Channel: SRX Services Gateway topics

Help configuring VLANs


Hi,

 

I'm very new to Juniper and networking in general, and am trying to learn how to set up VLAN across our juniper equipment.

 

The goal is to segment our office network into 4 VLANs: internal, guest, telephony, video streaming. We're using an SRX300 firewall and two EX2200 switches. Currently, we have successfully configured the firewall and switch with the basic default vlan serving DHCP for a 192.168.0.0/20 subnet.

 

I spent today fruitlessly fiddling with both the switch and firewall trying to set up a trunk on ge-0/0/4.0 to be used for (at the moment) 1 vlan, called Telephony with an ID of 101, which I have attempted to associate with a DHCP pool of 192.168.16.0/24.

 

On the EX2200, I configured one port as a trunk and added the same vlan ID, and configured another port as access for this vlan. I get a self-assigned IP when I connect to the port.

 

I don't fully understand how VLANs work, and I'm pretty sure part of the problem is that I'm assigning an IP (192.168.16.1/24) wherever it asks me what the IP address is for the VLAN, which is probably incorrect.

 

Here is the readout of the show configuration command for the SRX300:

version 15.1X49-D45;
system {
    host-name Mobifirewall;
    time-zone GMT-8;
    root-authentication {
        encrypted-password "blahblahblahblah"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    services {
        ssh;
        web-management {
            https {
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            router {
                192.168.1.1;
                192.168.16.1;
            }
            pool 192.168.0.0/20 {
                address-range low 192.168.1.1 high 192.168.15.254;
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                router {
                    192.168.1.1;
                }
            }
            pool 192.168.16.0/24 {
                address-range low 192.168.16.1 high 192.168.16.254;
                exclude-address {
                    192.168.16.1;
                }
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                router {
                    192.168.16.1;
                }
                propagate-settings irb.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Mobify;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Mobify to-zone Internet {
            policy All_Mobify_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Mobify {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            https;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            interfaces {
                ge-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone telephone {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ping;
                    https;
                    ssh;
                }
            }
            interfaces {
                irb.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            ping;
                            https;
                            ssh;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/20;
            }
        }
    }
    ge-0/0/4 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                inner-vlan {
                    members Telephony;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 104.255.11.140/29;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 192.168.16.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 104.255.11.137;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
}
vlans {
    Telephony {
        description telephones;
        vlan-id 101;
        l3-interface irb.0;
        switch-options {
            interface ge-0/0/4.0;
        }
    }
}

any help is much appreciated!

 

Thanks in advance

 

-Alex
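For comparison, here is the VLAN, trunk, IRB and DHCP part of such a setup written out in set-command form. This is an added example, not Alex's posted config; it assumes the names and addresses from the post (SRX300 on 15.1X49, VLAN Telephony with ID 101, irb.0 at 192.168.16.1/24, trunk on ge-0/0/4, EX2200 on non-ELS Junos) and the zone and policy names are placeholders.

```junos
## Added example, not part of the original post. Names, addresses and the
## zone/policy names are taken from the post or are placeholders.

## Layer 2 switching mode on the SRX300 (already present in the posted config).
set protocols l2-learning global-mode switching

## Trunk toward the EX2200. Tagged membership is configured with
## "vlan members"; "inner-vlan" refers to the inner tag of Q-in-Q frames.
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members Telephony

## The VLAN and its routed interface. The irb.0 address is the gateway of
## the VLAN; it is the only IP the VLAN itself gets.
set vlans Telephony vlan-id 101
set vlans Telephony l3-interface irb.0
set interfaces irb unit 0 family inet address 192.168.16.1/24

## Keep the gateway out of the DHCP range by starting the range at .2
## instead of handing out .1 and then excluding it.
set system services dhcp pool 192.168.16.0/24 address-range low 192.168.16.2 high 192.168.16.254
set system services dhcp pool 192.168.16.0/24 router 192.168.16.1
set system services dhcp pool 192.168.16.0/24 name-server 8.8.8.8

## irb.0 sits in its own zone and must accept DHCP for the SRX to serve leases.
set security zones security-zone telephone interfaces irb.0 host-inbound-traffic system-services dhcp
set security zones security-zone telephone interfaces irb.0 host-inbound-traffic system-services ping

## Hosts in the VLAN only reach the Internet once a policy and a source NAT
## rule exist from zone telephone; the posted config has neither. Narrow
## "application any" to what the phones actually need once it works.
set security policies from-zone telephone to-zone Internet policy telephone-out match source-address any
set security policies from-zone telephone to-zone Internet policy telephone-out match destination-address any
set security policies from-zone telephone to-zone Internet policy telephone-out match application any
set security policies from-zone telephone to-zone Internet policy telephone-out then permit
set security nat source rule-set telephone_srcnat from zone telephone
set security nat source rule-set telephone_srcnat to zone Internet
set security nat source rule-set telephone_srcnat rule telephone-src-interface match source-address 0.0.0.0/0
set security nat source rule-set telephone_srcnat rule telephone-src-interface then source-nat interface

## EX2200 side (non-ELS Junos uses "port-mode" instead of "interface-mode").
## ge-0/0/0 as the uplink and ge-0/0/1 as a phone port are assumed.
set vlans Telephony vlan-id 101
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk vlan members Telephony
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access vlan members Telephony
```

After committing, `show vlans` on the SRX should list ge-0/0/4.0 as a tagged member of Telephony, and `show dhcp server binding` should show the phone's lease.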


Unable to access J-web on SRX550


I am wanting to manage the Firewall from J-Web but am unable to; I get a 401 error in my browser.

 

set system services web-management http interface vlan.999
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.999

 

Vlan 999 is our management interface and this firewall is doing the routing for all of the vlans.

 

set interfaces vlan unit 999 family inet address 172.16.1.2/24 vrrp-group 99 virtual-address 172.16.1.1
set interfaces vlan unit 999 family inet address 172.16.1.2/24 vrrp-group 99 priority 200
set interfaces vlan unit 999 family inet address 172.16.1.2/24 vrrp-group 99 preempt
set interfaces vlan unit 999 family inet address 172.16.1.2/24 vrrp-group 99 accept-data

 

set vlans MGMT vlan-id 999
set vlans MGMT l3-interface vlan.999

 

set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security-zone MGMT host-inbound-traffic protocols all
set security zones security-zone MGMT interfaces vlan.999 host-inbound-traffic system-services https

 

Any help would be appreciated. I'm guessing that it's maybe because the MGMT address is on the firewall and it's creating a loop somehow.

 

If I have done something wrong then please let me know!

Upstream Router ARP Problem


Hi,

 

2 SRX100's in a cluster. (IP addresses obfuscated in the following config.)

 

The problem I have is that the SRX doesn't respond to ARP requests for 109.3.4.88 from the upstream router (109.3.4.65), only 109.3.4.92. I also tried a simpler config with no proxy ARP and two IPs on the external interface (so basically just having the IPs 109.3.4.88 and 109.3.4.92) on the external interface just to see what happens. Again, the SRX cluster only ever responds to ARP requests on one of the IPs. 

 

Any ideas? Have I just made a simple config mistake? (I'm a SRX noob, so quite probably!)

 

TIA

Mark

 

## Last commit: 2016-10-25 17:25:53 UTC by root
version 12.1X44.5;
groups {
    node0 {
        system {
            host-name companysrx01;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.11/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name companysrx02;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.12/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "blah"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
}
chassis {
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                fe-0/0/0 weight 255;
                fe-0/0/1 weight 255;
                fe-1/0/0 weight 255;
                fe-1/0/1 weight 255;
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        fastether-options {
            redundant-parent reth0;
        }
    }
    fe-0/0/1 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fe-1/0/0 {
        fastether-options {
            redundant-parent reth0;
        }
    }
    fe-1/0/1 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                fe-0/0/5;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                fe-1/0/5;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 109.3.4.92/27;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.201.1.253/24 {
                    arp 10.201.1.12 multicast-mac 03:bf:0a:c9:01:0c;
                }
            }
        }
    }
}
routing-options {
    static {
        route 10.1.1.0/24 next-hop 10.201.1.1;
        route 0.0.0.0/0 next-hop 109.3.4.65;
    }
}
security {
    address-book {
        global {
            address companysmtp01-int 10.201.1.15/32;
            address companysmtp01-ext 109.3.4.88/32;
            address companywap01-ext 109.3.4.88/32;
            address companywap01-int 10.201.1.16/32;
            address companysum01-int 10.201.1.1/32;
            address companyuranlb-ext 109.3.4.92/32;
            address companyuranlb-int 10.201.1.12/32;
        }
    }
    nat {
        source {
            rule-set rs-src-nat-from-zone-orange {
                from zone orange;
                to zone red;
                # Host-hide outbound traffic
                rule src-nat-outbound-all {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        static {
            rule-set rs-static-nat-from-zone-red {
                from zone red;
                rule static-nat-in-companywap01-http {
                    match {
                        destination-address-name companywap01-ext;
                        destination-port 80;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                companywap01-int;
                                mapped-port 80;
                            }
                        }
                    }
                }
                rule static-nat-in-companywap01-https {
                    match {
                        destination-address-name companywap01-ext;
                        destination-port 443;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                companywap01-int;
                                mapped-port 443;
                            }
                        }
                    }
                }
                rule static-nat-in-companysmtp01-smtp {
                    match {
                        destination-address-name companysmtp01-ext;
                        destination-port 25;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                companysmtp01-int;
                                mapped-port 25;
                            }
                        }
                    }
                }
                rule static-nat-in-companywap01-49443 {
                    match {
                        destination-address-name companywap01-ext;
                        destination-port 49443;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                companywap01-int;
                                mapped-port 49443;
                            }
                        }
                    }
                }
                rule static-nat-in-companyuranlb-https {
                    match {
                        destination-address-name companyuranlb-ext;
                        destination-port 443;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                companyuranlb-int;
                                mapped-port 443;
                            }
                        }
                    }
                }
            }
        }
        proxy-arp {
            interface reth0.0 {
                address {
                    109.3.4.88/32;
                }
            }
        }
    }
    policies {
        from-zone red to-zone orange {
            policy inbound-internet-companysmtp01 {
                match {
                    source-address any;
                    destination-address companysmtp01-int;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
            policy inbound-internet-companywap01 {
                match {
                    source-address any;
                    destination-address companywap01-int;
                    application [ junos-http junos-https custom-49443 ];
                }
                then {
                    permit;
                }
            }
            policy inbound-internet-companyuranlb {
                match {
                    source-address any;
                    destination-address companyuranlb-int;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
        }
        from-zone orange to-zone red {
            policy outbound-permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone orange {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                reth1.0;
            }
        }
        security-zone red {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                reth0.0;
            }
        }
    }
}
applications {
    application custom-49443 {
        protocol tcp;
        destination-port 49443;
    }
}

{primary:node0}
root@companysrx01>


SRX1400 vlan and trunking


Hi,

 

We have an srx1400 and an ex2200 connected together with a single cable. We planned to create 3 vlans and make a single interface on the srx1400 (ge-0/0/1) a member of those 3 vlans and then make it a trunk, which will connect to the EX2200 interface (ge-0/0/6) which is a part of 3 different vlans and is also in trunk mode. We tested this setup on a lab srx100 and an ex2200 and it worked fine; however, when we tried to set it up on our srx1400 we could not create vlans on it. Is there a way to get this setup to work on the srx1400?

 

Thanks!

SRX ALG questions


Got a little bit confused about ALGs. Could somebody clarify?

 

1) What is the difference between <alg> and <application-protocol> in configuration?

 

ch@test# set applications application test term 1 alg ?
Possible completions:
dns Domain Name Service
ftp File Transfer Protocol
http Hypertext Transfer Protocol
https Hypertext Transfer Protocol
...

ch@test# set applications application test application-protocol ?
Possible completions:
dns Domain Name Service
ftp File Transfer Protocol
http Hypertext Transfer Protocol
https Hypertext Transfer Protocol
...

 

2) What do I need <term> under application configuration for? Why can I refer only to <application-protocol> under application configuration and to <alg> only under application->term?

 

3) Do I need to explicitly refer to an application in a policy? Or using <application any> is enough?

 

It is not a pure ALG question, but not sure if I refer to <application any> in the policy what a system will do?

 

It will check traffic against all default applications? And if some application implies ALG, and traffic hits this application, ALG will take action?

 

Or will the system check traffic against this piece of configuration:

 

ch@test> show configuration groups junos-defaults applications application any
term t1 protocol 0;

(have no idea what <protocol 0> means; HOPOPT or just any ip protocol?)

 

And I will not see any ALGs in action?

 

 

4) What does that mean:


ch@test# run show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Enabled
RTSP : Enabled
SCCP : Enabled
SIP : Enabled
SQL : Enabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled

 

For example, I don't have any configured applications. So, that means that system already has predefined applications that use these ALGs. Or that just means that the system is eligible to use ALGs with status <Enabled> regardless whether they exist in configuration or not?

If yes, and if an ALG is <Disabled>, is the system not eligible to use this ALG even if some application refers to it?

 

5) Why are some ALGs/application protocols not shown here:

 

ch@test# run show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Enabled
RTSP : Enabled
SCCP : Enabled
SIP : Enabled
SQL : Enabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled

 

For example, http/https.

 

6) ALGs monitor packets' payload, since they need to check the application level?
So they work in the same manner as AppID?

 

Edited: I don't mean that ALGs use the same algorithm as AppID. But the same approach. They wait for packets with payload, look inside and take some action after.

SRX1500 : VLANs without tags ( van


Hi, I want to connect 4 servers to 4 ports on the SRX1500, and each port is assigned to a VLAN with vlan-id "none" and an irb interface with a subnet to assign IPs to the servers.

 

Will the setup work on the SRX1500? Also, please check the irb, vlan and port configuration below.

 

IRB:

 

root> show configuration interfaces irb
unit 10 {
    family inet {
        address 10.10.10.1/24;
    }
}

 

VLAN:

 

root> show configuration vlans
TEST {
    vlan-id none;
    l3-interface irb.10;
}

 

Interface example for one server:

 

root> show configuration interfaces ge-0/0/1
unit 0 {
    family ethernet-switching {
        vlan {
            members TEST;
        }
    }
}

root> show vlans

Routing instance        VLAN name           Tag          Interfaces
default-switch          TEST                none
default-switch          default             1

 

 

thanks

viewing unfiltered bgp routes?


On an SRX running 12.3, what is the command to view raw unfiltered BGP routes as advertised by our peers? "show route protocol bgp" only gives you the table entries after route filtering has been applied.

config IDP on SRX cluster failed


Dear all, 

 

I am trying to install and configure IDP on an SRX cluster.

First step, I download the signature DB using: request security idp security-package download on the primary node

But when the download completed, it had this error:

 

admin@FW-Internet-01> request security idp security-package download status
node0:
--------------------------------------------------------------------------
In progress:platforms.xml.gz 100 % 257 Bytes/ 257 Bytes

{primary:node0}
admin@FW-Internet-01> request security idp security-package download status
node0:
--------------------------------------------------------------------------
Done;Failed to sync to the secondary RE, errno: 1

{primary:node0}
admin@FW-Internet-01>

 

Next step, I tried to install the signature and got this error:

 

admin@FW-Internet-01> request security idp security-package install
node0:
--------------------------------------------------------------------------
Will be processed in async mode. Check the status using the status checking CLI

node1:
--------------------------------------------------------------------------
Will be processed in async mode. Check the status using the status checking CLI

{primary:node0}
admin@FW-Internet-01>

 

{primary:node0}
admin@FW-Internet-01> request security idp security-package install status
node0:
--------------------------------------------------------------------------
Done;AI installation failed! Attack DB update failed!
Install application package version 2461 succeed.

node1:
--------------------------------------------------------------------------
Done;AI installation failed! Attack DB update failed!

{primary:node0}
admin@FW-Internet-01>

 

So it seems the signature database download or install was unsuccessful.

 

I ran the commands on the primary node of the cluster, and before downloading I checked that the connection to the Juniper update server was OK:

 

admin@FW-Internet-01> request security idp security-package download check-server
node0:
--------------------------------------------------------------------------
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2797(Detector=12.6.160160603, Templates=2797)

{primary:node0}
admin@FW-Internet-01>

 

Please help me resolve this issue.

 

Many thanks


Juniper srx nat issue


I have an issue with static nat. I was assigned a /23 subnet for all static nat. My srx is connected to a nexus 7k and the /23 is advertised on the nexus. I have used x.x.x.1 from the /23 and created the nat and it is working fine. I have created one more nat with x.x.x.2 from the /23 subnet and I can see the nat translations from the hit count. But I am not able to see any traffic on that nat IP.

I can't do ping between two interfaces fxp in SRX in mode Cluster

Hi Guys,
 
I can't ping between the two fxp interfaces in an SRX in cluster mode; the interfaces are UP... I don't know what is happening. Do you have any suggestion? Thanks
 
{primary:node0}
version 12.1X45.5;
groups {
    node0 {
        system {
            host-name XXX_NODO_0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.168.254/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name XXX_NODO_1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.168.253/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
 
 
{primary:node0}
user@xxx> show route forwarding-table | match 192.168.168.253      
 
{primary:node0}
 
 
{primary:node0}
user@xxxx> show route 192.168.168.253                             
 
inet.0: 4618 destinations, 9225 routes (4618 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both
 
192.168.168.0/24  *[Direct/0] 5w6d 21:03:19
                    > via fxp0.0

secure-access-port not available on SRX300


Hi.

 

On the SRX100 with image version 12.1x44-d45.2, I could use the following command, to make sure, that only one computer could connect to an interface, by allowing the mac address:

 

ethernet-switching-options {
    secure-access-port {
        interface fe-0/0/1.0 {
            mac-limit 1 action drop;
            allowed-mac xx:xx:xx:xx:xx;
        }
    }
}

 

 

On the SRX300 with image version 15.1x49-d50.3, the above command is not available. What is the command on the SRX300 that replaces the command above, so I can only allow one computer to connect to an interface?

 

Thanks!

Config of basic 802.1p CoS marking


Hi all,

 

I have a pair of SRX500 and I need to set the 802.1p CoS bits to 000 on ALL out-going packets on a certain vlan (vlan-id 51),
(so that QoS is handled on the transport network connected to my SRX's).

 

This is similar to post:
http://forums.juniper.net/t5/SRX-Services-Gateway/How-to-set-802-1p-Cos/m-p/299201#M43093

 

And the answer given by member PK would be, adapted to my case:

 

set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class best-effort loss-priority high code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class best-effort loss-priority medium-high code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class best-effort loss-priority medium-low code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class best-effort loss-priority low code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class network-control loss-priority high code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class network-control loss-priority medium-high code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class network-control loss-priority medium-low code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class network-control loss-priority low code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 import default
set class-of-service interfaces ge-0/0/6 unit 51 rewrite-rules ieee-802.1 class000

 

Something I don't understand in the config proposed above:
The ieee-802.1 class includes the 2 forwarding-classes 'network-control' and 'best-effort'.
As the goal is to mark all packets, why don't you plan a statement for the 2 other forwarding-classes?

 

admin@WALSF1# ...ewrite-rules ieee-802.1 test forwarding-class ?

Possible completions:
<class-name> Forwarding class name
assured-forwarding <<------
best-effort
expedited-forwarding <<------
network-control
[edit]
admin@WALSF1#

 

I mean adding:

 

set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class assured-forwarding loss-priority high code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class assured-forwarding loss-priority medium-high code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class assured-forwarding loss-priority medium-low code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class assured-forwarding loss-priority low code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class expedited-forwarding loss-priority high code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class expedited-forwarding loss-priority medium-high code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class expedited-forwarding loss-priority medium-low code-point 000
set class-of-service rewrite-rules ieee-802.1 class000 forwarding-class expedited-forwarding loss-priority low code-point 000

 

Thanks for your advice!
Fabien
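An added example, not from the post above and not Juniper code: a small checker that parses the set-style rewrite-rule lines quoted in the post and reports which (forwarding-class, loss-priority) combinations the rule leaves unmapped. It answers the question raised above mechanically: with only best-effort and network-control defined, eight of the sixteen combinations are not rewritten to 000, and as I understand the `import default` statement, those fall back to the default ieee-802.1 mapping rather than to 000. The forwarding classes and loss priorities are the ones listed in the post's own `forwarding-class ?` output and set commands; the sample configuration is constructed from the post's lines, and the function names are my own.

```python
import re
from itertools import product

# Forwarding classes and loss priorities as shown in the post's CLI
# completion output and set commands (Junos defaults on the SRX).
FORWARDING_CLASSES = ("best-effort", "assured-forwarding",
                      "expedited-forwarding", "network-control")
LOSS_PRIORITIES = ("low", "medium-low", "medium-high", "high")

# One "set class-of-service rewrite-rules ieee-802.1 <rule> forwarding-class <fc>
# loss-priority <lp> code-point <bits>" line; other set commands are ignored.
_RULE_RE = re.compile(
    r"^set class-of-service rewrite-rules ieee-802\.1 (?P<rule>\S+) "
    r"forwarding-class (?P<fc>\S+) loss-priority (?P<lp>\S+) "
    r"code-point (?P<cp>[01]{3})$"
)

# Constructed sample: the eight lines proposed in the post (best-effort and
# network-control only), plus the import and interface binding lines.
SAMPLE_CONFIG = "\n".join(
    f"set class-of-service rewrite-rules ieee-802.1 class000 "
    f"forwarding-class {fc} loss-priority {lp} code-point 000"
    for fc in ("best-effort", "network-control") for lp in LOSS_PRIORITIES
) + """
set class-of-service rewrite-rules ieee-802.1 class000 import default
set class-of-service interfaces ge-0/0/6 unit 51 rewrite-rules ieee-802.1 class000
"""

# Constructed sample: the eight additional lines the post suggests adding.
EXTRA_LINES = "\n".join(
    f"set class-of-service rewrite-rules ieee-802.1 class000 "
    f"forwarding-class {fc} loss-priority {lp} code-point 000"
    for fc in ("assured-forwarding", "expedited-forwarding")
    for lp in LOSS_PRIORITIES
)


def parse_rewrite_rules(config_text):
    """Return {rule_name: {(fc, lp): code_point}} from Junos set-style lines."""
    rules = {}
    for line in config_text.splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        rules.setdefault(m["rule"], {})[(m["fc"], m["lp"])] = m["cp"]
    return rules


def missing_combinations(rule_map):
    """(forwarding-class, loss-priority) pairs the rule does not rewrite at all."""
    return sorted(set(product(FORWARDING_CLASSES, LOSS_PRIORITIES)) - set(rule_map))


def wrong_code_points(rule_map, expected):
    """Pairs that are rewritten, but to a code point other than `expected`."""
    return sorted(k for k, v in rule_map.items() if v != expected)


def report(config_text, rule_name="class000", expected_cp="000"):
    """Coverage summary for one rewrite rule: how many pairs are defined,
    which are missing, and which map to an unexpected code point."""
    rule = parse_rewrite_rules(config_text).get(rule_name, {})
    return {
        "defined": len(rule),
        "missing": missing_combinations(rule),
        "wrong_code_point": wrong_code_points(rule, expected_cp),
    }


if __name__ == "__main__":
    before = report(SAMPLE_CONFIG)
    print(f"{before['defined']} pairs defined, {len(before['missing'])} missing:")
    for fc, lp in before["missing"]:
        print(f"  {fc} / {lp}")
    after = report(SAMPLE_CONFIG + "\n" + EXTRA_LINES)
    print(f"after adding the extra lines: {len(after['missing'])} missing")
```

Run against the post's original eight lines the checker lists all four loss priorities of assured-forwarding and expedited-forwarding as unmapped; with the eight extra lines appended the list is empty. The same parser can be pointed at `show configuration | display set` output to verify a rule before committing it.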

 

control link/fabric link failure

here is the cluster :

  node0---node1

 

rg1 is primary on node1 since there is one reth down on node0 (unhealthy)

rg0 is primary on node0 since it has the higher priority

 

1: now if the control link between node0 and node1 is down, what will happen (fabric link is good)?

 

does node0 change inactive redundancy group 1 to primary even though there is an interface down on node0?

 

2: if the control link is good, but the fabric link is down,

what will happen?

From trust to trust zone for two internal network

Sorry to bother you. At the beginning we had an SSG320 to connect the entire network for internet browsing and only one mail server. Afterward, we wanted some remote site users to connect to part of the internal servers, so we got another SRX220 for dynamic VPN connection with another ISP connection (5 public IP addresses allowed to use). Right now, we just added a new server with its own network address and use one of the public IP addresses left from these 5 from the ISP on the SRX220. The connection is one server 192.168.0.10 to ge-0/0/1 and the new server 192.168.0.30.30 to ge-0/0/2. How do I configure the SRX220 to allow these two servers to see each other only? If other 192.168.0.x servers also need to see the new server, are those servers also required to set their gateway to the SRX220? Thanks in advance.

 

Pwshk

difference between firewall filter and firewall family inet filter?

I always use the set firewall filter ... command, but I've seen that many people use the set firewall family inet filter ... command, and I cannot see the difference between those commands.

 

I mean, both of them can be used in an in/out interface and, as I see, both of them could have the same match and actions commands...


Sub-interfaces on a SRX 240h

I am a novice on the juniper firewall (SRX 240h). I have a working production juniper running 10 Vlans, I would like to add a few more Vlans. I have a couple of questions I hope someone can help me with, concerning the interfaces. How many sub-interfaces can you have? Is there a limit?

Here is a sampling of our interfaces with the Vlans:

set vlans Pod-1 vlan-id 100
set vlans Pod-1 interface ge-0/0/1.0
set vlans Pod-1 l3-interface vlan.100
set vlans Pod-2 vlan-id 200
set vlans Pod-2 interface ge-0/0/2.0
set vlans Pod-2 l3-interface vlan.200
set vlans Pod-3 vlan-id 300
set vlans Pod-3 interface ge-0/0/3.0
set vlans Pod-3 l3-interface vlan.300
set vlans Pod-4 vlan-id 400
set vlans Pod-4 interface ge-0/0/4.0
set vlans Pod-4 l3-interface vlan.400
set vlans Servers vlan-id 600
set vlans Servers interface ge-0/0/6.0
set vlans Servers l3-interface vlan.600
set vlans WAP vlan-id 500
set vlans WAP interface ge-0/0/5.0
set vlans WAP l3-interface vlan.500

 

If I were to add another Vlan could this work? 

set vlans VehicleCompliance vlan-id 210
set vlans VehicleCompliance interface ge-0/0/2.1
set vlans VehicleCompliance l3-interface vlan.210
set vlans DeckNew vlan-id 220
set vlans DeckNew interface ge-0/0/2.2
set vlans DeckNew l3-interface vlan.220

Or should the interface stay at ge-0/0/2.0?

MACsec on SRX and in general

Hi,

 

Apparently MACsec will now be supported on the new series SRX firewalls. Has anyone had experience implementing MACsec on CCC or any supported platform? I am curious to know if it would work over VPLS or only CCC. With the support on the SRX, has anyone implemented it on there perhaps?

 

Thanks,

Set Static Route with an Outgoing Interface

Hello,

 

I have just purchased an SRX220 to replace my home router. 

 

I am trying to setup a static route but Virgin Media who are my ISP won't give me the Gateway IP address. On a Cisco device I know that you can set a static route with an outgoing interface but can't find out anything on the web regarding this with Juniper.

 

I believe I have set the interface correctly, but I am unsure of the IP address as they won't give me the details. Can someone confirm that this interface is set correctly to receive an IP address via DHCP....

 


ge-0/0/0 {
    unit 0 {
        family inet {
            dhcp;
        }
    }
}

 

Is it possible to configure a static route with an outgoing interface? If not, I think I may have just spent £300 for nothing.


Many Thanks

Peter

architecture/config question

Hello,

 

Trying to see if someone can assist with a traffic/architecture issue:

 

I have several SRX's deployed which tunnel back to a central/hub SSG; however, under normal operations these remote firewalls and the devices behind them do not communicate with each other directly.

 

I have a need to open temporary communications between them, so I've created rules on each, and I've added a route on each to get to each other's network. There are already routes on that hub FW because, as I mentioned, it can communicate with each environment down their tunnels.

 

Below is the output of the details section of the log in log viewer, and if I am reading it correctly it looks as though this outbound traffic isn't even leaving my internal/vlan interface?

(attachment: error.jpg)

 

Also below is a very crude but quick diagram of what I am trying to get going here. I do have my internal interfaces on the SRX's VLAN'ed together, hence the mention in the error of vlan.0.

 

 

Can anyone shed any light on what I am missing?

 

(attachment: sez.jpg)

wtmp not being generated

I noticed on SRX1500 and SRX5400 that /var/log/wtmp isn't being created, thus "show log user" gives:

--------------------------------------------------------------------------
last: /var/log/wtmp: No such file or directory

Using Junos: 15.1X49-D50.3.

 

 

Anyone else?
