in this case goes up/down the irb interfaces associated will also be up/down.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 8.  RE: SRX setup for a Newbie

    Posted 11-01-2022 11:44

    I've decided to re-think my whole approach so I'm sorry for the multiple questions but the way I want it to work now would be int ge-0/0/1 to have VLAN 10 on it, with the gateway address being on the SRX (192.168.10.1) and also to distribute DHCP address to device on VLAN10 of my switch. I'll uplink a port of the switch and give interface VLAN10 an ip on the same range probably (192.168.20.4).

     I would want the same configuration enabled for ge-0/0/2 but to be VLAN 20 (192.168.20.1) and then I will have 2 separate uplinks from the SRX to my LAN. This is what I've got so far but not too sure if I'm close or miles off. I've only attached the relevant config for this.

        ge-0/0/1 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members Plaza-Staff;

                    }

                }

            }

        }

        ge-0/0/2 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members Plaza-Spare;

        irb {

            unit 0 {

                family inet {

                    address 192.168.2.1/24;

                }

            }

            unit 10 {

                family inet {

                    address 192.168.10.1/24;

                }

            }

            unit 20 {

                family inet {

                    address 192.168.20.1/24;

    access {

        address-assignment {

            pool vlan10DHCPpool {

                family inet {

                    network 192.168.10.0/24;

                    range vlan10range {

                        low 192.168.10.11;

                        high 192.168.10.254;

                    }

                    dhcp-attributes {

                        router {

                            192.168.10.1;

                        }

                        propagate-settings irb.10;

                    }

                }

            }

            pool vlan20DHCPpool {

                family inet {

                    network 192.168.20.0/24;

                    range vlan20range {

                        low 192.168.20.11;

                        high 192.168.20.254;

                    }

                    dhcp-attributes {

                        router {

                            192.168.20.1;

                        }

                        propagate-settings irb.20;

    vlans {

        Plaza-Spare {

            vlan-id 20;

            l3-interface irb.20;

        }

        Plaza-Staff {

            vlan-id 10;

            l3-interface irb.10;

        }

        vlan-trust {

            vlan-id 3;

            l3-interface irb.0;



    ------------------------------
    JAMES DAVIES
    ------------------------------



  • 9.  RE: SRX setup for a Newbie

    Posted 11-01-2022 18:58
    For the dhcp you probably want to also include handing out the dns server addresses you want clients to use too.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------